Abstract: In some embodiments, a system includes a processor; and a non-transitory computer readable medium coupled to the processor, the non-transitory computer readable medium including code that: requests, using a device-specific attestation request, a device-specific attestation of a device; receives, via a secure communication channel, device-specific attestation data from the device as a result of the device-specific attestation; and generates an enhanced attestation object based on the device-specific attestation data. In some embodiments, the enhanced attestation object is used to verify that an execution environment of an application on the device is secure. In some embodiments, a device-specific risk score is generated based upon the device-specific attestation data and an enhanced attestation risk score is generated based on the enhanced attestation data analysis, the enhanced attestation risk score being used to verify that the execution environment of the application on the device is secure.

Abstract: Examples of the present disclosure describe systems and methods for implementing a software-based security abstraction engine in a one-way transfer (OWT) system. In examples, data is received at a first device in the OWT system. A first set of policies is identified based on a dataflow identifier associated with the transfer of the data. A policy engine associated with the first set of policies applies the first set of policies to the data to create digital signatures. The digital signatures are evaluated by the security abstraction engine to determine whether the set of digital signatures is valid. If the digital signatures are determined to be valid, a second set of policies is applied to the data. The data is then transmitted to a second device or destination in the OWT system based on the dataflow identifier.

Abstract: Systems and methods for secure information exchange are disclosed. During setup of an accessory device in association with a voice-enabled device, token data may be generated and signed using a private encryption key by the accessory device. An accessory-device system associated with the accessory device may send a request for account identification including the token data to a remote system associated with the voice-enabled device. The remote system may determine if an application associated with the accessory-device system is enabled, and if enabled, may send the account identification in an encrypted format to the accessory-device system.

Abstract: Methods are provided, for controlling router security, cyber vulnerabilities and malware. Such methods may be implemented, for example, via a security application.

Abstract: Method and device for authentication of non-revocation. A revocation list includes at least one pair extracted from a signature generated by a revoked entity, where hi is an element of a mathematical group and ki=hixi, where xi is a secret of the revoked entity. A first entity sends, to a second entity, to authenticate itself therewith: a signature generated by the first entity for this authentication; a character string; an element of the group for each pair in the revocation list; and a zero-knowledge proof that the first entity used a secret of this first entity and the character string to obtain the group element for each pair. The second entity rejects the first entity if the zero-knowledge proof is not valid or if, for at least one the pair, the group element is such that Ci=hiA, where A is a known value.

Abstract: The present disclosure provides a cleaning station configured to decontaminate external storage devices from cybersecurity threats. The cleaning station is configured to scan files in the external storage device using a decontamination means, the decontamination means including one or more anti-virus modules and one or more anti-malware modules. The cleaning station decontaminates the external storage device, and generates an electronic certificate on the external storage device. The cleaning station receives an update signal from a master server, through a management server, which ensures the decontamination means are updated with signatures updates.

Abstract: The invention relates to a computer-implemented method and to a computer program product for the access control of a terminal, private data and other data being stored on the terminal and access to the private data being able to be limited or unlimited, comprising the following steps in the case of unlimited access: capturing an image signal by means of a camera of the terminal; performing a face detection process by means of the captured image signal; and continuously monitoring the number of faces in the captured image signal, which number of faces is determined in the face detection process, the access being limited if the number of faces is greater than one.

Abstract: Various embodiments described herein relate to cybersecurity risk assessment and mitigation for industrial control systems. In an embodiment, a request to perform a cybersecurity assessment of a set of industrial assets is received. Additionally, the set of industrial assets are correlated to industrial asset data associated with the set of industrial assets and a first industrial asset feature set is compared to a cybersecurity rules set to determine a cybersecurity threat level indicator for respective industrial assets from the set of industrial assets. In response to the cybersecurity threat level indicator satisfying a defined criterion, one or more cybersecurity countermeasure actions for the respective industrial assets are then determined based on a comparison between a second industrial asset feature set and a predefined industrial asset feature set for a set of predefined industrial assets associated with one or more predefined cybersecurity countermeasures.

Abstract: A method of discovering components of a wireless network may include transmitting, by a computing system, an account identifier corresponding to an account associated with a cloud network to a credentialing service associated with the account. The method may include receiving a set of credentials from the credentialing service and accessing the cloud network. The cloud network may include a plurality of network components hosted on one or more compute instances. The method may include determining a list of the one or more compute instances within the cloud network. The method may include identifying data associated with each of the one or more compute instances. The method may include determining that a new compute instance of the one or more compute instances is recently instantiated. The method may include generating a record in a database may include at least a portion of the data associated with the new compute instance.

Abstract: An electronic device includes a transaction host, a first peripheral, a second peripheral, a first access controller connected to the first peripheral, a second access controller connected to the second peripheral, and an access control register storing a first access control identifier for the first peripheral and a second access control identifier for the second peripheral. The first access controller to receive an access request for access to the first peripheral by the transaction host, perform an access determination for the first peripheral based at least on the first access control identifier for the first peripheral, and allow or prevent the transaction host access to the first peripheral based on the access determination.

Abstract: Disclosed is an electronic apparatus. The electronic apparatus includes a memory configured to store at least one instruction and store a plurality of categorical data whose values are expressed as a plurality of classes for one category, and a processor configured to execute the at least one instruction to generate the plurality of categorical data into one homomorphic encrypted message, in which the processor is configured to generate a categorical column in which homomorphically encrypted data for each of the plurality of categorical data is located in a plurality of slots, generate mask columns corresponding to each of the plurality of classes to correspond to the number of the plurality of classes, and generate the homomorphic encrypted message by combining the categorical column and the plurality of mask columns.

Abstract: The secure join system includes the first and second information-processing-apparatuses respectively holding first and second data. The second information-processing-apparatus is configured to: create third and fourth vectors in which a hash-value related to a key-value of the first data in a first vector and a ciphertext of the first data corresponding to the key-value in a second vector are rearranged by permutation; and create a fifth vector having a hash-value related to a key-value of the second data. The first information-processing-apparatus is configured to: search for j in which a hash-value of an i-th element of the fifth vector matches a j-th element value of the third vector for each i and create encrypted data in which a ciphertext of a j-th element value of the fourth vector is set when j is found and a ciphertext of a dummy value is set when j is not found.

Abstract: Aspects and implementations include systems and techniques for encryption and decryption of error-corrected codewords for combined protection against corruption of data and adversarial attacks, including obtaining a block of data that has a first plurality of symbols, generating, based on the first plurality of symbols, a second plurality of symbols, wherein the second plurality of symbols includes one or more error correction symbols for the first plurality of symbols, encrypting the second plurality of symbols using a set of symbol-level ciphers (SLCs) to obtain an encrypted plurality of symbols, and using the encrypted plurality of symbols in a computer operation.

Abstract: An integrated circuit (IC), including multiple registers and functional units for performing operations of the integrated circuit, provides security of register accesses. A bus interface controller coupled to the registers provides read/write access from bus interface. The IC includes a state controller for managing multiple operational modes, and an access control manager coupled to the state controller and the bus interface controller that asserts a dynamic lock over the accesses to the registers according to a selected operating mode and one or more protected addresses of the addressable register space corresponding to the current operating mode. A data screener compares data associated with the read or write accesses to sets of valid or invalid data values for the current operating mode and the protected addresses, and the access control manager permits or denies the read or write accesses in conformity with a result of the comparison.

Abstract: A cloud computing environment for providing remote secure element services, comprising at least one server, a plurality of secure elements being connectable to the at least one server, each secure element having a secure element identifier and comprising at least one secure element application having a secure element application identifier, each secure element application being uniquely addressable by the at least one server with the secure element identifier of the secure element containing the given secure element application and the secure element application identifier of the given secure element application. A method for providing secure element services performed by the cloud computing environment is also disclosed.

Abstract: A method, apparatus and computer program product for homomorphic computation enables secure computation of determinants of a matrix under Fully Homomorphic Encryption (FHE). According to this disclosure, encrypted data that contains the values of a matrix is received at a server. The matrix is separated into at least a first portion, and a second portion. Each portion is configured as a square. A first data vector of ciphertext is computed for the first portion, and a second data vector of ciphertext is computed for the second portion. Under FHE, determinants of the first and second data vectors are computed as Single Instruction Multiple Data (SIMD) operations to generate a set of results. The set of results are then used to compute a determinant of the matrix. The determinant may then be used for FHE-based analytics.

Abstract: An electronic apparatus for generating a homomorphic encrypted message includes: a processor configured to generate a mask homomorphic encrypted message by homomorphically comparing the homomorphic encrypted message with the index data in case that a calculation command of the predetermined function for the homomorphic encrypted message is input, generate an intermediate homomorphic encrypted message by homomorphically multiplying the generated mask homomorphic encrypted message by the function result data, generate a function-result encrypted message for the homomorphic encrypted message by computing sum of values in a plurality of slots of the intermediate homomorphic encrypted message.

Abstract: A method of symmetric encryption and transferring encrypted data is provided that incorporate the Lucente Stabile Atkins Cryptosystem (“DIO-LSA”). This method uses certain properties of mathematical objects called “groups,” where groups are sets of elements that are equipped with an operator and have the closure, associativity, identity, and invertibility properties. The DIO-LSA uses groups to encrypt and decrypt any kind of information between two or more parties.

Abstract: Methods and systems for managing access to data stored in data storage systems are disclosed. To prevent malicious parties from gaining access to sensitive data stored in a data storage system, an access control system may be implemented. The access control system may include monitoring of the physical environment and a registration process that assigns cryptographic key pairs to registered combinations of users and devices. When an end device requests sensitive data, the registered user-device combinations may be authenticated using the key pairs generated during registration. To protect sensitive data in the physical environment during access, environmental data (e.g., collected by sensing devices located in the physical environment) may be analyzed using trained inference models that generate predictions regarding the security risk present in environment. Provided the physical environment is secure, the sensitive data may be made accessible to the registered user.

Abstract: An example method identifying a request to access or modify a data resource. The request is made by a user. The example method further includes authenticating the user. Based on authenticating the user, the example method includes determining that the request is associated with a malicious intent based on a characteristic of the user. Further, based on determining that the request is associated with the malicious intent, the example method includes blocking the user from accessing or modifying the data resource.