Abstract: A blockchain configuration may be used to store a distributed ledger for information security and accessibility. One example method of operation may include determining a proof-of-work via a device and using a predefined set of nonce values when determining the proof-of-work, storing the proof-of-work on a blockchain, and broadcasting the proof-of-work as a broadcast message.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing service execution. One of the methods includes receiving a service request sent by a user by a service device. The service device determines a service execution policy that matches the service request based on a predetermined data analysis model and the service request by performing data analysis on a first-type blockchain transaction in a blockchain of each first-type blockchain network of at least two first-type blockchain networks. A service is executed by the service device for the service request based on the service execution policy.

Abstract: A cryptographic circuit performs a substitution operation of a cryptographic algorithm. For each substitution operation of the cryptographic algorithm, a series of substitution operations are performed by the cryptographic circuit. One of the substitution operations of the series is a real substitution operation corresponding to the substitution operation of the cryptographic algorithm. One or more other substitution operations of the series are dummy substitution operations. A position of the real substitution operation in said series is selected randomly.

Abstract: Systems and methods for encrypted processing are provided. For example, an apparatus for encrypted processing includes: an input interface adapted to receive input from a device; an encrypted processor connected to the input interface; a program store control connected to the encrypted processor, the program store control controlling use of and access to at least two program stores, where at least one program store acts as a primary program store and at least one program store acts as a back-up program store; and an output interface connected to the encrypted processor for outputting at least one of commands or data; where the encrypted processor is programmed to: receive and validate a request; determine whether a valid request is a program update request for a first program; and initiate a lock mechanism into a locked state.

Abstract: Systems and methods are described that use cryptographic techniques to improve the security of applications executing in a potentially untrusted environment associated with a software application. Embodiments of the disclosed systems and methods may, among other things, facilitate cryptographic operations within an execution environment associated with browser software of a client system while maintaining security of cryptographic keys imported into the environment. As the security of keys is maintained in an execution environment implementing embodiments of the disclosed systems and methods, users and/or systems may be more willing to consign their keys for use in connection with cryptographic operations performed in such environments.

Abstract: Methods, systems, and computer programs are presented for managing electronic devices with autonomous wireless authentication. In one example, the security system includes one or more computer processors, a memory, and a communication channel configured to be coupled to an electronic system. The security system further includes a radio frequency (RF) transceiver configured to receive user-authentication information from a wireless device, and an authentication subsystem for authenticating a user. The authentication subsystem enables the use of the electronic system based on the received user-authentication information. Further, the authentication subsystem sends, over the communication channel, an enable command to the electronic system after the user is authenticated, and the electronic system is not operable until the enable command is received.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system for providing quality of service (QoS) levels to clients requesting certificates from a certificate management service is provided. The system includes an application programming interface (API) operable to receive certificate requests from each of a plurality of clients, each certificate request including a client identifier, a QoS manager operable to distribute the certificate requests to a corresponding client queue of a plurality of client queues based on the client identifier, select, based on at least one of a workflow and a client priority level, one or more of the certificate requests distributed to the plurality of client queues, and transmit the selected one or more certificate requests to a QoS queue of the certificate management service for processing.

Abstract: Systems and methods for performing migration may include receiving, by a server computing system, a request to access a data element from a second data store, the data element having been migrated to the second data store from a first data store; accessing, by the server computing system, the data element from the second data store and its counterpart data element from the first data store; and based on the data element from the second data store being different from the counterpart data element from the first data store, responding, by the server computing system, to the request by providing the counterpart data element from the first data store instead of the data element from the second data store.

Abstract: Systems, methods, and computer-readable media for providing standards compliant encryption, storage, and retrieval of data are disclosed. In an embodiment, data is received at a first data center from a first device in connection with a service request and encrypted to produce encrypted data. The encrypted data may be transmitted from the first data center to the first device, and then may subsequently be received at a second data center. The second data center may store the encrypted data in a database accessible to the second data center. Because all data provided to the system is encrypted by the first data center prior to being stored and/or provided to the second data center, the database and the second data center may be out of the scope of compliance monitoring, auditing, and reporting for one or more data security standards.

Abstract: A data security system, and a method of operation thereof, includes a data security transceiver or receiver; an authentication subsystem operatively connected to the data security transceiver or receiver; and a storage subsystem connected to the authentication subsystem.

Abstract: A method, system and apparatus for authenticating target recipients for digital certificates. A certificate authority authentication system receives a request from an entity for a digital certificate including untrusted certificate validation data. The authentication system initiates a communication link using to untrusted certificate validation data to generate verified untrusted certificate validation data. Subsequently or concurrently, the system obtains, from a confirmation computing system, trusted certificate validation data. The authentication system compares the verified untrusted certificate validation data with the trusted certificate validation data and, based on the comparison, authenticates the entity and issues the requested digital certificate.

Abstract: A data set shared by multiple nodes is encrypted. The data set can be split into independent records. The records can be encrypted and shared independently, without the need to modify and transmit the full data set. Although the records are encrypted with their own encryption key, they are all accessible by a single authentication method.

Abstract: Improved systems and methods for automated machine-learning, zero-day malware detection. Embodiments include a system and method for detecting malware using multi-stage file-typing and, optionally pre-processing, with fall-through options.

Abstract: Systems and methods for managing network security for a plurality of networks. Each of the networks comprises one or more networked devices, and each of the networks includes one or more security devices configured to monitor data traffic into and out of the networks. Abstracted access rules are created to define access between the networked devices. Each of the access rules are compiled into a security rule that uses object definitions of the networked devices to define access between the networked devices. The security rules are compiled and transmitted to the security devices for implementation.

Abstract: A computer system and methods for securing files in a file system with storage resources accessible to an authenticable user using an untrusted client device in a semi-trusted client threat model. Each file is secured in the file system in one or more ciphertext blocks along with the file metadata. Each file is assigned a unique file key FK to encrypt the file. A wrapping key WK assigned to the file is used for encrypting the file key FK to produce a wrapped file key WFK. A key manager is in charge of generating and storing keys. The file is encrypted block by block to produce corresponding ciphertext blocks and corresponding authentication tags. The authentication tags are stored in the file metadata, along with an ID of the wrapping key WK, wrapped file key WFK, last key rotation time, an Access Control List (ACL), etc. The integrity of ciphertext blocks is ensured by authentication tags and the integrity of the metadata is ensured by a message authentication code (MAC).

Abstract: An information processing apparatus includes a memory, a request unit, an authenticating unit, and a determination unit. The memory stores authentication information for performing user authentication. When authentication information of a user who is a target of the user authentication is not stored in the memory, the request unit requests the authentication information from a different information processing apparatus. The authenticating unit performs the user authentication by using the authentication information stored in the memory or obtained from the different apparatus in response to the request from the request unit. The determination unit determines whether the apparatus or the different apparatus is to store the authentication information. When the authentication information is not stored in the apparatus, if it is determined that the apparatus is to store the authentication information, the memory stores the authentication information obtained in response to the request from the request unit.

Abstract: A cryptographic ASIC and method for autonomously storing a unique internal identifier into a one-time programmable memory in isolation, by a foundry or a user. When later powered on, the ASIC calculates the value of the unique internal identifier from a predetermined input and compares the calculated identifier value to the stored identifier value. A match indicates the stored value is valid, while a mismatch indicates the stored value is invalid, whether due to natural memory component aging or damage by unauthorized access attempts. The ASIC may compare the calculated identifier to another copy or copies of the stored identifier, and disregard unreliable copies of the stored identifier. The ASIC may compare multiple copies of the stored identifier in a voting scheme to determine their validity. The confirmed valid lifetime of the ASIC thus extends far beyond the useful lifetime of a single copy of the stored identifier.

Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.

Abstract: A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree. The first device then sends the validator to the second device.