Abstract: Techniques for securing user sessions using a time-based one-time password (TOTP) generated from a shared secret. The shared secret can be a cryptographic hash of one or more user credentials. In response to a successful authentication based on the user credential(s), a session is created. The authentication is performed in connection with an initial access request from a client application. A subsequent access request for a protected resource during the session is processed by extracting a session cookie and a TOTP and generating a corresponding TOTP using the shared secret. The TOTP can be generated by combining the shared secret with one or more additional parameters such as a Uniform Resource Locator associated with the resource, or the session cookie. Access to the protected resource is conditioned upon the session, which is identified by the session cookie, being valid and upon the TOTPs matching.

Abstract: Systems and methods for conducting convenient and secure mobile transactions between a payment terminal and a mobile device, e.g., in a fueling environment, are disclosed herein. In some embodiments, the payment terminal and the mobile device conduct a mutual authentication process that, if successful, produces a session key which can be used to encrypt sensitive data to be exchanged between the payment terminal and the mobile device. Payment and loyalty information can be securely communicated from the mobile device to the payment terminal using the session key. This can be done automatically, without waiting for the user to initiate a transaction, to shorten the overall transaction time. The transaction can also be completed without any user interaction with the mobile device, increasing the user's convenience since the mobile device can be left in the user's pocket, purse, vehicle, etc.

Abstract: An apparatus and method for determining a source of an unauthorized copy of speech signals in a conference call session. A conference bridge receives a speech signal during a conference call session with a plurality of end user devices attending. The conference bridge provides one or more dynamic, end user specific watermarks corresponding to the one or more end user devices. Each watermark is adjusted based on characteristics of the speech signal to make the watermark imperceptible to a human being. The speech signal is then embedded with the adjusted watermark in real time to generate a modified speech signal.

Abstract: A method for enhancing rapid data analysis includes receiving a set of data; storing the set of data in a first set of data shards sharded by a first field; and identifying anomalous data from the set of data by monitoring a range of shard indices associated with a first shard of the first set of data shards, detecting that the range of shard indices is smaller than an expected range by a threshold value, and identifying data of the first shard as anomalous data.

Abstract: The disclosure concerns implementing, by a cryptographic circuit, a set of substitution operations of a cryptographic process involving a plurality of substitution tables. For each set of substitution operations of the cryptographic process, a series of sets of substitution operations are performed. One set of the series is a real set of substitution operations corresponding to the set of substitution operations of the cryptographic process. One or more other sets are dummy sets of substitution operations, each dummy set being based on a different permutation of said substitution tables.

Abstract: A cryptographic circuit performs a substitution operation of a cryptographic algorithm based on a scrambled substitution table. For each set of one or more substitution operations of the cryptographic algorithm, the circuit performs a series of sets of one or more substitution operations of which: one is a real set of one or more substitution operations defined by the cryptographic algorithm, the real set of one or more substitution operations being based on input data modified by a real scrambling key; and one or more others are dummy sets of one or more substitution operations, each dummy set of one or more dummy substitution operations being based on input data modified by a different false scrambling key.

Abstract: In the disclosed transaction processing system, members of an authorized network of consumers and merchants manage account information using blockchain ledgers. Because both consumers and merchants maintain copies of the blockchain, for any consumer/merchant transaction, both entities can quickly validate the transaction because both are aware, via their blockchain entries, of the current status of the account sourcing the transaction, allowing fast and accurate transaction validation without the need to incur the processing charges inherent in traditional fiat currency credit transactions.

Abstract: Secure multi-party computations may be used to get attribution results without compromising user privacy. A content provider and an advertiser may each sign a calculation indicating that they wish to share data using a secure multi-party computation. A measurement company may sign the calculation indicating that the measurement company has evaluated the computation and that the computation will protect user privacy. A user device may confirm with the verification service that all parties have signed the calculation. The user device may transmit one-time identifiers to the measurement company, which allows impression data and conversion data stored by the content provider and the advertiser to be linked. The content provider, the advertiser, and the measurement company may perform the secure multi-party computation, which allows the advertiser to evaluate attribution results without accessing the user data stored by the content provider.

Abstract: An electronic device configured for retail display includes a persistent memory on which boot instructions are stored, a storage device on which security monitoring instructions are stored, and a processor configured to execute the boot instructions during a boot sequence to initiate execution of the security monitoring instructions. The processor is further configured, via the execution of the security monitoring instructions, to monitor the retail display of the electronic device for a security trigger event and, upon detection of the trigger event, lock a user interface of the electronic device.

Abstract: A system and associated methods provide digital identity and strong authentication management services for Internet users. The system includes a central, cloud-based, online service, referred to as a central service, which can manage user accounts. The system also includes dedicated, always-on, always-connected, cryptographically unique devices, referred to as beacons, located within the physical residences of its users. The central service associates each beacon with the residence address of its user by physically sending a unique address verification code by postal mail to the user's residence. The user presents the unique code to the beacon, and the beacon cryptographically confirms its identity and the unique code sent to the residence address back to the central service. The beacons can attest to users' identities and provide seamless strong authentication to third-party online service providers on behalf of those users.

Abstract: Methods, systems, and computer programs are presented for a self-encrypting device (SED) incorporated into a host system. In one example, the host system includes a memory, a processor, a data channel in communication with the memory and the processor, and the SED. The SED comprises an authentication subsystem, a storage subsystem that stores encrypted data that is encrypted with an encryption key provided by the authentication subsystem, a radio frequency (RF) transceiver, and a data interface in electrical contact with the data channel. The data interface is locked from sending and receiving data until the SED is unlocked by the authentication subsystem with user-authentication information received via the RF transceiver.

Abstract: A blockchain configuration may be used to store a distributed ledger for information security and accessibility. One example method of operation may include determining a proof-of-work via a device and using a predefined set of nonce values when determining the proof-of-work, storing the proof-of-work on a blockchain, and broadcasting the proof-of-work as a broadcast message.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for implementing service execution. One of the methods includes receiving a service request sent by a user by a service device. The service device determines a service execution policy that matches the service request based on a predetermined data analysis model and the service request by performing data analysis on a first-type blockchain transaction in a blockchain of each first-type blockchain network of at least two first-type blockchain networks. A service is executed by the service device for the service request based on the service execution policy.

Abstract: A cryptographic circuit performs a substitution operation of a cryptographic algorithm. For each substitution operation of the cryptographic algorithm, a series of substitution operations are performed by the cryptographic circuit. One of the substitution operations of the series is a real substitution operation corresponding to the substitution operation of the cryptographic algorithm. One or more other substitution operations of the series are dummy substitution operations. A position of the real substitution operation in said series is selected randomly.

Abstract: Systems and methods for encrypted processing are provided. For example, an apparatus for encrypted processing includes: an input interface adapted to receive input from a device; an encrypted processor connected to the input interface; a program store control connected to the encrypted processor, the program store control controlling use of and access to at least two program stores, where at least one program store acts as a primary program store and at least one program store acts as a back-up program store; and an output interface connected to the encrypted processor for outputting at least one of commands or data; where the encrypted processor is programmed to: receive and validate a request; determine whether a valid request is a program update request for a first program; and initiate a lock mechanism into a locked state.

Abstract: Systems and methods are described that use cryptographic techniques to improve the security of applications executing in a potentially untrusted environment associated with a software application. Embodiments of the disclosed systems and methods may, among other things, facilitate cryptographic operations within an execution environment associated with browser software of a client system while maintaining security of cryptographic keys imported into the environment. As the security of keys is maintained in an execution environment implementing embodiments of the disclosed systems and methods, users and/or systems may be more willing to consign their keys for use in connection with cryptographic operations performed in such environments.

Abstract: Methods, systems, and computer programs are presented for managing electronic devices with autonomous wireless authentication. In one example, the security system includes one or more computer processors, a memory, and a communication channel configured to be coupled to an electronic system. The security system further includes a radio frequency (RF) transceiver configured to receive user-authentication information from a wireless device, and an authentication subsystem for authenticating a user. The authentication subsystem enables the use of the electronic system based on the received user-authentication information. Further, the authentication subsystem sends, over the communication channel, an enable command to the electronic system after the user is authenticated, and the electronic system is not operable until the enable command is received.

Abstract: Techniques are described for metadata processing that can be used to encode an arbitrary number of security policies for code running on a processor. Metadata may be added to every word in the system and a metadata processing unit may be used that works in parallel with data flow to enforce an arbitrary set of policies. In one aspect, the metadata may be characterized as unbounded and software programmable to be applicable to a wide range of metadata processing policies. Techniques and policies have a wide range of uses including, for example, safety, security, and synchronization. Additionally, described are aspects and techniques in connection with metadata processing in an embodiment based on the RISC-V architecture.

Abstract: A system for providing quality of service (QoS) levels to clients requesting certificates from a certificate management service is provided. The system includes an application programming interface (API) operable to receive certificate requests from each of a plurality of clients, each certificate request including a client identifier, a QoS manager operable to distribute the certificate requests to a corresponding client queue of a plurality of client queues based on the client identifier, select, based on at least one of a workflow and a client priority level, one or more of the certificate requests distributed to the plurality of client queues, and transmit the selected one or more certificate requests to a QoS queue of the certificate management service for processing.

Abstract: Systems and methods for performing migration may include receiving, by a server computing system, a request to access a data element from a second data store, the data element having been migrated to the second data store from a first data store; accessing, by the server computing system, the data element from the second data store and its counterpart data element from the first data store; and based on the data element from the second data store being different from the counterpart data element from the first data store, responding, by the server computing system, to the request by providing the counterpart data element from the first data store instead of the data element from the second data store.