Abstract: A processor includes a decode unit to decode an SM3 two round state word update instruction. The instruction is to indicate one or more source packed data operands. The source packed data operand(s) are to have eight 32-bit state words Aj, Bj, Cj, Dj, Ej, Fj, Gj, and Hj that are to correspond to a round (j) of an SM3 hash algorithm. The source packed data operand(s) are also to have a set of messages sufficient to evaluate two rounds of the SM3 hash algorithm. An execution unit coupled with the decode unit is operable, in response to the instruction, to store one or more result packed data operands, in one or more destination storage locations. The result packed data operand(s) are to have at least four two-round updated 32-bit state words Aj+2, Bj+2, Ej+2, and Fj+2, which are to correspond to a round (j+2) of the SM3 hash algorithm.

Abstract: A method of software article protection and transformation includes: retrieving a software article; identifying control flow addressing associated with the software article; removing at least a portion of the control flow addressing; and saving the at least a portion of the control flow addressing from the software article, wherein removing the at least a portion of the control flow addressing comprises replacing call and return functions with protected execution instructions, wherein the protected execution instructions replace call functions by: identifying, in a lookup table, an entry associated with a current instruction; and pushing a return address associated with the current instruction to a secure return stack; and wherein the protected execution instructions replace return functions by: popping the return address from the secure return stack; encrypting the at least a portion of the control flow addressing; and saving the at least a portion of the control flow addressing to a separate software articl

Abstract: In some implementations, a system may generate information that identifies a passphrase to be used as a biometric input. The system may receive a voice input of a user speaking the passphrase. The system may generate one or more cryptographic keys based on the voice input. The system may generate a digital identifier based on the one or more cryptographic keys. The system may generate one or more biometric templates for the user. The system may encrypt the one or more biometric templates using the one or more cryptographic keys and to generate one or more encrypted biometric templates. The system may store in a secure storage associated with the user, at least one of the digital identifier, a public key of the one or more cryptographic keys, a phone number associated with the user, or the one or more encrypted biometric templates. Numerous other aspects are provided.

Abstract: The traditional authentication mechanism of using a public username and a constant secret password needs to be improved upon. A framework and a method is described which allows for much more secure authentication compared to the traditional username/password method. The method is useful for first party authentication as well as non-repudiation of digital information. The non-repudiation is achieved as a by-product of high entropy of the authentication method. The method relies on generation of high entropy tokens (called flakes) as a by-product of authentication. Since these tokens do not exist before being created, and their creation relies on user input, they are non-persisted proofs of user presence.

Abstract: An authentication system is provided with: a user device; user side assistance device(s) to assist user authentication that authenticates a user of the user device, and apparatus authentication that authenticates the user device; and an apparatus authentication server device to perform apparatus authentication in association with the user device. The user side assistance device(s) use distributed shares of verification information to perform multi-party computation for user authentication in association with the user device, and use distributed shares of a secret key generated by the user device, to perform multi-party computation for apparatus authentication in association with the user device.

Abstract: A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).

Abstract: A producer communicates over a network with a user application in an infrastructure-as-a-service (IaaS) and an IaaS node. The producer encrypts content with first encryption using a first key and second encryption using a second key, to produce twice encrypted content. The producer encrypts the second key with attribute-based encryption and symmetric encryption using an IaaS key, to produce a twice encrypted second key. The producer provides to the user application the twice encrypted content, the twice encrypted second key, and key information configured to remove the first encryption from the twice encrypted content. The producer provides to the IaaS node the IaaS key to enable the IaaS node to remove the symmetric encryption from the twice encrypted second key, such that the user application and the IaaS node are constrained to exchange with each other key-related information and intermediate decryption results in order to recover the content.

Abstract: Disclosed are example methods, systems, and devices that allow for generation and maintenance of a central identity databank for a user's digital life. The identity databank may include identity elements with payload values and metadata values corresponding immutable attributes of the user. A multifactor identity authentication protocol allows service provider devices to more reliably validate transactions with user devices via an identity system. The identity databank may include passwords, which may be generated by the identity system linked to user accounts and/or service providers. The passwords may be provided to service provider devices, eliminating the need for users to conceive of a multitude of varying passwords for the user's accounts.

Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

Abstract: A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.

Abstract: Exemplary embodiments relate to techniques for anonymizing information in an end-to-end (E2E) encrypted environment; the information may include, for example, statistical data about unique page/message views, view counts, view time, what users selected on the message or page, etc. Exemplary embodiments may prevent an E2E system server from being able to identify which user is associated with which record. Various examples are described, including an embodiment in which an originating client generates the data, encrypts it, and sends it to a random contact. The contact decrypts the data, re-encrypts it, and sends it to another random contact. The procedure continues for a set amount of time or for a set number of hops. Other embodiments relate to wrapping the data in various layers of encryption and sending the data to clients in a chain. The encrypted layers prevent clients along the chain from being able to view the anonymized data.

Abstract: Method and apparatus for allowing the changing of security values and consent data is provided. The security values allow for dynamically changing the security level and ease of access associated with performing specific transactions on specific accounts. The consent data may be pushed or pulled and when stored, may be used for future transactions, of both the same or a different type. The changing of security levels and consent data may be accomplished over the internet using mobile devices over both secure and non-secure networks.

Abstract: An example method includes monitoring execution of one or more applications on a runtime computing system that includes a plurality of processing units, receiving, from the runtime computing system during execution of the applications, monitoring information that includes at least one of function call data or application programming interface call data associated with operations performed by the plurality of processing units during execution of the applications, importing the monitoring information into a risk model, analyzing the monitoring information within the risk model to determine one or more potential vulnerabilities and one or more impacts of the one or more vulnerabilities in the runtime computing system, and outputting, for display in a graphical user interface, a graphical representation of the one or more potential vulnerabilities and the one or more impacts within the risk model.

Abstract: Methods, systems, and computer program products are included for authenticating computing devices. An exemplary method includes associating a security key with an operating system of a first computing device, wherein the security key is generated from a serial number corresponding to the first computing device. A token corresponding to the security key is sent to a second computing device. The token is accessed by the second computing device to authenticate the first computing device. An authenticated session is established between the first computing device and the second computing device. Within the authenticated session, a connection is provided between the first computing device and the second computing device.

Abstract: A system for monitoring actual access to data elements in an enterprise computer network and providing associated data, the system including an at least near real time data element audit subsystem providing audit output data including at least one of a time stamp, identification of an accessor, user depository stored data regarding the accessor, accessed data element data, affected data element data, type of access operation, source IP address of access and access outcome data, in at least near real time, relating to actual access to data elements in the enterprise computer network, and an additional data providing subsystem receiving in at least near real time at least a part of the audit output data and utilizing the at least part of the audit output data for providing additional data which is not part of the audit output data.

Abstract: A method of binding a device to an authority comprising reading pre-determined data corresponding to characteristics of the device. The method includes obtaining a pseudo-random number and combining it with the pre-determined data to generate a base number. The method includes downloading an application that performs a cryptographic function on the base number to generates a secure identifier of the device, and storing the secure identifier in a memory of the device. The method includes providing the secure identifier of the device to the authority to bind the device to the authority.

Abstract: Provided are methods and systems for invalidating user security tokens. An example method may include providing, by one or more nodes in a cluster, a list of revoked security tokens. The method may include receiving, by the one or more nodes, an indication of invalidating a user security token associated with a user device. The indication may include a request from the user to invalidate the user security token. The method may further include, in response to the receiving, adding, by the one or more nodes, the user security token to the list of revoked security tokens. The user security token can be added to the list of revoked security tokens prior to the expiration time of the user security token. The method may further include replicating, by the one or more nodes, the list of revoked security tokens between further nodes of the cluster.

Abstract: Architectures and techniques for in-app behavior detection. A behavior detection agent within an application running on a hardware computing device captures events within the application. The events are inputs received from one or more sources external to the application. The behavior detection agent generates an event stream from the captured events. The behavior detection agent analyzes the event stream for significant feature frequencies and associations corresponding to one or more attack profiles. The behavior detection agent initiates an attack response in response to finding one or more significant feature frequencies and associations. The attack response comprises at least changing an operational configuration of the application.

Abstract: The present invention relates to a communication apparatus including a receiving unit and a restricting unit. The receiving unit is configured to receive a signal from another communication apparatus after code information is displayed by a display control unit. The signal includes identification information indicated by the code information. The code information is information in which information necessary for performing a sharing process for sharing a communication parameter for radio communication among apparatuses is coded. The restricting unit is configured to restrict execution of the sharing process when the communication apparatus has received the signal including the identification information from a plurality of other communication apparatuses with the receiving unit.

Abstract: Systems and methods for encoded communications are disclosed. In some embodiments, a server system may be configured to receive a communication from a user interface at an encoded communication module that includes an artificial intelligence based natural language processing module, determine whether the received communication is an encoded communication, decode the encoded communication to generate a financial query when it is determined that the received communication is an encoded communication, retrieve financial data associated with the user, determine an answer to the financial query based on the retrieved financial data, encode the determined answer to generate an encoded responsive communication, and transmit the generated encoded responsive communication to the user interface for providing to a user of the user interface.