Patents Examined by C. Lewis
  • Patent number: 11368317
    Abstract: This specification discloses a consensus method of a consortium blockchain and a consortium blockchain system. The method includes: dividing, by a primary consensus node of the consortium blockchain, proposed data into data blocks corresponding to backup consensus nodes of the consortium blockchain based on erasure coding (EC), the data blocks corresponding to hash values calculated based on EC; sending, by the primary consensus node, a first data block to a corresponding backup consensus node, wherein the first data block is forwarded by the corresponding backup consensus node receiving the first data block to one or more other backup consensus nodes; and initiating, by the primary consensus node, a consensus process for the proposed data based on a Practical Byzantine Fault Tolerance (PBFT) protocol to send a hash value of the first data block to the corresponding backup consensus node via a PBFT protocol message.
    Type: Grant
    Filed: June 27, 2021
    Date of Patent: June 21, 2022
    Assignee: ALIPAY (HANGZHOU) INFORMATION TECHNOLOGY CO., LTD.
    Inventor: Shuai Li
  • Patent number: 11362845
    Abstract: A client device is fabricated using a semiconductor fabrication process. One or more uncontrollable random physical processes in the semiconductor fabrication process can cause small differences between the client device and other client devices. When the client device is presented with a challenge from a server device, the client device generates a random response that depends on its physical properties. The server device stores this random response as a part of a virtual PUF circuitry storage device having other random responses from the other client devices. The server device uses the random response of the client device stored in the virtual PUF circuitry storage device for one or more encryption algorithms to encrypt information to be provided to the client device.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: June 14, 2022
    Inventor: Shih-Lien Linus Lu
  • Patent number: 11360743
    Abstract: An example of the instant solution comprises at least one of receiving an encrypted data and an encryption key, generating a randomized matrix, dispersing the encrypted data based on the randomized matrix resulting in a fragmented encrypted data and dispersing the encryption key based on the randomized matrix and the fragmented encrypted data.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: June 14, 2022
    Assignee: Cyber Reliant Corp.
    Inventors: Katelynn Marie Linthicum, John Michael Suit, Ian Spencer Bartelt Becker
  • Patent number: 11343100
    Abstract: Authentication is a key procedure in information systems. Conventional biometric authentication system is based on a trusted third-party server which is not secure. The present disclosure provides a privacy preserving multifactor biometric authentication for authenticating a client without the third-party authentication server. The server receives a plurality of encrypted biometric features from the client, encrypted using Fully Homomorphic Encryption. Further, the server evaluates the plurality of encrypted biometric features to obtain a client identifier value and a plurality of encrypted resultant values. The server encrypts each of the plurality of resultant values based on a time based nonce and the client identifier value. The encrypted authentication tags and the corresponding resultant values are aggregated by the server and transmitted to the client. The client decrypts the resultant value and the authentication tag and transmits to the server.
    Type: Grant
    Filed: February 24, 2021
    Date of Patent: May 24, 2022
    Assignee: TATA CONSULTANCY SERVICES LIMITED
    Inventors: Harika Narumanchi, Nitesh Emmadi, Imtiyazuddin Shaik, Srinivasa Rao Chalamala, Rajan Mindigal Alasingara Bhattachar
  • Patent number: 11343078
    Abstract: A method and system for secure input at a remote service are provided. In a method conducted at a secure input device, a hash operation is performed on a data structure including shared data, the shared data having been obtained from a remote service via an encrypted payload. User input for secure entry at the remote service is received and encoded by performing an operation on corresponding symbols of the user input and an output of the hash operation to output an encoded message, the user input and the encoded message having the same length. The encoded message is output for entry at the remote service.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: May 24, 2022
    Assignee: ENTERSEKT INTERNATIONAL LIMITED
    Inventors: Iftekhar Akoob, Bernard Wagner, Riaan Jacobs, Gerhard Gysbert Oosthuizen, Daniel Deetlefs Bester, Xolisa Solwandle, Petrus Johannes De Wet, Francois Archibald Nolte, Dino Dominique Rodrigues Alves, Philip Johannes Cornelis Nel
  • Patent number: 11343249
    Abstract: A system, method, and apparatus for providing secure communications to one or more users through an unclassified network. The system may include a network access management device may have a plurality of internal data network communications interfaces configured to communicate with at least one classified computing device using a National Security Agency (NSA) Commercial Solution for Classified (CSfC) comprised solution and an external data network communications interface configured to communicate with an unclassified network. A network access management device may use an inner NSA CSfC approved tunneling technology, an outer NSA CSfC approved tunneling technology, and a processor configured to perform processing and routing protocols associated with interconnecting the internal data network communications interface and the external data network communications interface.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: May 24, 2022
    Assignee: KCT HOLDINGS, LLC
    Inventor: Keiron Christopher Tomasso
  • Patent number: 11323410
    Abstract: When a user equipment (UE) provides a new request to a serving gateway (S-GW), the S-GW augments domain name system (DNS) requests and provides them to a public DNS, with the augmentation providing indications of the requested function. The public DNS responds by providing the IP address of a simplified packet data network (PDN) gateway (P-GW) close to the UE location. The P-GW forwards communications to the nearest instance of an endpoint providing the requested service or function. In embodiments, some of the functions of the P-GW are shifted to other devices in the mobile core, devices that are already local. The simplification of the P-GW allows the P-GW to be virtualized and moved to a general-purpose server location. Existing information present in the data path is used to provide encryption of portions of the General Packet Radio Services (GPRS) Tunneling Protocol (GTP) connection, allowing the location of the P-GW to be optimized in a virtual server data center, as the data path is now secure.
    Type: Grant
    Filed: October 21, 2016
    Date of Patent: May 3, 2022
    Assignee: Mavenir Systems, Inc.
    Inventor: Nishi Kant
  • Patent number: 11310252
    Abstract: Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operates under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include a container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). The server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
    Type: Grant
    Filed: February 13, 2020
    Date of Patent: April 19, 2022
    Assignee: George Mason Research Foundation, Inc.
    Inventors: Anup Ghosh, Yih Huang, Jiang Wang, Angelos Stavrou
  • Patent number: 11303622
    Abstract: An embodiment method includes: obtaining, by a first key management system, a shared key of a first network element, where the shared key of the first network element is generated according to a key parameter obtained after the first network element performs authentication or a root key of the first network element; obtaining a service key, where the service key is used to perform encryption and/or integrity protection on communication data in a first service between the first network element and a second network element; performing encryption and/or integrity protection on the service key by using the shared key of the first network element, to generate a first security protection parameter; and sending the first security protection parameter to the first network element.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: April 12, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Lu Gan, Bo Zhang
  • Patent number: 11290277
    Abstract: Provided is a data processing system in which data are uploaded from a user terminal A to data storage server, and data are accessed from a user terminal B. User terminal A and B have a key KA and KB, respectively. Data storage server has a replacement key KA→B. User terminal A generates an authenticator tag with data M and temporary key R, generated by user terminal A, and generates a key k with temporary key R and key KA. User terminal A transmits data M, key k, and authenticator tag to the data storage server. Data storage server generates a key k′ from key k and replacement key KA→B, and transmits data M, key k′, and the message authenticator tag to user terminal B. User terminal B generates temporary key R with key k′ and key KB and generates an authenticator tag′ to compare with the received authenticator tag.
    Type: Grant
    Filed: February 18, 2016
    Date of Patent: March 29, 2022
    Assignee: HITACHI, LTD.
    Inventor: Hisayoshi Sato
  • Patent number: 11290493
    Abstract: Methods and systems for managing security in a cloud computing environment are provided. Exemplary methods include: receiving a target, the target specifying workloads of a plurality of workloads to be included in the security policy, the plurality of workloads being associated with the cloud computing environment; identifying nodes and edges in the graph database using the target, the graph database representing the plurality of workloads as nodes and relationships between the plurality of workloads as edges; getting a security intent, the security intent including a high-level security objective in a natural language; obtaining a security template associated with the security intent; and applying the security template to the identified nodes and edges to produce security rules for the security policy, the security rules at least one of allowing and denying communications between the target and other workloads of the plurality of workloads.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: March 29, 2022
    Assignee: vArmour Networks, Inc.
    Inventors: Marc Woolward, Meng Xu, Hong Xiao, Keith Stewart, Matthew M. Williamson
  • Patent number: 11283766
    Abstract: Techniques for network layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for network layer signaling security with next generation firewall includes monitoring a network layer signaling protocol traffic on a service provider network at a security platform; and filtering the network layer signaling protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11283608
    Abstract: A device and method for processing a ciphertext, including determining a seed using a secret key and the ciphertext, extracting a public key candidate from the ciphertext using the seed, determining a checkvalue candidate based on the public key candidate, comparing the checkvalue candidate with a checkvalue, and further processing the ciphertext if the comparison indicates that the checkvalue candidate corresponds to the checkvalue.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: March 22, 2022
    Assignee: Infineon Technologies AG
    Inventor: Thomas Poeppelmann
  • Patent number: 11283767
    Abstract: Techniques for Diameter security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for Diameter security with next generation firewall includes monitoring Diameter protocol traffic on a service provider network at a security platform; and filtering the Diameter protocol traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 20, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky, Mingxu Huo, Fengliang Hu
  • Patent number: 11283765
    Abstract: Techniques for application layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for application layer signaling security with next generation firewall includes monitoring application layer signaling traffic on a service provider network at a security platform; and filtering the application layer signaling traffic at the security platform based on a security policy.
    Type: Grant
    Filed: May 6, 2020
    Date of Patent: March 22, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11277269
    Abstract: System and methods for generating and authenticating verifiable network traffic. Specifically, the system and methods disclosed herein describe solutions for augmenting layer-2 (L2) frames with additional verifiable information entailing, for example, hash-based message authentication code encryption or digital signature authentication. These solutions may address scenarios where evidence of tampering, through deceptive practices, of network traffic data may prove difficult to detect.
    Type: Grant
    Filed: December 13, 2018
    Date of Patent: March 15, 2022
    Assignee: Arista Networks, Inc.
    Inventors: David Snowdon, Russel Lowes, Peter Testrake, Daniel Farrell
  • Patent number: 11265290
    Abstract: Techniques for transport layer signaling security with next generation firewall are disclosed. In some embodiments, a system/process/computer program product for transport layer signaling with next generation firewall includes monitoring transport layer signaling traffic on a service provider network at a security platform; and filtering the transport layer signaling traffic at the security platform based on a security policy.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: March 1, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventors: Sachin Verma, Leonid Burakovsky
  • Patent number: 11258590
    Abstract: Described herein are methods, systems, and computer-readable storage media for managing cryptographic keys needed for peripheral devices to securely communicate with host computing devices. Techniques include receiving, at a centralized identity management resource, a first key that is part of a cryptographic key pair comprising the first key and a second key, wherein the second key is stored at a peripheral device for use by the peripheral device in encrypting data. Techniques further include identifying a first host computing device that is permitted to engage in secure communications with the peripheral device. Further, making available the first key from the centralized identity management resource to the first host computing device to enable the first host computing device to decrypt the encrypted data.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: February 22, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Omar Tsarfati, Asaf Hecht, Hadas Elkabir
  • Patent number: 11245516
    Abstract: Systems and methods to produce shared secret data are generally described. In some examples, a first device may receive a first public key from a second device. The first device may produce a first public key based on the first public key of the second device. The respective private keys of each device may be associated with the first public keys of each device. Each device may produce a second public key based on respective private keys and the other device's first public key. Each device may transmit a second public key to the other device. The first device may produce the shared secret data based on its private key and the second public key of the second device. The second device may produce the shared secret data based on its private key and the second public key of the first device.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: February 8, 2022
    Assignee: VERIDIFY SECURITY INC.
    Inventors: Iris Anshel, Dorian Goldfeld
  • Patent number: 11212115
    Abstract: An information processing apparatus generates a public key pair in accordance with a certificate issuance request, generates a certificate signing request based on the public key pair and transmits an electronic certificate issuance request to an external apparatus. The information processing apparatus receives a response transmitted from the external apparatus as a response to the electronic certificate issuance request, obtains an electronic certificate included in the received response and causes an application to enable its use of the obtained electronic certificate.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: December 28, 2021
    Assignee: CANON KABUSHIKI KAISHA
    Inventors: Naoya Kakutani, Hisayuki Yamauchi