Patents Examined by Darshan I Dhruv
  • Patent number: 11582034
    Abstract: Secure management of keys and identities of an object manufactured by a manufacturer having a manufacturer key pair, and a client having a client key pair, the management being carried out using a decentralized blockchain database. The method includes generation of a manufacturing key pair; and publication and recording, in the blockchain, of the decentralized object identifier used to obtain the public key of the object. When a client purchases the object from the manufacturer, the method includes providing, by the object manufacturer, the object identifier, and the public manufacturing key to the client; and updating the blockchain. When the object is switched on for the first time, the object enrolls itself by generation of a utilization key pair; auto-enrollment using the manufacturing key pair; and replacement, in the blockchain, of the public manufacturing key associated with the object identifier with the public utilization key associated with the object identifier.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: February 14, 2023
    Inventors: Guillaume Hébert, David Leporini
  • Patent number: 11575705
    Abstract: A security appliance may incorporate a touch screen or similar input/output interface, providing command and control over network functionality and configuration, without requiring log in via a network from another computing device. During denial of service attacks, commands from the local interface may be given priority access to processing resources and memory, allowing mitigating actions to be taken, such as shutting down ports, blacklisting packet sources, or modifying filter rules. This may allow the security device to address attacks without having to be manually rebooted or disconnected from the network.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: February 7, 2023
    Assignee: FORTRESS CYBER SECURITY, LLC
    Inventor: Dejan Nenov
  • Patent number: 11575663
    Abstract: A system and method are disclosed for transporting application data through a communications tunnel between a host device and a guest device that each includes networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and take into account various factors.
    Type: Grant
    Filed: May 17, 2021
    Date of Patent: February 7, 2023
    Assignee: NETOP SOLUTIONS A/S
    Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
  • Patent number: 11562099
    Abstract: Embodiments enable a displayed webpage containing sensitive information to be accurately and efficiently sanitized. The sensitive information is contained within a text string of the webpage and displayed using a font specified in a style sheet. The text string that is to be sanitized is determined based on a tag for sanitization associated with the text string. When the tag is determined the text string is rendered using a font from the style sheet that is not legible. Upon rendering, the text string of the webpage is redisplayed using the non-legible font, which effectively sanitizes the text string containing the sensitive information.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: January 24, 2023
    Assignee: Allscripts Software, LLC
    Inventors: Richard Walter Weldon, Nicholas Breen, David Kelly Anderson, Jacob Castro
  • Patent number: 11563564
    Abstract: Systems, methods, and computer-readable media for facilitating an authentication processing service are provided.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: January 24, 2023
    Assignee: KEYLESS TECHNOLOGIES LTD
    Inventors: Andrea Carmignani, Fabian Eberle, Giuseppe Ateniese, Jaroslav Šeděnka, Paolo Gasti
  • Patent number: 11558175
    Abstract: In one embodiment, data communication apparatus includes a network interface for connection to a network and configured to receive a sequence of data packets from a remote device over the network, the sequence including data blocks, ones of the data blocks having block boundaries that are not aligned with payload boundaries of the packets, and packet processing circuitry to cryptographically process the data blocks using a block cipher so as to write corresponding cryptographically processed data blocks to a memory, while holding segments of respective ones of the received data blocks in the memory, such that the packet processing circuitry stores a first segment of a data block of a first packet in the memory until a second packet is received, and then cryptographically processes the first and second segments together so as to write a corresponding cryptographically processed data block to the memory.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: January 17, 2023
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Miriam Menes, Noam Bloch, Adi Menachem, Idan Burstein, Ariel Shahar, Maxim Fudim
  • Patent number: 11558201
    Abstract: A method of creating and applying a self-authenticating digital identity for a user having an identity is described.
    Type: Grant
    Filed: May 6, 2021
    Date of Patent: January 17, 2023
    Assignee: Banco Bilbao Vizcaya Argentaria, S.A.
    Inventor: Louis Gasparini
  • Patent number: 11546163
    Abstract: A system for performing a service by using biometric information is disclosed.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: January 3, 2023
    Inventors: Jinsu Kim, Junbum Shin, Sungwook Kim
  • Patent number: 11522722
    Abstract: A communication apparatus configured to acquire information in a distributed ledger shared in a network, the communication apparatus includes a memory; and a processor coupled to the memory and configured to acquire one or more digital certificates used by a user of another apparatus to apply to the communication apparatus from the other apparatus, acquire type information that identifies a combination of the user and the type of information certified by the one or more digital certificates, by using the distributed ledger, acquire certificate issue history that is recorded in the distributed ledger in association with the type information, and determine whether the issue history contains information of another digital certificate that has not been acquired from the other apparatus.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: December 6, 2022
    Assignee: FUJITSU LIMITED
    Inventor: Dai Suzuki
  • Patent number: 11503079
    Abstract: Apparatus to enforce network policy based on identity authentication at a network endpoint device by offloading the authentication to a network attached authentication device is disclosed. The authentication device may use Statistical Object Identification to perform the authentication. The present disclosure greatly reduces the resources needed by the network endpoint device to perform the authentication and eliminates the topological restrictions found in traditional network appliance based approaches.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: November 15, 2022
    Assignee: Blue Armor Technologies, LLC
    Inventors: John William Hayes, Charles Andrew Gram
  • Patent number: 11502854
    Abstract: A virtual hardware security module (“HSM”) is used to perform cryptographic operations. The virtual HSM may provision and coordinate requests between one or more HSMs within a fleet of HSMs. A set of cryptographic keys and/or digital certificates may be exchanged between a client and the virtual HSM such that the client and the virtual HSM may communicate with each other via a cryptographically protected communication session. The fleet of HSMs of a virtual HSM may be scaled up or scaled down according to various criteria. Cryptographic key material may be propagated between HSMs of the fleet using a fleet transfer key. Digital certificates may be used to demonstrate that one or more cryptographic keys were generated by a service provider and/or manufacturer.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: November 15, 2022
    Assignee: Amazon Technologies, Inc.
    Inventor: Steven Preston Lightner Norum
  • Patent number: 11502837
    Abstract: The system and methods described herein may be utilized to perform operations in a faster and less complex manner than provided by conventional systems. An encrypted record may be stored at a user device. The encrypted record may include entries related to operations that were previously requested by the user device. The encrypted record may have been encrypted using a dynamic value and a key that is associated with an entity associated with the user. A recipient computer of a request by the user device may be configured to utilize the dynamic value provided in the request and the key associated with the entity to derive the encryption key(s) last used to encrypt the record. The recipient computer may decrypt and modify the encrypted record to perform the requested operation while the user device is precluded from doing so.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: November 15, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Sivanarayana Gaddam, Rohit Sinha, Atul Luykx, Hao Yang
  • Patent number: 11496304
    Abstract: An information processing device includes a memory; and a processor coupled to the memory and configured to transmit, to a terminal, a program and a first identifier related to the program, the program being encrypted with a first public key corresponding to a first private key of the terminal, the first identifier being encrypted by using the first public key and a second public key not corresponding to the first private key; and when the terminal receives the first identifier decrypted by the first public key and encrypted by the second public key, register, in a blockchain, transaction information which includes the first identifier decrypted with the second private key corresponding to the second public key.
    Type: Grant
    Filed: December 1, 2020
    Date of Patent: November 8, 2022
    Assignee: FUJITSU LIMITED
    Inventors: Takuma Takeuchi, Ken Kamakura
  • Patent number: 11496289
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for symmetric cryptography using varying sized symbol sets. To protect against a brute force or other similar type of attack, multiple symbol sets of varying sizes can be used for encrypting/decrypting data. For example, different portions of the data (e.g., data blocks representing multiple symbols, set of bits representing a single symbol) may be encrypted/decrypted using different symbol sets that include different numbers of unique symbols. Using varying sized symbol sets adds additional complexity to the encryption process, thereby greatly increasing the difficulty in decrypting the encrypted data with a brute force attack.
    Type: Grant
    Filed: August 5, 2020
    Date of Patent: November 8, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amer Aref Hassan, Whitney J Giaimo, Roy D Kuntz
  • Patent number: 11496326
    Abstract: A system is configured to derive a set of encryption keys from measured device characteristics of at least one PUF device and communicate with a remote device by performing a cryptographic operation secured by the set of encryption keys. The cryptographic operation includes segmenting a first data stream into a first plurality of data stream fragments, segmenting a first data stream fragment of the first plurality of data stream fragments into a first numeric value and a second numeric value, identifying, using the first numeric value, a first encryption key of the set of encryption keys, and applying a one-way cryptographic function to the first encryption key a first number of times determined by the second numeric value to generate a transformed fragment having a value that depends on the values of the first numeric value and the second numeric value from the first data stream fragment and a value of the first encryption key.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: November 8, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand F Cambou
  • Patent number: 11496295
    Abstract: Provided is a non-transitory computer readable medium. The non-transitory computer readable medium stores program code that, when executed by a processor, causes the processor to calculate a message, based on a first cipher text, a second cipher text, and a private key, to compare a coefficient of the message with a reference value based on a prime number, to decide a coefficient of a modified message, based on a comparison result between the coefficient of the message and the reference value, and to decrypt the modified message.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: November 8, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Jeehyoung Lee
  • Patent number: 11489677
    Abstract: A Quantum Digital Signature (QDS)-based mail system and a transceiving method are provided. The system is a three-layer structure formed by a physical layer, a key layer, and an application layer. The physical layer is a key generation terminal and is used to generate a key string for signature in real time; the key layer is used to store the key string generated by the physical layer and provide a required key to the upper layer, namely, the application layer when required; and the application layer is a transceiving software part in the mail system, and is used to extract keys generated by the physical layer from the key layer so as to encrypt information to be sent. The mail transceiving method comprises: a quantum key distribution (QKD) phase, a mail signature phase, and a signature verification phase.
    Type: Grant
    Filed: January 6, 2020
    Date of Patent: November 1, 2022
    Assignee: Nanjing University of Posts and Telecommunications
    Inventors: Qin Wang, Chunhui Zhang, Jingyang Liu
  • Patent number: 11481513
    Abstract: Systems and processes for managing personal data are provided herein. Personal data associated with a data subject may be received or derived in association with a virtual identity of the data subject. The personal data may be stored, and identifying information that is linked to the personal data may be stored, where the identifying information is included in shadow data associated with the personal data. The identifying information may include a virtual identity identifier of the virtual identity, and, in some examples, a creation timestamp of the personal data. When a request to retrieve personal data for a data subject is received, shadow data storage may be searched to locate identifying information provided in the request, and personal data items linked to the located identifying information may be returned as a result of the request.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: October 25, 2022
    Assignee: SAP, SE
    Inventor: Benny Rolle
  • Patent number: 11483146
    Abstract: A technique for protecting a cryptographic key. A user has an identifier and an associated password. The first cryptographic key is designed to decrypt a piece of encrypted data. The user device generates a second cryptographic key by applying a key derivation algorithm to at least the password, then encrypts the first cryptographic key by applying an encryption algorithm parameterized by the second cryptographic key. The user device then provides the encryption of the first cryptographic key to a management device for storage. A response associated with a question is obtained from the user. The user device calculates a result of an application of a function to at least one response associated with a question, then provides a value dependent on the result to a management device for storage. The value then enables the user device to determine the password when it has the response to the corresponding question.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: October 25, 2022
    Assignee: ORANGE
    Inventors: Sebastien Canard, Nicolas Desmoulins, Marie Paindavoine
  • Patent number: 11468435
    Abstract: In a blockchain network, a “cold wallet” allows users to securely create and store their private key and sign their transaction data only when the wallet is completely offline. When a user requests a transaction, a user key tag that identifies the user's key is determined. The transaction data and the user's key tag are transmitted to a cold wallet that includes an HSM Trusted Client and an HSM over a first one-way communication channel during a window in a first sequence of connection windows. Inside the cold wallet, the HSM Trusted Client uses the user key tag to determine an encrypted version of the user's signing key. During a processing window, the transaction data and encrypted signing key are transmitted to the HSM, where a cleartext key is recovered and used to sign the transaction, and the signed transaction is transmitted back to the HSM Trusted Client. During a second connection window, the signed transaction is transmitted from the HSM Trusted Client for transmission to the blockchain network.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: October 11, 2022
    Assignee: Blockchain Innovation, LLC
    Inventors: Liang Cheng, Atul Patil, Austin Trombley