Abstract: Methods and systems for managing endpoint devices are disclosed. The endpoint devices may be managed by onboarding them. To onboarding the endpoint devices, ownership vouchers and proxy certificates may be used to cryptographically verify to which entities authority over the endpoint devices have been delegated. The proxy certificates may extend certificate and/or delegation chains in ownership vouchers to other devices. The extended chains may eliminate the need for proliferation of keys used to demonstrate authority over endpoint devices.

Abstract: A system for performing operations using linear integer programming for RSA factorization is provided, including an n/e extractor, a prime factorization calculator, a private key determiner, and a decryptor. The n/e extractor is configured to extract a modulus and a public key exponent from a public key. The prime factorization calculator is configured to: determine a semi-prime number of the modulus according to the modulus; use a tail digit and a head digit set of the semi-prime number of the modulus to perform decomposition and factorization with respect to the semi-prime number into two prime factors. The private key determiner is configured to determine a private key using the public key exponent and the two prime numbers. The decryptor is configured to decrypt an encrypted message using the private key so as to generate a decrypted message.

Abstract: Some embodiments include a method for detecting and interrupting a cache-based side-channel attack. The method includes: (1) at least calibrating one or more chiplets of a network by calculating a threshold; (2) determining one or more device heartbeat vectors of the one or more chiplets, the one or more device heartbeat vectors being derived at least part from one or more measurements of activity of one of more dedicated security processors associated with the one or more chiplets; (3) determining that a particular chiplet of the one or more chiplets is being attacked with a cache-based side-channel attack, the determining being based at least in part on a computed disparity exceeding the threshold; and (4) employing countermeasures against the cache-based side-channel attack of the particular chiplet, the countermeasures including revoking one or more access rights of the particular chiplet on the network.

Abstract: An apparatus comprises at least one processing device including a processor and a memory. The at least one processing device is configured to implement an agent application for supporting an authentication process between a client device and a web server over at least one network, to register the agent application with an operating system of the client device, and in conjunction with initiation of the authentication process via a web browser of the client device, to obtain a uniform resource identifier (URI) from the web server, the URI corresponding to a particular endpoint of the web server, and to make the URI accessible to the agent application via the operating system. The at least one processing device is further configured to carry out one or more authentication operations of the authentication process at least in part through interaction between the agent application and the particular endpoint of the web server.

Abstract: A computer-implemented method includes generating two tensile circles based on a common circle created by overlapping two tensile spheres. An angle is determined using a modulo function and a predefined value. The angle is applied to both tensile circles. Next, multiplicands are determined for both tensile circles based on the angle applied to both tensile circles. The method then encrypts and/or decrypts data using a symmetric cryptography technique and the multiplicands.

Abstract: Evaluating polynomials for use under fully homomorphic encryption (FHE) is provided. An input polynomial of degree n is received, wherein n is equal to 2{circumflex over (?)}m. An input ciphertext containing an input value is also received. The input value is duplicated in n/2 slots. Two plaintext vectors each containing half of the roots in the polynomial are subtracted from the input ciphertext, obtaining second and third ciphertexts, which are multiplied elementwise to produce a result ciphertext comprising n/2 slots. The result ciphertext is rotated by 2{circumflex over (?)}i to generate a rotated ciphertext (i=iteration number) and multiplied by the rotated ciphertext to produce a new result ciphertext, for m?1 iterations. The final result ciphertext is multiplied with a leading coefficient of the polynomial, resulting in a final polynomial evaluation. An operation not supported under FHE is estimated according to the final evaluation.

Abstract: A method for automatic configuration and use of Category 1 message filtering rules includes, at a network function (NF), subscribing, with an NF repository function (NRF), to receive notification of NF profile changes. The method further includes receiving, from the NRF and as a result of the subscribing, notification of an NF profile change. The method further includes automatically configuring, based on the notification of the NF profile change, at least one Category 1 message filtering rule implemented. The method further includes using the at least one Category 1 message filtering rule to filter service based interface (SBI) messages.

Abstract: Systems, methods, and computer-readable storage media to trace obfuscated data of an entity. One system includes a data processing system including memory and one or more processors configured to generate a data structure including a plurality of cryptographic outputs, wherein each of the plurality of cryptographic outputs obfuscates data of at least one identifier of the entity. The processors are further configured to broadcast the data structure to a distributed ledger and receive a proof request associated with a customer's cryptographic output. The processors are further configured to generate a cryptographic proof dataset for the customer's cryptographic output and provide the cryptographic proof dataset.

Abstract: Example implementations provide a computer program product for authenticating a number of grouped product-packaging pairs, in which each product-packaging pair comprises a respective message, associated with a respective product, and a respective signature associated with the message; the computer program product comprising machine executable instructions arranged, when processed, to: read the product messages and the signatures from the grouped product-packaging pairs; determine and store bilinear computation results associated with each of the messages, and each of the signatures; and determine, from the stored bilinear computation results, whether or not at least one product-packaging pair of the number of grouped product-packaging pairs is authentic.

Abstract: A communication system includes a first network device including a RADIUS server configured to determine whether to authenticate a network communication of a terminal, or a first RADIUS client corresponding to a RADIUS server and storing identification information identifying the RADIUS server and a secret key, and a second network device directly connected to the first network device in the same network segment as the first network device. The first network device includes a first processor and a first memory device configured to store a first program, the first program being executed by the first processor to cause the first processor to transmit the identification information and the secret key to the second network device in a first time period.

Abstract: An apparatus and method for facilitating zero-knowledge proofs is disclosed. The apparatus includes at least a processor and a memory communicatively connected to the at least a processor, the memory contains instructions configuring the at least a processor to identify a trace, divide the trace into a plurality of trace segment, identifying at least an operation of the trace and dividing the trace into the plurality of trace segments as a function of the at least an operation of the trace, recompile the plurality of trace segments for zero-knowledge proof generation and generate a zero-knowledge proof for each of the plurality of recompiled trace segments.

Abstract: Methods for database recovery for encrypted indexes are performed by systems and devices. A query with a decryption key is received from a client device, where the query modifies an encrypted index of a database using a secure enclave. When events requiring remedial actions for the database occur during the querying, some transactions of the query and later queries are deferred, and a remedial action is initiated that includes restarting the database. A determination of the remedial action being unsuccessful in recovering the encrypted index causes the action to be re-performed until another query having the decryption key is received whereupon the action is performed again to recover the encrypted index utilizing the decryption key. Deferred transactions are then performed with the decryption key. When a database restarts for access without secure enclaves, the encrypted index for the database is invalidated, and the remedial actions are otherwise completed or discarded.

Abstract: An example system includes a one-time-use secret (OTUS) deployer engine to: provide an OTUS within a container-orchestrated environment (COE). The example system further includes: a non-OTUS provider engine to: provide a non-OTUS in exchange for the OTUS; and, invalidate the OTUS when the non-OTUS is provided. The example system further includes: a first container engine to: in response to bootstrapping, receive the OTUS from the OTUS deployer engine; and receive the non-OTUS from the non-OTUS provider engine in exchange for the OTUS. The example system further includes: a replica of the first container engine, to: in response to bootstrapping, after the first container engine, receive the OTUS from the OTUS deployer engine; attempt to receive the non-OTUS from the non-OTUS provider engine in exchange for the OTUS; receive an indication from the non-OTUS provider engine that the OTUS is invalid; and receive the non-OTUS from the first container engine.

Abstract: Various examples relate to apparatuses, methods, and computer programs for executing an executable, and to a method for distributing software or firmware. An apparatus for executing an executable comprises interface circuitry, machine-readable instructions, and processing circuitry for executing the machine-readable instructions to identify, for the executable, a trigger to activate or deactivate a noise injection mode during execution of the executable, the noise injection mode being suitable for introducing noise during execution of the executable, and activate or deactivate the noise injection mode based on the identified trigger.

Abstract: Methods and systems for identifying poisoned training data used for training artificial intelligence (AI) models are disclosed. To identify poisoned training data in a proposed training dataset, a causal model may be obtained. The causal model may include relationships relating data elements. The proposed training dataset may be identified as poisoned when data elements within the proposed training dataset do not satisfy the relationships set forth by the causal model. When the identification of poisoned training data is made, the AI model may not be updated using the proposed training dataset and the proposed training dataset may be discarded. If poisoned training data is not identified prior to training an AI model, methods and systems are disclosed for the remediation of the poisoned training dataset and subsequent tainted AI models. By doing so, the effect of poisoned training data may be prevented and/or efficiently computationally mitigated.

Abstract: Methods and systems for performing an authenticated boot; performing a continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies. Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.

Abstract: The disclosed computer-implemented method for regulating application permissions may include detecting a device permission control interface displayed on the computer and identifying an application associated with the device permission control interface. The method may also include determining a permission policy applicable to the identified application and overlaying a transparent window over the device permission control interface. The transparent window may restrict interaction with one or more control elements of the device permission control interface in accordance with the permission policy. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: This document relates to using secure MPC to select digital components in ways that preserve user privacy and protects the security of data of each party that is involved in the selection process. In one aspect, a method includes receiving, by a first server of a secure MPC system from a client device, a digital component request. The first server identifies, for each digital component in a set, a selection value and a priority tier. For each tier, the first server determines, using a secure MPC process in collaboration with one or more second servers of the secure MPC system, a first secret share of a winner parameter for each digital component in the priority tier. The first server identifies a highest tier for which a given digital component has a winner parameter that indicates that the given digital component is a winning digital component.

Abstract: In some embodiments, a malware detection system includes an attack channel removal unit, a feature extraction unit coupled to the attack channel removal unit, and a graphical encoding unit coupled to the feature extraction unit and a malware detection unit. In some embodiments, based upon graphically-encoded component-based features and monotonic features extracted from attack-channel-free software output by the attack channel removal unit, the malware detection unit detects malware in software input into the malware detection system. In some embodiments, the monotonic features extracted from the attack-channel free software and the graphically-encoded component-based features are combined to generate a combination monotonic-component based feature vector. In some embodiments, the combination monotonic-component based feature vector is used to detect malware using the malware detection system.

Abstract: Techniques are described for validating build integrity of software products, such as applications or containers. More specifically, this disclosure describes a build integrity validation system that analyzes build artifacts resulting from a software build process to create source code assertions, and compares the assertions against the source code from which the build artifacts were produced. The build integrity validation system validates that a particular build artifact is producible by the source code to ensure that no additional code was introduced during the build process. The build integrity validation system may also reverse the analysis to validate that the source code is able to produce the build artifacts to ensure that no code was removed or modified during the build process. The build integrity validation system identifies and reports identified discrepancies between the source code and the build artifacts resulting from the software build process of the source code.