Patents Examined by Darshan I Dhruv
  • Patent number: 11374975
    Abstract: A method and a system for integrating post quantum cryptographic algorithms into TLS. The method includes transmitting a client hello message to a server including a request for post quantum cryptographic (PQC) mode of operation and a PQC public client key, receiving a server hello message from the server in response to the client hello message including a PQC server key exchange generated from the PQC public client key. The method includes determining the server hello message includes an authorization to operate the PQC mode of operation. The method also includes transmitting a second client hello message to the server including a PQC encrypted client key share. The PQC encrypted client key share is encrypted using a client encryption key. The method includes receiving a second server hello message that includes a PQC encrypted server key share and decrypting the PQC encrypted server key share using a server encryption key.
    Type: Grant
    Filed: July 2, 2020
    Date of Patent: June 28, 2022
    Assignee: International Business Machines Corporation
    Inventors: Michael W. Gray, Narayana Aditya Madineni, Simon D. McMahon, Matthew Green, Leigh S. McLean, Peter T. Waltenberg
  • Patent number: 11374760
    Abstract: A system manages access to an asset using a separate physical cryptographically-secure key device. A memory stores a public key as an unalterable record. An access configuration controller reads the public key from the memory to control the access to the asset. The public key is cryptographically paired with a private key securely recorded in the separate physical cryptographically-secure key device. The access configuration controller receives an access control change instruction signed by the private key and verifies a valid signing of the access control change instruction by the private key using the public key read from the memory. A storage system secured by the access configuration controller stores access authorization records managing access to the asset. The access configuration controller alters access authorization records according to the access control change instruction, responsive to verification of the valid signing of the access control change instruction.
    Type: Grant
    Filed: September 13, 2017
    Date of Patent: June 28, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, David Thaler, Torsten Stein
  • Patent number: 11374750
    Abstract: A computing system comprising: processor(s) and memory; at least one network interface communicatively coupled to the at least one processor and configured to communicate with at least one remotely located computing device; wherein the at least one network interface is configured to receive a plurality of public encryption keys from the at least one remotely located computing device; wherein the at least one processor is configured to: split at least one secret into a plurality of shares, wherein at least a subset of the plurality of shares is sufficient to reconstruct the at least one secret; encrypt each of the plurality of shares based on a different public encryption key of the plurality of public encryption keys to create a plurality of encrypted shares; wherein the at least one network interface is configured to communicate the encrypted shares to the at least one remotely located computing device.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: June 28, 2022
    Assignee: tZERO IP, LLC
    Inventors: Jonathan Dolan, Michael D. Ornelas, Kevin Hartley, Pengyu Chen, Juston Johnson
  • Patent number: 11368308
    Abstract: Techniques of authenticating a first device of a user to a second device are disclosed. The method enables the second device to perform authentication using a biometric template stored on the first device and a biometric measurement. Homomorphic encryption may be used by the first device to encrypt the biometric template and the second device to determine an encrypted similarity metric between the biometric template and the biometric measurement. The second device can also determine an encrypted code using an authentication function and the encrypted similarity metric. The second device sends the encrypted code and the encrypted similarity metric to be decrypted by the first device. The second device can receive a response from the first device, indicating whether a decrypted similarity metric exceeds a threshold; and whether the decrypted code matches a test code. The second device can then authenticate the user based on the response.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: June 21, 2022
    Assignee: Visa International Service Association
    Inventors: Payman Mohassel, Shashank Agrawal, Pratyay Mukherjee, Saikrishna Badrinarayanan
  • Patent number: 11366929
    Abstract: An electronic device according to an embodiment includes: a memory configured to store encryption information, a processor, and a switch configured to electrically disconnect the processor from the memory in a first state and to electrically connect the processor and the memory in a second state. The processor is configured to receive a user input for switching the switch from the first state to the second state, provide the encryption information stored in the memory to a secure application executing only in a second execution environment through a secure operating system of the second execution environment, when the switch is switched from the first state to the second state to generate an electrical path between the memory and the processor, acquire signature information for a transaction based on the encryption information, and provide the signature information acquired based on the encryption information to a signature request application.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: June 21, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Sunghyuk Lee
  • Patent number: 11354410
    Abstract: There is described a method of protecting an item of software so as to obfuscate a condition which causes a variation in control flow through a portion of the item of software dependent on whether the condition is satisfied, wherein satisfaction of the condition is based on evaluation of one or more condition variables. The method comprises: (i) modifying the item of software such that the control flow through said portion is not dependent on whether the condition is satisfied; and (ii) inserting a plurality of identity transformations into expressions in said portion of the modified item of software, wherein the identity transformations are defined and inserted such that, in the absence of tampering, they maintain the results of the expressions if the condition is satisfied and such that they alter the results of the expressions if the condition is not satisfied, wherein each identity transformation is directly or indirectly dependent on at least one of the one or more condition variables.
    Type: Grant
    Filed: March 30, 2015
    Date of Patent: June 7, 2022
    Assignee: IRDETO B.V.
    Inventors: Yuan Xiang Gu, Harold Johnson
  • Patent number: 11354439
    Abstract: Aspects include receiving a request from a user to access data that was acquired by a third-party from a data owner, the data in an encrypted format unreadable by the user. In response to receiving the request from the user to access the data, a third-party key from the third-party is requested and a data owner key from the data owner is requested. The third-party key and the data owner key are applied to the data in the encrypted format to generate the data in an unencrypted format readable by the user. The user is provided with access to the data in the unencrypted format.
    Type: Grant
    Filed: June 3, 2020
    Date of Patent: June 7, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Anthony Thomas Sofia, Michael Joseph Jordan
  • Patent number: 11356249
    Abstract: A method for regulating modification of a distributed digital ledger at a node comprises controlling access to a cryptographic key used to enable modification of the distributed digital ledger according to a policy maintained by at least one owner of the distributed digital ledger.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: June 7, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Helen Balinsky, Chris Dalton, Joshua Serratelli Schiffman
  • Patent number: 11343089
    Abstract: A cryptography system for the protection of data in transit using a post-quantum encryption key management system that eliminates the need for PKI or other asymmetric key management systems used in today's solutions, while allowing encryption of data in transit with no hands-on management including configuration of routers, switches, etc. The present system includes a multi-factor post-quantum key management mechanism that strengthens existing symmetric encryption systems and industry standard key generators on existing hardware through the post-quantum age.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: May 24, 2022
    Assignee: Tunnel VUE Inc.
    Inventor: Nicholas Ross Edwards
  • Patent number: 11336458
    Abstract: Software applications to be installed on user devices are monitored. Authenticity of the applications is evaluated using trust factors. In some cases, the trust factors relate to security associated with a network being accessed by a user device. In response to the evaluation, an action is performed such as configuring or disabling execution of one or more components of an application.
    Type: Grant
    Filed: August 5, 2019
    Date of Patent: May 17, 2022
    Assignee: Lookout, Inc.
    Inventors: Kevin Patrick Mahaffey, Timothy Micheal Wyatt, Daniel Lee Evans, Emil Barker Ong, Timothy Strazzere, Matthew John Joseph LaMantia, Brian James Buck
  • Patent number: 11336659
    Abstract: This disclosure is directed to monitoring a crypto-partitioned, or cipher-text, wide-area network (WAN). A first computing device may be situated in a plain-text portion of a first enclave behind a first inline network encryptor (INE). A second device may be positioned in a plain-text portion of a second enclave behind a second INE. The two enclaves may be separated by a cipher-text WAN, over which the two enclaves may communicate. The first computing device may receive a data packet from the second computing device. The first computing device may then determine contents of a header of the data packet. The first computing device may, based at least in part on the contents of the header of the data packet, determine a status of the cipher-text WAN.
    Type: Grant
    Filed: April 23, 2020
    Date of Patent: May 17, 2022
    Assignee: Architecture Technology Corporation
    Inventors: Ranga Ramanujan, Benjamin L. Burnett
  • Patent number: 11323255
    Abstract: Disclosed are methods and systems to encrypt/decrypt a data message using Geometric Algebra and Hensel encoding (i.e., finite p-adic arithmetic). The security key(s), message data, and ciphertext are all represented as Geometric Algebra multivectors where a sum of the coefficients of an individual multivector is equal to the numeric value of the corresponding message or security key. Various Geometric Algebra operations with the message and security key multivectors act to encrypt/decrypt the message data. Each coefficient of the security key and message multivectors is further Hensel encoded to provide additional confusion/diffusion for the encrypted values. The Geometric Algebra operations permit homomorphic operations for adding, subtracting, multiplication and division of ciphertext multivectors such that the resulting ciphertext, when decrypted, is equal to corresponding mathematical operations using the unencrypted values.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: May 3, 2022
    Assignee: X-Logos, LLC
    Inventors: David W. Honorio Araujo da Silva, Carlos A. Paz de Araujo, Hanes Barbosa Marques de Oliveira, Bryan S. Sosa Barillas
  • Patent number: 11321487
    Abstract: An approach is provided for obscuring an individual likeness in a digital image based on a privacy policy. The approach identifies an individual whose likeness appears in a digital image taken by a digital camera with the digital image being stored. A determination is made, based on a privacy policy pertaining to the identified individual, whether to obscure the first individual's likeness in the digital image. Responsive to the determination being positive, the approach obscures the individual's likeness as it appears in the digital image.
    Type: Grant
    Filed: August 23, 2019
    Date of Patent: May 3, 2022
    Assignee: International Business Machines Corporation
    Inventors: Shikhar Kwatra, Adam Lee Griffin, Eric Jeffery, Mariya Ali
  • Patent number: 11310230
    Abstract: Systems, computer products, and methods are described herein for improved authentication utilizing two factor authentication of a user. The two factors include a verified identification and a liveness identification. The verified identification may be a governmental verified identification, and the liveness identification may be a video of the user. The user may capture the verified identification and the liveness identification using the user's mobile device. The organization may authenticate the user by identifying the user from the verified identification image and identifying that the user is active by identifying movement from the liveness identification image. Additional authentication may include requiring and/or identifying an identifier from the liveness identification image (e.g., movement, object, characters, or the like), and/or capture image data related to a time or a location at which the images were captured.
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: April 19, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Matthew Joseph Wallace, Kerry Michelle Cantley, Greg M. Correro, Jeantou Alphonse DeGrammont, Michael Lee Funk, Glenn Edward Hupfer, Murali Sampath, Donna Lynne Shannon
  • Patent number: 11301555
    Abstract: A system for creating authenticating a user from user information, hardware profile, and combinations thereof, where the hardware profile includes user generated data stored on an electronic device.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: April 12, 2022
    Assignee: Traitware, Inc.
    Inventors: Herbert W. Spencer, III, Christopher M. Canfield, Harlan Hutson, Vince Conroy, Steven A. Hickerson
  • Patent number: 11283591
    Abstract: Multiple systems may determine neural-network output data and neural-network parameter data and may transmit the data therebetween to train and run the neural-network model to predict an event given input data. A data-provider system may perform a dot-product operation using encrypted data, and a secure-processing component may decrypt and process that data using an activation function to predict an event. Multiple secure-processing components may be used to perform a multiplication operation using homomorphic encrypted data.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: March 22, 2022
    Assignee: Via Science, Inc.
    Inventors: Kai Chung Cheung, Mathew Rogers, Jeremy Taylor
  • Patent number: 11283633
    Abstract: Systems and methods for secure communication between devices where one device has a physical unclonable function (“PUF”) array of PUF devices and another device stores data representing characteristics of the PUF array include encryption schemes using repeated application of one-way cryptographic functions to message segments. The devices transmit or receive a processing instruction used to determine PUF devices whose measured characteristics are used to derive encryption keys. Messages are segmented and message information is securely transmitted by repeated application of a suitable one-way cryptographic function to each message segment where the number of applications of the function is determined by each message segment.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: March 22, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand F Cambou
  • Patent number: 11271739
    Abstract: A system, method, and computer program product are provided for sending and receiving messages using a noisy cryptographic system. To send a message, N secret keys are negotiated using a noisy cryptographic system, where K secret keys are expected to be noiseless. A secret polynomial that includes the N secret keys is generated, and K points on the secret polynomial are derived. For each of the N secret keys, a secret key MAC key is derived and a secret key MAC is calculated using the derived secret key MAC key. A secret key MAC header is generated that includes an array of each of the secret key MACs and possibly a corresponding public key. Message integrity plaintext is generated that includes an encrypted message, the secret key MAC header, and an array of the K points on the secret polynomial. A final message that includes the message integrity plaintext is generated for being sent.
    Type: Grant
    Filed: June 25, 2020
    Date of Patent: March 8, 2022
    Assignee: DIGITAL 14 LLC
    Inventors: Alexander Sherkin, Milap Sheth
  • Patent number: 11263298
    Abstract: A method of maintaining ongoing authentication of a user of an application without the need to enter and re-enter a username and a corresponding password for each session initiated between a client side application residing on a client side platform and a server; and wherein the password is not stored on the server; the method comprising utilising an unbroken chain of one-time pass codes; each pass code in the chain being unique to the username and client side application; each pass code renewed periodically and preferably at least once during each said session.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: March 1, 2022
    Assignee: HAVENTEC PTY LTD
    Inventor: Ric B. Richardson
  • Patent number: 11259180
    Abstract: Example routing systems and methods are described. In one implementation, a first set of routing systems is interfaced with a network connection via a network interface. A second set of routing systems interfaced with a secure system is configured to receive information from the first set of routing systems via a first unidirectional data channel. In some embodiments, the first set of routing systems is configured to receive information from the second set of routing systems via a second unidirectional data channel. The secure system is not visible from the network interface.
    Type: Grant
    Filed: November 25, 2019
    Date of Patent: February 22, 2022
    Assignee: VM-ROBOT, INC.
    Inventors: Alistair Black, Ashitosh Swarup