Patents Examined by Christopher C. Harris
  • Patent number: 10678908
    Abstract: In one example embodiment, an electronic device is provided and configured to: acquire authentication data for an authorized user; store the authentication data in an enclave; acquire identification data for a potential user; and compare, in the enclave, the identification data to the authentication data for recognizing if the potential user is the authorized user. In another embodiment, a server is provided and includes at least one processor; at least one memory; at least one driver, where the server is configured to: receive assertion data from an electronic device, where the assertion includes an authentication signing key and results from a comparison of acquired data and reference data; and determine if the assertion data is valid by: comparing the results to a threshold; and comparing the authentication signing key to an authentication signing key assigned to the electronic device.
    Type: Grant
    Filed: December 21, 2013
    Date of Patent: June 9, 2020
    Assignee: McAfee, LLC
    Inventors: Steve Grobman, Carl Woodward, James D. Beaney, Jr., Jimmy Scott Raynor
  • Patent number: 10671749
    Abstract: A data processing system is disclosed for data processing, including database and file management, as well as accessing one or more databases or other data structures, authenticating users, and categorizing data items for addition to the database system. In some embodiments, the system may be configured to coordinate access to user account information via user-provided authentication credentials; apply account identification rules to the accessed account information to identify a plurality of accounts of the user; and initiate updates to a database record associated with the user indicative of any accounts identified.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: June 2, 2020
    Assignee: ConsumerInfo.com, Inc.
    Inventors: Michelle Felice-Steele, Michele Raneri, Paul DeSaulniers, Joe Manna, Jeff Softley, Srikumar Puthupadi Kanthadai, Aga Dzhafar Hady Ogiu Dzhafarov, Pat Finneran, Donna Meryl Smith, Gregory Lennox Wright, Marizette Galvez, Ujjayan Banerjee, Ravi Devesetti, Shivakumar Ramanathan, Mukeshkumar G. Patel
  • Patent number: 10664624
    Abstract: A method and an apparatus for controlling video output, where the method includes detecting in real time, by a security controller, whether an output resolution configured in a video display controller and a high-bandwidth digital content protection (HDCP) encryption status configured in a high-definition multimedia interface (HDMI) satisfy an HDCP requirement of a video, and when the HDCP requirement of the video is not satisfied, sending, by the security controller, an instruction to the video display controller instructing the video display controller to stop outputting the video. Hence, when the HDCP requirement of the video is not satisfied the output video is insecure such that the security controller sends the instruction to the video display controller instructing the video display controller to stop outputting the video. Therefore, security of the video output is ensured.
    Type: Grant
    Filed: July 5, 2018
    Date of Patent: May 26, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Huamin Luo, Chiranjib Chakraborty, Shangsong Chen
  • Patent number: 10652220
    Abstract: Disclosed herein are embodiments of systems, methods, and products comprising a computing device, which provides a secure data transport service (SecureX) for data packets traversing from an end user device (EUD) to a mission network over untrusted networks. The disclosed SecureX module may be a software product running on the EUD and on a SecureX appliance fronting the mission network. The SecureX module on the EUD compresses the data packets by removing header fields that are constant over the same packet flow and double encrypts the data packets with different cryptographic keys. The SecureX on the EUD transmits the double compressed encrypted data packets over the untrusted network. The SecureX appliance receives the double compressed encrypted data packets, decrypts the data packets and decompresses the data packets to recreate the original data packets. The SecureX appliance transmits the original data packets to the mission network.
    Type: Grant
    Filed: May 9, 2018
    Date of Patent: May 12, 2020
    Assignee: Architecture Technology Corporation
    Inventor: Ranga S. Ramanujan
  • Patent number: 10628565
    Abstract: A method and device for user authorization is presented herein. The authorization device may be integrated in a display interface configured to receive an infrared input signal. The device may include a means for converting the infrared signal into an electric signal. The device may further include a processor configured to analyze the electrical signal. The processor may further be configured to provide an authorization of a user based on the analysis of the electrical signal.
    Type: Grant
    Filed: March 8, 2016
    Date of Patent: April 21, 2020
    Assignee: SONY CORPORATION
    Inventor: Gunnar Klinghult
  • Patent number: 10623427
    Abstract: Systems and methods for identifying and responding to anomalous data activity by a computer user on a computing device are presented. An anomalous data activity service, implemented as a machine learning service, receives notice of data activity and conducts an evaluation to determine whether the data activity is an anomalous data activity. Upon determining that the data activity is an anomalous data activity, a responsive action may be taken that may result in the anomalous data activity being blocked or allowed.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: April 14, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Roee Oz, Yuval Eldar, Royi Ronen
  • Patent number: 10615968
    Abstract: A method includes receiving, at a key management system from one or more client devices, one or more requests for cryptographic keys stored in respective clouds of a plurality of cloud service providers in a multi-cloud environment, the cryptographic keys being distributed across different ones of the respective clouds of the plurality of cloud service providers in the multi-cloud environment. The method also includes determining a location of a given one of the requested cryptographic keys on one or more of the clouds of the cloud service providers in the multi-cloud environment, retrieving the given cryptographic key from the determined location in the multi-cloud environment, providing the given cryptographic key to a given one of the client devices, and shuffling the distribution of the cryptographic keys across the clouds of the plurality of cloud service providers in the multi-cloud environment.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: April 7, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Andrew Byrne, Donagh A. Buckley
  • Patent number: 10609458
    Abstract: An apparatus for embedding a digital watermark includes a memory, and a processor coupled to the memory and configured to generate a watermark signal to be embedded into moving image data based on information to be added to the moving image data, determine a frame of the moving image data at which overlapping of the watermark signal is to be started based on a variation in value in a time direction of a pixel in a region, in each of a plurality of frames of the moving image data, into which the watermark signal is to be embedded and also on a feature of the watermark signal, and embed the watermark signal beginning with the determined frame.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 31, 2020
    Assignee: FUJITSU LIMITED
    Inventor: Shohei Nakagata
  • Patent number: 10599826
    Abstract: Systems and methods for performing decoupled authorization, whereby authorizing access permissions of a user to a resource is performed separate and independent from authorizing intent of the user to access the resource. Once both authorizations are successfully completed within a specified timeout interval, the access state of the resource is changed, thereby granting the user access to the resource. The decoupled authorizations are independently performed over different networks, in response to different triggers, or by leveraging different hardware. Access to the resource can therefore be provided prior to the user arriving before the resource, with little to no action by the user, and without compromising security, as the resources will remain restricted or locked if either of the user's intent or access permissions cannot be verified.
    Type: Grant
    Filed: September 5, 2017
    Date of Patent: March 24, 2020
    Assignee: OPENPATH SECURITY INC.
    Inventors: Alexander A. Kazerani, Robert J. Peters, Samy Kamkar
  • Patent number: 10601808
    Abstract: Single sign-in for accessing protected content across all providers and access channels is provided. When a user selects to view an additional content item, a determination may be made whether access authentication from the requesting user is required. If access authentication is required, a federated login credential may be received from the requesting user. The federated login credential may be used for granting access by the requesting user to the selected additional content item across different content channels, and the federated login credential may be used for granting access by the requesting user to other protected content items without requiring additional access authentication from the requesting user.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: March 24, 2020
    Assignee: COX COMMUNICATIONS, INC
    Inventors: Yousef Wasef Nijim, James Alan Strothmann, Jay Paul Langa
  • Patent number: 10594668
    Abstract: In one embodiment, a crypto cloudlet is provided that includes a security wrapper to a virtual machine to guarantee secure Input/Output exchange between a client and one or more cryptographic adaptive services powered by a set of virtual CPUs through a single well defined channel, an adaptive service running in the virtual machine that identifies hardware resources necessary to satisfy a cryptographic demand or request, and an Ethernet interface communicatively coupled to the security wrapper providing network channel services for exchange of cryptographic data and commands. The security wrapper presents to the adaptive services the hardware accelerators exposed by the virtual machine. Other embodiments are disclosed.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: March 17, 2020
    Assignee: Thales eSecurity, Inc.
    Inventors: Enrique Sanchez, Bernardo Arainty, John Perret, Tomas Arredondo, Pedro Valladares, Guillermo Cordon, Sergio Barcala, Marc Boillot
  • Patent number: 10586038
    Abstract: Systems and methods are disclosed for providing stack overflow protection on a system on chip via a hardware write-once register. An exemplary embodiment of a system on chip comprises a hardware write-once register, a boot processor, and one or more processor subsystems. The boot processor is configured to execute a read only memory (ROM) image which initializes the hardware write-once register with a first numeric value in response to the system on chip being powered on. The one or more processor subsystems have an associated software image configured to use the first numeric value in the hardware write-once register as a stack canary value to combat stack overflow attacks.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: March 10, 2020
    Assignee: Qualcomm Incorporated
    Inventors: Mamta Desai, Ashutosh Shrivastava, Dhamim Packer Ali
  • Patent number: 10586025
    Abstract: A method and system for allowing an independent software vendor (ISV) access to proprietary software code for software of an organization has been developed. An ISV generates a login request that masquerades as a user of the software. A license management system that controls access to the software is accessed and determines if two session IDs are present. The presence of two separate session IDs identifies the ISV and if detected, the ISV is allowed access to the proprietary software code. Finally, the organization is notified about the ISV's access to the proprietary software code.
    Type: Grant
    Filed: September 7, 2017
    Date of Patent: March 10, 2020
    Assignee: salesforce.com, inc.
    Inventors: Nicholas Chun Yuan Chen, Nathan Edward Lipke, David Ross Baker, Winston Chow, Jonathan Widjaja
  • Patent number: 10575273
    Abstract: Embodiments are directed to enrollment of an endpoint device in a secure domain. An enrollment request is sent to a delegated registrar (DR) device to initiate a trust-establishment procedure with the DR device to establish initial connectivity and an initial symmetric key to be shared between the DR and the endpoint device. The DR device provides to the endpoint device limited-use credentials for group-access key establishment, and group connectivity parameters for accessing a group administrator (GA) device. The endpoint device and the GA device perform a group-enrollment procedure in which the endpoint device provides the limited-use credentials to the GA device and receives, from the GA device, the group-access key.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: February 25, 2020
    Assignee: Intel Corporation
    Inventors: Meiyuan Zhao, Jesse R. Walker, Victor B. Lortz, Jianqing Zhang
  • Patent number: 10572658
    Abstract: Configuration discrepancies, such as server drift among different servers or malicious code installed on one or more servers, can be identified using system attribute information regarding processes, CPU usage, memory usage, etc. The system attribute information can be used to generate an image, which can be compared to other images to determine if a configuration discrepancy exists. Image recognition algorithms can be used to facilitate image comparison for different systems. By identifying configuration discrepancies, downtime and other issues can be mitigated and system performance can be improved.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: February 25, 2020
    Assignee: PAYPAL, INC.
    Inventor: Shlomi Boutnaru
  • Patent number: 10552641
    Abstract: Implementations of the present specification include storing a data item in a consortium blockchain; generating a first data digest based on the stored data item; sending the first data digest to verification nodes to cryptographically sign it and store the signed first data digest in a public blockchain; receiving a request to retrieve the stored data item; retrieving the requested data item from the consortium blockchain; generating a second data digest based on the retrieved data item; sending the second data digest to verification nodes so that each verification node signs the second data digest; receiving the signed second data digests from the plurality of verification nodes; retrieving the signed first data digests from the public blockchain; determining that the signed first data digests match the signed second data digests; and sending a response indicating the stored data item is unchanged to the request to retrieve the stored data item.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: February 4, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Long Cheng, Yanpeng Li, Zhiyuan Feng
  • Patent number: 10547447
    Abstract: In one embodiment, a first apparatus includes a processor and an interface, wherein the interface is operative to receive a request from a second apparatus to commence a keyed-hash message authentication code (HMAC) computation, the processor is operative to perform a first computation computing a first part of the HMAC computation using a secret key K as input yielding a first value, the interface is operative to send the first value to the second apparatus, the interface is operative to receive a second value from the second apparatus, the second value resulting from the second apparatus processing the first value with at least part of a message M, the processor is operative to perform a second computation based on the second value and the secret key K yielding an HMAC value, and the interface is operative to send the HMAC value to the second apparatus.
    Type: Grant
    Filed: September 4, 2017
    Date of Patent: January 28, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Benyamin Hirschberg, Yaron Sella, Gilad Taub
  • Patent number: 10531292
    Abstract: The present disclosure relates to methods and apparatus for flexible security context management during AMF changes. One aspect of the disclosure is a mechanism for achieving backward security during AMF changes in idle mode. Instead of passing the current NAS key to the target AMF, the source AMF derives a new NAS key, provides the new NAS key to the target AMF, along with a key change indication indicating that the NAS key has changed. The target AMF sends the key change indication to the user equipment.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: January 7, 2020
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Noamen Ben Henda, Christine Jost, Karl Norrman, Monica Wifvesson
  • Patent number: 10521616
    Abstract: As a PUF device ages, the response characteristics of the device change. Thus, mappings made on the original PUF outputs can drift and become invalid. Re-enrollment or re-mapping of hidden values to PUF response characteristics can resolve the changing nature of the PUF. Unfortunately, an adversary may tamper with the PUF during re-enrollment compromising security of the PUF. Accordingly, techniques of securely and remotely re-enrolling a PUF device are described. During an initial enrollment of the PUF device, multiple sets of enrollment values of the PUF device can be generated. For remote re-enrollment, a first initial set of enrollment values can be used to authenticate the PUF device. Upon authentication using the first initial set, the PUF device can re-enroll the PUF device and account for changes in PUF characteristics. A second set of initial enrollment values can then be used to verify that the PUF device is unaltered.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: December 31, 2019
    Assignee: Analog Devices, Inc.
    Inventor: John Ross Wallrabenstein
  • Patent number: 10516666
    Abstract: An authentication method is provided. The authentication method includes receiving a login request from a client terminal. The login request may be generated based on an identification feature of the client terminal, and the login request may include account information associated with the client terminal. The method may further include identifying the identification feature based on the login request, determining whether a database associated with a server includes the identification feature and the account information, generating login status information based on a result of the determination and sending the login status information to the client terminal, and if the login status information indicates a login success of the client terminal, initiating data communications with the client terminal.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: December 24, 2019
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Wenlong Yu