Patents Examined by C. Lewis
  • Patent number: 11784972
    Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: October 10, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Mingxu Huo, Fengliang Hu
  • Patent number: 11783012
    Abstract: The invention involves a computer or system of computers such as workstations used to provide human-readable code along with a tag associated therewith, said tag containing identifying data to an operating computer. Using a database of authorized computers (workstations), the operating computer receives the line(s) of human-readable code from the workstation and converts it into machine readable code, if and only if, the source of the code is authorized based on the database of authorized computers.
    Type: Grant
    Filed: December 9, 2022
    Date of Patent: October 10, 2023
    Inventor: Mark Ogram
  • Patent number: 11784971
    Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: February 10, 2022
    Date of Patent: October 10, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11778146
    Abstract: Provided is a security authentication method of a network video recorder (NVR) including assigning a terminal unique index to each of pseudo-random functions included in a pseudo-random function set using terminal information; transmitting a session key having a predetermined expiry time and the pseudo-random function set with the assigned terminal unique index to a terminal; calculating a first terminal unique index for authenticating a first message using a predetermined bitstream of the first message received from the terminal; selecting a first pseudo-random function for authenticating the first message using the calculated first terminal unique index; generating a first independent private key of the terminal for authenticating the first message by inputting the session key and a MAC address of the terminal to the first pseudo-random function; and generating a message authentication code for the first message using the first independent private key and authenticating the first message.
    Type: Grant
    Filed: January 11, 2022
    Date of Patent: October 3, 2023
    Assignee: DUDU Information Technologies, Inc.
    Inventors: Young Sun Park, Gyeng Che Cho, Su Man Nam, Jun Geol Kim, Jin Woo Lee
  • Patent number: 11777902
    Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.
    Type: Grant
    Filed: February 9, 2022
    Date of Patent: October 3, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11765140
    Abstract: A baseband processor of a communication device, the baseband processor comprising a multiple encryption manager that utilizes a transmit data stream as an input data stream in the case that the transmit data stream is determined not to already have encryption applied by a higher layer component, and that utilizes a known unencrypted dataset as an input data stream in the case that the transmit data stream is determined to already have encryption applied by a higher layer component, an encryptor block that encrypts the input data stream into an encrypted data stream, and a randomness inspector that is in communication with the encryptor block, the randomness inspector unit accessing the input data stream and the encrypted data stream from the encryptor block and determining a randomness gain by comparing a first randomness measurement associated with the input data stream to a second randomness measurement associated with the encrypted data stream.
    Type: Grant
    Filed: September 19, 2022
    Date of Patent: September 19, 2023
    Assignee: Wi-LAN Research Inc.
    Inventors: Muddassar Farooq, Muhammad Rashad Ramzan, Kenneth Stanwood
  • Patent number: 11764964
    Abstract: Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.
    Type: Grant
    Filed: May 7, 2021
    Date of Patent: September 19, 2023
    Assignee: Palo Alto Networks, Inc.
    Inventor: Mohit Sahni
  • Patent number: 11755287
    Abstract: A method for generating random numbers includes initializing a pseudo-random number generator (PRNG) having a state of 2048 bits comprising inner bits and outer bits, the inner bits comprising the first 128 bits of the 2048 bits and the outer bits comprising the remaining bits of the 2048 bits. The method also includes retrieving AES round keys from a key source, and for a threshold number of times, executing a round function using the AES round keys by XOR'ing odd-numbered branches of a Feistel network having 16 branches of 128 bits with a function of corresponding even-numbered neighbor branches of the Feistel network, and shuffling each branch of 128 bits into a prescribed order. The method also includes executing an XOR of the inner bits of the permuted state with the inner bits of a previous state.
    Type: Grant
    Filed: August 24, 2022
    Date of Patent: September 12, 2023
    Assignee: Google LLC
    Inventors: Jan Wassenberg, Robert Obryk, Jyrki Alakuijala, Emmanuel Mogenet
  • Patent number: 11757657
    Abstract: A method for providing a digital signature to a message, M, in accordance with a digital signature algorithm (DSA) or an elliptic curve digital signature algorithm (ECDSA) is disclosed. A secret key, x, is generated as a random secret sharing [x] among at least two parties, such as among at least three parties. Random secret sharings, [a] and [k], are generated among the at least two parties and [w]=[a][k], R=g^k and W=R^a are computed and their correctness verified. [w] is verified by checking whether or not g^w=W. The message, M, is signed by generating a sharing, [s], among the at least two parties, using at least M, [w], R and [x].
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: September 12, 2023
    Assignee: SEPIOR APS
    Inventors: Thomas Pelle Jakobsen, Ivan Bjerre Damgard, Michael Bæksvang Ostergaard, Jesper Buus Nielsen
  • Patent number: 11750375
    Abstract: Disclosed are an encryption and decryption method and device based on bit permutation and bit transformation. The method includes: configuring a memory space, and preparing corresponding storage spaces for a plaintext file, a ciphertext file and a key file; changing a bit value of an initial key stream according to a bit operation rule, so as to obtain a bit-transformed key stream, changing a bit value of a plaintext according to the bit operation rule depending on the key stream; on the basis of a bit-transformed plaintext stream, according to a bit permutation rule depending on the key stream, performing a bit permutation operation on the bit-transformed plaintext stream, and randomly distributing the plaintext stream in a ciphertext stream, so as to obtain a target ciphertext and store the same as a file.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: September 5, 2023
    Assignees: Zhuhai College of Science And Technology, Jilin University
    Inventors: Yujuan Si, Guanghui Feng, Liuqi Lang, Xiaoyang Fu, Hao Wu
  • Patent number: 11736273
    Abstract: Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (Ks) is re-wrapped with a new header that includes a version of Ks encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.
    Type: Grant
    Filed: August 16, 2022
    Date of Patent: August 22, 2023
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Jean-Marc Padova
  • Patent number: 11728976
    Abstract: Systems and methods for efficiently serving blockchain requests using an optimized cache are disclosed herein. An example method includes normalizing a request for blockchain data into a key, the request including a hash of a canonical head block of the blockchain data, searching a distributed key value store using the key, the distributed key value store comprising key value pairs, each of the key value pairs being associated with responsive blockchain data, determining when one of the key value pairs match the key, placing a pending job space for a job in the distributed key value store when one of the key value pairs is not found, and storing a new key value pair in the distributed key value store when a response for the request is obtained, the response being new responsive blockchain data.
    Type: Grant
    Filed: December 22, 2022
    Date of Patent: August 15, 2023
    Assignee: Alchemy Insights, Inc.
    Inventors: Benjamin Godlove, John Forbes Hayden, III, Steven Yang, Noam Hurwitz
  • Patent number: 11728977
    Abstract: An encoder includes a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to generate a key, estimate a network capacity, and encode each bit of the key using a random matrix of a selected rank and the estimated network capacity for secure transmission of the key through a network.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: August 15, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Xin Hu, Wentao Huang, Jiyong Jang, Theodoros Salonidis, Marc Ph Stoecklin, Ting Wang
  • Patent number: 11727471
    Abstract: The invention provides methods and apparatus for detecting when an online session is compromised. A plurality of device fingerprints may be collected from a user computer that is associated with a designated Session ID. A server may include pages that are delivered to a user for viewing in a browser at which time device fingerprints and Session ID information are collected. By collecting device fingerprints and session information at several locations among the pages delivered by the server throughout an online session, and not only one time or at log-in, a comparison between the fingerprints in association with a Session ID can identify the likelihood of session tampering and man-in-the-middle attacks.
    Type: Grant
    Filed: November 3, 2021
    Date of Patent: August 15, 2023
    Assignee: The 41st Parameter, Inc.
    Inventor: Ori Eisen
  • Patent number: 11728968
    Abstract: An authenticated encryption device 10 includes: an encryption means 11 which encrypts a plaintext block by inputting, to an encryption function whereby data of a predetermined bit number is output when data of the predetermined bit number is input, a plaintext block of the predetermined bit number constituting the plaintext to be encrypted with a mask value, which is uniquely determined from an adjustment value including an initial vector not overlapping a past value and a secret key, being added; and a computation means 12 which computes, as a checksum, the exclusive OR of corresponding bits of a first bit string, a bit number of which is less than the predetermined bit number, of each of a plurality of plaintext blocks constituting the plaintext.
    Type: Grant
    Filed: November 7, 2018
    Date of Patent: August 15, 2023
    Assignee: NRC CORPORATION
    Inventors: Akiko Inoue, Kazuhiko Minematsu
  • Patent number: 11722305
    Abstract: Embodiments disclosed herein are directed to methods and systems of password-based threshold authentication, which distributes the role of an authentication server among multiple servers. Any t servers can collectively verify passwords and generate authentication tokens, while no t-1 servers can forge a valid token or mount offline dictionary attacks.
    Type: Grant
    Filed: September 28, 2022
    Date of Patent: August 8, 2023
    Assignee: Visa International Service Association
    Inventors: Payman Mohassel, Shashank Agrawal, Pratyay Mukherjee, Peihan Miao
  • Patent number: 11716357
    Abstract: To verify compliance with a data access policy, a query result including data specified by a requesting entity and a representation of a data access policy is received from a database. Based on the representation of the data access policy included in the query result, it is verified whether the requesting entity is permitted to access the data included in the query result. Transmission of the data included in the query result to the requesting entity is controlled responsive to the verification. Related methods, systems, and computer program products are also discussed.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: August 1, 2023
    Assignee: Workday, Inc.
    Inventors: Evgene Vahlis, Paul Giura
  • Patent number: 11711207
    Abstract: Aspects of the invention include a computer-implemented method of executing a hybrid quantum safe key exchange system. The computer-implemented method includes initially retrieving an authenticated random value from a trusted source, generating a first Z value using a first elliptic curve (EC) private key and a first certified form of an EC public key with an EC Diffie-Hellman (ECDH) algorithm, deriving a shared key using the authenticated random value and the first Z value with a key derivation function, decrypting the authenticated random value using a quantum safe algorithm (QSA) private key, generating a second Z value using a second EC private key and a second certified form of the EC public key with the ECDH algorithm and deriving the shared key using the authenticated random value and the second Z value with the key derivation function.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: July 25, 2023
    Assignee: International Business Machines Corporation
    Inventors: Richard Victor Kisley, Michael Miele, Elizabeth Anne Dames, Silvio Dragone
  • Patent number: 11700245
    Abstract: The present invention discloses a key distribution method. The method includes obtaining, by a first key management system, a shared key of a first network element, where the shared key of the first network element is generated according to a key parameter obtained after the first network element performs authentication or a root key of the first network element; obtaining a service key, where the service key is used to perform encryption and/or integrity protection on communication data in a first service between the first network element and a second network element; performing encryption and/or integrity protection on the service key by using the shared key of the first network element, to generate a first security protection parameter; and sending the first security protection parameter to the first network element. According to the present invention, data can be protected against an eavesdropping attack in a sending process.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: July 11, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Lu Gan, Bo Zhang
  • Patent number: 11693964
    Abstract: Disclosed herein is a method for detection of a cyber-threat to a computer system. The method is arranged to be performed by a processing apparatus. The method comprises receiving input data associated with a first entity associated with the computer system, deriving metrics from the input data, the metrics representative of characteristics of the received input data, analysing the metrics using one or more models, and determining, in accordance with the analysed metrics and a model of normal behavior of the first entity, a cyber-threat risk parameter indicative of a likelihood of a cyber-threat. A computer readable medium, a computer program and a threat detection system are also disclosed.
    Type: Grant
    Filed: January 5, 2021
    Date of Patent: July 4, 2023
    Assignee: Darktrace Holdings Limited
    Inventors: Jack Stockdale, Alex Markham