Patents Examined by Chau Le
  • Patent number: 10977362
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, and sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: April 13, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Yirong Yu, Honglin Qiu
  • Patent number: 10979905
    Abstract: A method and system for automatically terminating access or initiating a logout session for a restricted access system by determining that an authorized user has left the vicinity of the restricted access system. The authorized user preferably carries a wireless transmitter which transmits an authorization signal. When the authorized user leaves the vicinity of the restricted access system after logging in, the signal is no longer received by a wireless receiver or is too weak, such that an access control system in communication with the wireless receiver automatically causes the restricted access system to initiate a logout action in order to prevent or reduce the chance of an unauthorized user gaining access to the restricted access system. In one embodiment, the signal strength from the authorization signal at the time of logon is used as a baseline signal strength for future calculations that determine when to initiate an automatic termination of access to the restricted access system.
    Type: Grant
    Filed: May 9, 2019
    Date of Patent: April 13, 2021
    Assignee: COLLATERAL OPPORTUNITIES, LLC
    Inventors: Bruce Howard Kusens, Michael Kusens
  • Patent number: 10972770
    Abstract: Described embodiments provide systems and methods for data encryption. A server communicating data with a client can determine a level of data encryption on the data that the server is capable of handling according to resources available to the server. A level of data encryption can include a type of encryption and a strength of the type of data encryption. The server can receive a level of data encryption on the data that the client is capable of handling according to resources available to the client. The server can identify a level of data encryption with which the server and the client agree to proceed, according to the determined level of data encryption and the received level of data encryption. The server, following a predefined interval, can identify an updated level of data encryption with which the server and the client agree to proceed.
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: April 6, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Marcos Alejandro Di Pietro, Thierry Duchastel
  • Patent number: 10972258
    Abstract: Example methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to implement contextual key management for data encryption are disclosed. Example apparatus disclosed herein to perform contextual encryption key management, which are also referred to herein as contextual key managers, include an example context discoverer to discover context information associated with a request to access first encrypted data. Such disclosed example apparatus also include an example contextual key mapper to identify a combination of context rules associated with a key that is to provide access to the first encrypted data, validate the context information associated with the request based on the combination of context rules associated with the key to determine whether the request to access the first encrypted data is valid, and obtain the key from a key management service when the request to access the first encrypted data is valid.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: April 6, 2021
    Assignee: McAfee, LLC
    Inventors: Mark Ian Gargett, Shashank Visweswara, Wayne Helm Gibson, David Paul Webb
  • Patent number: 10972480
    Abstract: A hardware device architecture is described that improves security and flexibility in access to hardware device settings. A device management proxy service is digitally signed and granted access to device settings. Applications are then digitally provisioned by the proxy service and only validated signed requests from applications are permitted to change hardware device settings. Further granularity over hardware device settings is achieved through user accounts and groups established by the applications.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: April 6, 2021
    Assignee: Hand Held Products, Inc.
    Inventors: Daniel D. Yeakley, Arthur Millican
  • Patent number: 10965699
    Abstract: Approaches provide for monitoring attempted network activity such as network port connections and corresponding payloads of network data obtained by a network device and, based on the attempted connections and/or payloads, identifying malicious network activity in real time. For example, network activity obtained from a plurality of network devices in a service provider environment can be monitored to attempt to detect compliance with appropriate standards and/or any of a variety of resource usage guidelines (e.g., network behavioral standards or other such rules, guidelines, or network behavior tests) based at least in part on network port connection activity with respect to at least one network device. If it is determined that network activity is not in compliance with the usage guidelines, or other such network behavior test, the system can take one or more remedial actions, which can include generating a notification identifying the malicious network activity.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: March 30, 2021
    Assignee: Rapid7, Inc.
    Inventor: Roy Hodgman
  • Patent number: 10965658
    Abstract: In a networked environment, a client side application executed on a client device may transmit a request to an authorization service for access to a resource. The authorization service may authenticate the user of client device and/or the client device based on user credentials and/or a device identifier. In response to authenticating the user and/or the client device, the authorization service may send to the client side application a request for confirmation that the client device complies with a distribution rule associated with the resource, where the distribution rule requires a specific application or specific type of application to be installed, enabled and/or executing on the client device as a prerequisite to accessing the resource. If the client device complies with the distribution rule, the client side application accesses the resource. Accessing the resource may include receiving an authorization credential required for access to the resource.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: March 30, 2021
    Assignee: AirWatch LLC
    Inventor: Erich Stuntebeck
  • Patent number: 10956623
    Abstract: The present invention relates to a method to fabricate a tamper respondent assembly. The tamper respondent assembly includes an electronic component and an enclosure fully enclosing the electronic component. The method includes printing, by a 3-dimensional printer, a printed circuit board that forms a bottom part of the enclosure and includes a first set of embedded detection lines for detecting tampering events and signal lines for transferring signals between the electronic component and an external device. The electronic component is assembled on the printed circuit board, and a cover part of the enclosure is printed on the printed circuit board. The cover part includes a second set of embedded detection lines. Sensing circuitry can be provided for sensing the conductance of the first set of embedded detection lines and the second set of embedded detection lines to detect tampering events.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: March 23, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Silvio Dragone, Michael Fisher, William Santiago Fernandez, Ryan Elsasser, James Busby, John R. Dangler, William L. Brodsky, David C. Long, Stefano S. Oggioni
  • Patent number: 10951616
    Abstract: A method disclosed herein generally facilitates authenticating of an electronically-detectable device identifier against a user account identifier, such as a user-provided phone number, to ensure that a user account identified by the user account identifier is accessible by a user who is in possession of the electronic device having the device identifier.
    Type: Grant
    Filed: November 2, 2018
    Date of Patent: March 16, 2021
    Assignee: Spruce Labs, Inc.
    Inventors: Taylor Romero, Ryan Johnson
  • Patent number: 10938552
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing blockchain data. One method includes receiving a request from an application component of a blockchain node to execute one or more software instructions in a trusted execution environment (TEE); determining one or more blockchain node blocks for executing the one or more software instructions; performing error correction coding of the one or more blocks in the TEE to generate one or more encoded blocks; dividing each of the one or more encoded blocks into a plurality of datasets; selecting one or more datasets from each of the one or more encoded blocks; and hashing the one or more datasets to generate one or more hash values corresponding to the one or more datasets for use in replacing the one or more datasets to save storage space of the blockchain node.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: March 2, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Haizhen Zhuo
  • Patent number: 10936735
    Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: March 2, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Frank Paterra, Firat Basarir
  • Patent number: 10938572
    Abstract: Revocable biometric-based keys for digital signing are provided by, in part, generating a revocable public key at a secure device and transmitting the public key to a registration system for registration to facilitate linking the public key to the secure device user's identity for use in accessing a protected resource. Generating the revocable public key may include generating a salt, storing the salt on the secure device, and temporarily obtaining, by the secure device, biometric data of the user of the secure device. The biometric data is obtained from user biometrics, and the temporarily obtaining is absent storing the biometric data in persistent storage. A public and private key pair is generated at the secure device based, at least in part, on the stored salt and the user's temporarily obtained biometric data.
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: March 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthew Hamann, Peter Szeto, Cody Walker, Siddharth Goyal
  • Patent number: 10936746
    Abstract: Methods and systems are disclosed for genetic manipulation and for securing communication of genetic sequences. In one example, a sequence security system comprises a security device communicatively coupled to a separator module, the separator module comprising a first separator device and a second separator device. The security device may store instructions in non-transitory memory that are executable by a processor to receive a source sequence from the first separator device at a receiving module, receive manipulation instructions from the second separator device at the receiving module, and apply the manipulation instructions to the source sequence to form a target sequence via a transforming module. Thus, the source sequence and the manipulation instructions may be maintained separate from one another until the source sequence and the manipulation instructions are received at the receiving module, for example.
    Type: Grant
    Filed: December 11, 2017
    Date of Patent: March 2, 2021
    Assignee: SEROTINY, INC.
    Inventors: Justin Farlow, Colin Farlow
  • Patent number: 10917390
    Abstract: Some websites accessed via browser allow for file uploading via drag and drop functionality. In a drag and drop operation, a user selects a file on the information handling system and drags the file to a browser window for uploading via the browser. File encryption systems, such as virtual file systems, may implement an encryption algorithm and enforce encryption standards, set by a user or organization, when uploading files via a browser, including uploading of files performed via file drag and drop functionality.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: February 9, 2021
    Assignee: Dell Products L.P.
    Inventors: James D. Testerman, James M. Burke
  • Patent number: 10915655
    Abstract: Some websites accessed via browser allow for file uploading via drag and drop functionality. In a drag and drop operation, a user selects a file on the information handling system and drags the file to a browser window for uploading via the browser. File encryption systems, such as virtual file systems, may implement an encryption algorithm and enforce encryption standards, set by a user or organization, when uploading files via a browser, including uploading of files performed via file drag and drop functionality.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: February 9, 2021
    Assignee: Dell Products L.P.
    Inventors: James D. Testerman, James M. Burke
  • Patent number: 10904231
    Abstract: Data may be encrypted using a derived block encryption key for each of at least one append blocks of data. A data operation associated with manipulating particular data associated with a user may be received. The particular data may comprise at least one append block of data. In response to the received data operation, for each append block of data of the at least one append block of data, parameters associated with deriving a block encryption key for a given append block of data of the at least one append block of data may be accessed. The parameters may comprise at least a data encryption key associated with the user and a nonce. A block encryption key may be derived for the given append block of data utilizing the parameters. The given append block of data may be encrypted utilizing the block encryption key.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: January 26, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Baskar Sridharan, Victor V. Boyko, Sriram K. Rajamani, Mitica Manu
  • Patent number: 10897349
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for storing blockchain data. One method includes receiving a request from an application component of a blockchain node to execute one or more software instructions in a trusted execution environment (TEE); determining one or more blockchain node blocks for executing the one or more software instructions; performing error correction coding of the one or more blocks in the TEE to generate one or more encoded blocks; dividing each of the one or more encoded blocks into a plurality of datasets; selecting one or more datasets from each of the one or more encoded blocks; and hashing the one or more datasets to generate one or more hash values corresponding to the one or more datasets for use in replacing the one or more datasets to save storage space of the blockchain node.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: January 19, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Haizhen Zhuo
  • Patent number: 10887346
    Abstract: Rapid deployments of application-level deceptions (i.e., booby traps) implant cyber deceptions into running legacy applications both on production and decoy systems. Once a booby trap is tripped, the affected code is moved into a decoy sandbox for further monitoring and forensics. To this end, this disclosure provides for unprivileged, lightweight application sandboxing to facilitate monitoring and analysis of attacks as they occur, all without the overhead of current state-of-the-art approaches. Preferably, the approach transparently moves the suspicious process to an embedded decoy sandbox, with no disruption of the application workflow (i.e., no process restart or reload). Further, the action of switching execution from the original operating environment to the sandbox preferably is triggered from within the running process.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: January 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: Frederico Araujo, Douglas Lee Schales, Marc Philippe Stoecklin, Teryl Paul Taylor
  • Patent number: 10880083
    Abstract: An information processing apparatus includes a processor configured to receive, respectively from a plurality of external devices, plural pieces of encrypted data encrypted with a random number sequence. The processor generates parity data by using the received plural pieces of encrypted data. The processor stores the generated parity data in a memory. The processor receives a restoration request for restoring first encrypted data from a first external device among the plurality of external devices. The processor receives, respectively from one or more second external devices among the plurality of external devices other than the first external device, one or more pieces of second encrypted data among the plural pieces of encrypted data other than the first encrypted data. The processor restores the first encrypted data by using the received one or more pieces of second encrypted data and the parity data stored in the memory.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: December 29, 2020
    Assignee: FUJITSU LIMITED
    Inventor: Takanori Tateno
  • Patent number: 10867271
    Abstract: A computer access control system includes a client electronic device configured to administer an alertness test to a user. A computer access controller is coupled to and configured to be actuated by the client electronic device.
    Type: Grant
    Filed: June 16, 2017
    Date of Patent: December 15, 2020
    Assignee: Predictive Safety SRP, Inc.
    Inventors: Henry M. Bowles, Marcus T. Wichmann, Darren B. Chamberlin