Patents Examined by Darshan I Dhruv
  • Patent number: 11481513
    Abstract: Systems and processes for managing personal data are provided herein. Personal data associated with a data subject may be received or derived in association with a virtual identity of the data subject. The personal data may be stored, and identifying information that is linked to the personal data may be stored, where the identifying information is included in shadow data associated with the personal data. The identifying information may include a virtual identity identifier of the virtual identity, and, in some examples, a creation timestamp of the personal data. When a request to retrieve personal data for a data subject is received, shadow data storage may be searched to locate identifying information provided in the request, and personal data items linked to the located identifying information may be returned as a result of the request.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: October 25, 2022
    Assignee: SAP, SE
    Inventor: Benny Rolle
  • Patent number: 11483146
    Abstract: A technique for protecting a cryptographic key. A user has an identifier and an associated password. The first cryptographic key is designed to decrypt a piece of encrypted data. The user device generates a second cryptographic key by applying a key derivation algorithm to at least the password, then encrypts the first cryptographic key by applying an encryption algorithm parameterized by the second cryptographic key. The user device then provides the encryption of the first cryptographic key to a management device for storage. A response associated with a question is obtained from the user. The user device calculates a result of an application of a function to at least one response associated with a question, then provides a value dependent on the result to a management device for storage. The value then enables the user device to determine the password when it has the response to the corresponding question.
    Type: Grant
    Filed: December 12, 2018
    Date of Patent: October 25, 2022
    Assignee: ORANGE
    Inventors: Sebastien Canard, Nicolas Desmoulins, Marie Paindavoine
  • Patent number: 11468435
    Abstract: In a blockchain network, a “cold wallet” allows users to securely create and store their private key and sign their transaction data only when the wallet is completely offline. When a user requests a transaction, a user key tag that identifies the user's key is determined. The transaction data and the user's key tag are transmitted to a cold wallet that includes an HSM Trusted Client and an HSM over a first one-way communication channel during a window in a first sequence of connection windows. Inside the cold wallet, the HSM Trusted Client uses the user key tag to determine an encrypted version of the user's signing key. During a processing window, the transaction data and encrypted signing key are transmitted to the HSM, where a cleartext key is recovered and used to sign the transaction, and the signed transaction is transmitted back to the HSM Trusted Client. During a second connection window, the signed transaction is transmitted from the HSM Trusted Client for transmission to the blockchain network.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: October 11, 2022
    Assignee: Blockchain Innovation, LLC
    Inventors: Liang Cheng, Atul Patil, Austin Trombley
  • Patent number: 11461565
    Abstract: An air-gapped system enables the secure transfer and control of digital assets, such as those associated with crypto-currency. The system includes an Integration Server for receiving requests from an application interface, a Central Control Center for verifying the requests received and authorizing the requests using digital signatures, and multiple Distributed Data Centers, each including a cold Data Center Hardware Security Module (DC HSM). These DC HSMs securely store and manage cryptographic keys. Each Data Center also includes an offline Processing Unit coupling its DC HSM to a dedicated Remote Controlled Server. The Remote Controlled Server receives requests from the Integration Server and forwards them to the Processing Unit of a DC HSM using a Near-Field Communication (NFC) Interface between the two. Preferably, the NFC interface is physically shielded to resist side channel attacks.
    Type: Grant
    Filed: January 2, 2020
    Date of Patent: October 4, 2022
    Assignee: Blockchain Innovation, LLC
    Inventors: Atul Patil, Austin Trombley
  • Patent number: 11456869
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, devices, and processes that securely manage transfers of digital assets between computing devices using permissioned distributed ledgers. By way of example, an apparatus may receive, from a first device, a request to transfer a digital asset to a second device and a first digital signature applied to the request. Based on a validation of the first digital signature, the apparatus may approve the request and apply a second digital signature to the request and the first digital signature indicative of the approval of the request by the apparatus. The apparatus may also transmit the request, the first digital signature, and the second digital signature to a computing system, which may validate the first and second digital signatures and perform operations that record the first public key and asset data identifying the digital asset within at least one element of a distributed ledger.
    Type: Grant
    Filed: December 16, 2019
    Date of Patent: September 27, 2022
    Assignee: The Toronto-Dominion Bank
    Inventors: Alexey Shpurov, Albert Louis Rothenstein, Adrian Chung-Hey Ma, Buturab Rizvi, Alexandra Tsourkis, Francis James Alexander Guttridge
  • Patent number: 11450238
    Abstract: A transformation key generation apparatus has key generation means for receiving a decryption key sk_s of a first public key encryption scheme Σ_s and a public key pk_d of a second public key encryption scheme Σ_d, and generating a transformation key utk_{s→d} for transforming first ciphertext ct_s of the first public key encryption scheme Σ_s into second ciphertext tct of the second public key encryption scheme Σ_d by using a probabilistic circuit or function secret sharing.
    Type: Grant
    Filed: April 25, 2019
    Date of Patent: September 20, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Ryo Nishimaki
  • Patent number: 11443240
    Abstract: Herein are techniques for domain adaptation of a machine learning (ML) model. These techniques impose differential privacy onto federated learning by the ML model. In an embodiment, each of many client devices receives, from a server, coefficients of a general ML model. For respective new data point(s), each client device operates as follows. Based on the new data point(s), a respective private ML model is trained. Based on the new data point(s), respective gradients are calculated for the coefficients of the general ML model. Random noise is added to the gradients to generate respective noisy gradients. A combined inference may be generated based on: the private ML model, the general ML model, and one of the new data point(s). The noisy gradients are sent to the server. The server adjusts the general ML model based on the noisy gradients from the client devices. This client/server process may be repeated indefinitely.
    Type: Grant
    Filed: March 25, 2020
    Date of Patent: September 13, 2022
    Assignee: Oracle International Corporation
    Inventors: Daniel Peterson, Pallika Haridas Kanani, Virendra J. Marathe
  • Patent number: 11444786
    Abstract: Embodiments describe apparatuses, systems, and methods for analyzing digital certificates. A system may scan the internet to identify all publicly available digital certificates. The system may further determine external information for individual digital certificates that is not found within the digital certificate. The system may store the external information and internal information that is found within the digital certificates. The system may run one or more queries on the stored information to identify one or more vulnerable digital certificates among a set of digital certificates associated with a client. For example, the system may identify differences between the internal information and/or external information among the digital certificates of the set and/or may compare the internal information and/or external information for the digital certificates of the set to expected information. Other embodiments may be described and claimed.
    Type: Grant
    Filed: July 29, 2020
    Date of Patent: September 13, 2022
    Assignee: Vellitas LLC
    Inventors: Seth Martin Shearer, Spencer Vernon Shearer
  • Patent number: 11418331
    Abstract: Techniques are provided to import a cryptographic key into a key vault in which an application programming interface for the key vault does not support importing existing cryptographic keys into the key vault. A key management system obtains a cryptographic key from a first key vault. The cryptographic key includes a key value and attributes which describe the cryptographic key. The key management system imports the cryptographic key into a second key vault by generating a surrogate key in the second key vault which corresponds to the cryptographic key. The surrogate key includes a key attribute having a value which corresponds to the key value of the cryptographic key.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: August 16, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Sridhar Villapakkam, Ajit Bhagwat
  • Patent number: 11411965
    Abstract: In one example aspect, a computerized method of automatically detecting and blocking at least one attack on an application includes the step of modifying instructions of the application to include at least one sensor. The at least one sensor generates a set of events related to detecting an attack on the application or a computing system implementing the application. The method includes the step of reviewing, from within the application, the set of events generated by the at least one sensor. The method includes the step of detecting a presence of at least one attack on the application based on the review of the set of events. The method includes the step of invoking an attack response action.
    Type: Grant
    Filed: October 15, 2016
    Date of Patent: August 9, 2022
    Inventors: Jeffrey Williams, Arshan Dabirsiaghi
  • Patent number: 11411995
    Abstract: Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.
    Type: Grant
    Filed: August 2, 2020
    Date of Patent: August 9, 2022
    Assignee: NICIRA, INC.
    Inventors: Amit Chopra, Uday Masurekar
  • Patent number: 11403403
    Abstract: A secure processing engine and method configured to protect a computing system are provided. The system includes a first processor configured to provide real-time protection to at least processes executed over the main processor of the protected computing system; and a direct memory access (DMA) configured to provide an access to a main memory of the main processor, wherein the first processor is coupled to the DMA and further configured to monitor the at least processes by accessing the main memory via the DMA; wherein the first processor operates in an execution environment in complete isolation from an execution environment of the main processor.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: August 2, 2022
    Assignee: KAMELEONSEC LTD.
    Inventors: Yigal Edery, Jorge Myszne, Efi Sasson, Ido Naishtein
  • Patent number: 11405373
    Abstract: A blockchain-based network arrangement includes member nodes joined by a multicast network including a trusted node configured for creating at least one cryptographic key and for distributing copies of the cryptographic key over the multicast network as a multicast blockchain transmission to other member nodes. A requesting node outside the member nodes is configured for initiating a smart contract containing its blockchain address and for sending the smart contract as a request for group access with an address of the trusted node. The trusted node is configured for receiving the smart contract, decides to accept or reject the smart contract, and records the decision in the blockchain by updating the smart contract. An accept decision results in a member node sending the cryptographic key to the requesting node.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: August 2, 2022
    Assignee: Honeywell International, Inc.
    Inventors: Kevin McMurdie, Brian Polcyn, Ganesh P. Gadhe
  • Patent number: 11405184
    Abstract: A wearable computing device is provided that comprises one or more environmental sensors, one or more positioning sensors, and a communication interface. In some embodiments, the wearable computing device is configured to activate at least one environmental sensor of the one or more environmental sensors to obtain at least one environmental condition value; activate at least one positioning sensor of the one or more positioning sensors to determine a position of the wearable computing device; activate the communication interface; and transmit the at least one environmental condition value and the position for storage in a blockchain storage system.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: August 2, 2022
    Assignee: L'Oreal
    Inventor: David Kosecoff
  • Patent number: 11392686
    Abstract: Systems, methods, and software can be used to detect stack cookie utilization in a binary software component using binary static analysis. In some aspects, one computer-implemented method includes identifying a function defined in the binary software component, the function including one or more instructions; performing a binary static analysis of the function to determine whether the function utilizes stack cookie protection based on the one or more instructions including one or more stack cookie handling instructions; and in response to determining that the function utilizes stack cookie protection, updating a security report for the binary software component to indicate that the function utilizes stack cookie protection.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: July 19, 2022
    Assignee: BlackBerry Limited
    Inventor: Adam John Boulton
  • Patent number: 11392615
    Abstract: A computer-automated method for securing unidirectional communication within a network. The method includes orchestrating an automated arrangement and/or coordination of at least one portion of a message using a top level orchestration server, transmitting a first data packet from the top level orchestration server to a first top level backbone server, wherein the first data packet is a first portion of the message, and authenticating the first data packet using the first top level backbone server. The method can include transmitting a second data packet from the first top level backbone server to a second top level backbone server, wherein the second data packet is a second portion of the message and/or the second data packet includes a modified first data packet, and authenticating the second data packet using the second top level backbone server.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: July 19, 2022
    Assignee: BOOZ ALLEN HAMILTON, INC.
    Inventors: Evan Montgomery-Recht, James J. Ter Beest
  • Patent number: 11388588
    Abstract: Various communication systems may benefit from an improved signaling protocol. For example, machine-to-machine communications in a network may benefit from improved signaling and security. A method includes establishing a secure data transmission path for an application. The secure data transmission path is used to transmit data between a user equipment and a network element. The network entity includes a gateway or an application server. The method also includes transmitting data for the application over the secure data transmission path using a pre-configured radio bearer. The radio bearer is pre-configured for data transmission between the user equipment and an access node located between the user equipment and the network element. In addition, the method includes receiving a response message at the user equipment from the network element through the secure data transmission path.
    Type: Grant
    Filed: May 13, 2016
    Date of Patent: July 12, 2022
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Devaki Chandramouli, Rainer Liebhart
  • Patent number: 11379616
    Abstract: A system and method for providing anonymous validation of a query among a plurality of nodes in a network: receives at a support node a query from a requester node; wherein the query comprises a one-way function representation of at least one data point of information of the requester node; receives at the support server, from at least one validator node, a one-way function representation of at least one data point of information of the validator node; compares by the support server the query from the requestor node with the one-way function representation of the at least one data point of information; determines by an aggregator server, based on the comparison, whether the at least one data point of information of the requester node matches the at least one data point of information of the at least one validator node; and outputs a match result to the requestor node.
    Type: Grant
    Filed: March 23, 2020
    Date of Patent: July 5, 2022
    Assignee: IDENTIQ PROTOCOL LTD.
    Inventors: Itay Levy, Uri Arad
  • Patent number: 11374742
    Abstract: A key acquisition unit (411) acquires a decryption key sk_i in a pair of a conversion source and a public key pk_j in a pair of a conversion target, out of a plurality of pairs of a decryption key and a public key. A conversion key generation unit (412) encrypts the decryption key sk_i acquired by the key acquisition unit (411) with the public key pk_j, so as to generate a conversion key rk_{i→j} for converting a ciphertext encrypted with a public key pk_i in the pair of the conversion source into a converted ciphertext that can be decrypted with a decryption key sk_j in the pair of the conversion target. An output unit (413) outputs the conversion key rk_{i→j} generated by the conversion key generation unit (412).
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: June 28, 2022
    Assignee: Mitsubishi Electric Corporation
    Inventors: Satoshi Yasuda, Yoshihiro Koseki, Yutaka Kawai, Ryo Hiromasa
  • Patent number: 11374740
    Abstract: A bus-based communication system may include a communication bus connecting a plurality of nodes. A first node, of the plurality of nodes, may receive a first message on the communication bus, the first message having been broadcast on the communication bus by a second node of the plurality of nodes. The first message may include a modular exponentiation associated with a private key of the second node. The first node may compute a shared secret key, associated with the plurality of nodes, based at least in part on the modular exponentiation and a private key of the first node.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: June 28, 2022
    Assignee: Infineon Technologies AG
    Inventors: Alexander Zeh, Anjana Ramamoorthy