Patents Examined by Forrest L Carey
  • Patent number: 11520859
    Abstract: The present disclosure is directed to secure processing and display of protected content. The use of a trusted execution environment (TEE) to handle authentication and session key negotiation in accordance with a selected content protection protocol may reduce any trusted computing base (TCB) needed for such operations, and thereby present a smaller target for potential attackers. Techniques are presented in which a session key negotiated via such a TEE is securely provided to output circuitry such as a display controller, which may encrypt protected content that has been requested for viewing on a protocol-compliant display device communicatively coupled to a device comprising the TEE and/or the output circuitry. The output circuitry may then provide the encrypted protected content to the protocol-compliant display device, such as for compliant display of the protected content.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: December 6, 2022
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Siddhartha Chhabra
  • Patent number: 11496891
    Abstract: Systems and techniques are disclosed to protect a user equipment's international mobile subscriber identity by providing a privacy mobile subscriber identity instead. In an attach attempt to a serving network, the UE provides the PMSI instead of IMSI, protecting the IMSI from exposure. The PMSI is determined between a home network server and the UE so that intermediate node elements in the serving network do not have knowledge of the relationship between the PMSI and the IMSI. Upon receipt of the PMSI in the attach request, the server generates a next PMSI to be used in a subsequent attach request and sends the next PMSI to the UE for confirmation. The UE confirms the next PMSI to synchronize between the UE and server and sends an acknowledgment token to the server. The UE and the server then each update local copies of the current and next PMSI values.
    Type: Grant
    Filed: February 27, 2019
    Date of Patent: November 8, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Soo Bum Lee, Anand Palanigounder, Adrian Edward Escott, Gavin Bernard Horn
  • Patent number: 11483301
    Abstract: Aspects of the subject disclosure may include, for example, detecting a request for access to a wireless network via an access point. Responsive to a first determination that the identifier corresponds to an entry in the list, access is facilitated to the wireless network via the access point without the equipment of the requesting user providing credentials to the wireless network. The list includes a first set of entries corresponding to a first set of users having unrestricted access and a second set of entries corresponding to a second set of users having restricted access. Responsive to a second determination that the identifier does not correspond to any of the entries, a message is transmitted to equipment of the host regarding the request, and responsive to receiving approval, the list is updated to include the identifier. Other embodiments are disclosed.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: October 25, 2022
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Sangar Dowlatkhah, Zhi Cui, Venson Shaw
  • Patent number: 11457353
    Abstract: Examples pertaining to indication of additional security capabilities using non-access stratum (NAS) signaling in 5th Generation (5G) mobile communications are described. A processor of an apparatus (e.g., a user equipment (UE)) transmits an initial NAS message to a communication entity of a 5G mobile network. The processor then receives a message from the communication entity responsive to the transmitting, the message comprising an additional 5G security parameter information element (IE). The processor proceeds to perform a security mode control procedure using information contained in the additional 5G security parameter IE pertaining to at least one 5G security parameter.
    Type: Grant
    Filed: June 25, 2019
    Date of Patent: September 27, 2022
    Assignee: MediaTek Singapore Pte. Ltd.
    Inventors: Marko Niemi, Jarkko Eskelinen
  • Patent number: 11438316
    Abstract: A method and apparatus for establishing a trust relationship between users is disclosed. The apparatus includes at least two user devices containing the Application, a service provider server (SPS) comprising an application programming interface (API), a network communicably coupling the sender device, the receiver device and the SPS, and an out-of-band (OOB) channel, separate from the network, communicably coupling the sender device and the receiver device. The method includes obtaining a receiver's Public Key provided by an Application Programming Interface (API) on a service provider server, encrypting a verification message with the Receiver's Public key and the Sender's Private Key, sending the encrypted verification message from the Sender's device to the Receiver's device through the out-of-band channel, decrypting the encrypted verification message using Receiver's Private Key and Sender's Public Key, and communicating decrypted verification message via out-of-band channel.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: September 6, 2022
    Assignee: 360 IT, UAB
    Inventors: Eimantas Puzeris, Mindaugas Valkaitis
  • Patent number: 11411933
    Abstract: A brownfield security gateway is configured to support a trusted execution environment (TEE) that employs cryptographic and physical security—which forms a trusted cyber physical system—to protect sensitive transmissions on route to a controllable device. The gateway may be implemented with a System on Chip (SoC) that utilizes an application layer gateway to filter content within a transmission. When the application layer gateway authorizes the transmission, the transmission is forwarded to a trusted peripheral device that is configured with communication transport protocols, and the trusted peripheral device transfers the transmission to the controllable device. The trusted peripheral device and the controllable device are physically protected by, for example, protected distribution systems. Accordingly, the trusted peripheral device functions as a gateway between the SoC and the controllable device.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: August 9, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel Stelian Mihai, Brian Clifford Telfer, David Garfield Thaler, III, Stefan Thom, Torsten Stein
  • Patent number: 11399034
    Abstract: The present disclosure provides a system for detecting and preventing the intrusion of malicious data flows in a software defined network (SDN). The system comprises at least one data storage or memory, configured to store flow states of data flows, and to share and update the flow states across the system, at least one shared-state forwarding element (FE) configured to block, forward, or replicate a received data flow based on a flow state of the data flow and/or a comparison of the data flow with predetermined patterns, and at least one inspection element (IE), configured to receive a replicated data flow, and to classify whether the data flow is malicious or allowed. The IE is configured to alter the flow state of the data flow according to a classification result. The present disclosure provides a corresponding method for detecting and preventing intrusion of malicious data flows in a SDN.
    Type: Grant
    Filed: January 12, 2018
    Date of Patent: July 26, 2022
    Assignee: Huawei Cloud Computing Technologies Co., Ltd.
    Inventors: Shachar Snapiri, Eshed Gal-Or, Eran Gampel, Ayal Baron
  • Patent number: 11388141
    Abstract: The disclosed apparatus may include (1) flagging, at a packet filter within a network device, a packet to be discarded instead of passed to a processing unit within the network device, (2) determining that the packet is part of a set of related packets that includes at least one additional packet destined at least intermediately for the network device, (3) identifying, by monitoring incoming packets received at the packet filter, the additional packet within the set of related packets, and then (4) discarding, due to the additional packet being included within the set of related packets, the additional packet instead of passing the additional packet to the processing unit. Various other apparatuses, systems, and methods are also disclosed.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: July 12, 2022
    Assignee: Juniper Networks, Inc
    Inventors: Sreekanth Rupavatharam, Karen Zhang, Prashant Singh
  • Patent number: 11374965
    Abstract: A method for processing a denial of service (DOS) includes: receiving a de-authentication/disassociation (D/D) frame by an access point (AP), determining by the AP a state of security association establishment between the AP and a client device, maintaining a connection between the AP and the client device if the security association is incomplete, sending a probe packet from the AP to the client device if security association is complete and the connection between the AP and the client device is in a non-PMF (protected management frames) setting, maintaining the connection if the client device responds to the probe packet, and terminating the connection if the client device does not respond to the probe packet.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: June 28, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Tejas Sathe, Wei Hu, Shubham Saloni
  • Patent number: 11368435
    Abstract: A technique for determining the safety of the content of beacon transmissions. A user device extracts beacon identification information from a beacon transmission. The user device queries the beacon registry to obtain the targeted content. The user device provides the targeted content and beacon identification information to a validation service. The validation service evaluates the targeted content and the beacon identification information for safety. The validation service determines a score based on that evaluation and sends the score to the user device. The user device alerts the user or performs background actions such as suppression of transmission of beacon contextual data to other apps on user device based on the score.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: June 21, 2022
    Assignee: McAfee, LLC
    Inventors: Siddaraya Revashetti, Priyadarshini Rao Rajan, Sulakshana Zambre, Saira Sunil, Susmita Nayak
  • Patent number: 11366923
    Abstract: In an embodiment, the disclosed technologies include receiving a query that requests aggregate information about entity event data relating to digital content delivered digitally by an entity management system to entities of the entity management system, the query associated with a requester account; determining a first privacy allocation for the requester account; determining a first privacy value, the first privacy value computed based on the query and a selected privacy algorithm; deducting the first privacy value from the first privacy allocation to produce a first privacy balance; causing executing of the query on the entity event data and providing a result set in response to the query only if the first privacy balance indicates that the first privacy allocation has not been depleted.
    Type: Grant
    Filed: December 21, 2019
    Date of Patent: June 21, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ryan M. Rogers, David Anthony Durfee, Sean S. Peng, Subbu Subramaniam, Seunghyun Lee
  • Patent number: 11354419
    Abstract: Techniques are provided for identifying and encrypting fields of an application object at an application layer in a multi-tenant cloud architecture, using an object metadata structure of the application object. Accordingly, transparent, per-tenant encryption capabilities are provided, while enabling transfer of encrypted object data between the application layer and a storage layer.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: June 7, 2022
    Assignee: SAP SE
    Inventor: Vipul Gupta
  • Patent number: 11329827
    Abstract: A method of unlocking a second device using a first device is disclosed. The method can include: the first device pairing with the second device; establishing a trusted relationship with the second device; authenticating the first device using a device key; receiving a secret key from the second device; receiving a user input from an input/output device; and transmitting the received secret key to the second device to unlock the second device in response to receiving the user input, wherein establishing a trusted relationship with the second device comprises using a key generated from a hardware key associated with the first device to authenticate the device key.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: May 10, 2022
    Assignee: Apple Inc.
    Inventors: Conrad Sauerwald, Alexander Ledwith, John Iarocci, Marc J. Krochmal, Wade Benson, Gregory Novick, Noah Witherspoon
  • Patent number: 11308207
    Abstract: A cloud storage server accesses a plurality of server-stored files of a cloud storage account of a client device. The cloud storage server determines that one or more server-stored files from the plurality of server-stored files are affected by a malware activity. The cloud storage server generates a graphical user interface that includes a detection notification and a confirmation request, the detection notification indicating a detected presence of malware in the one or more server-stored files and metadata corresponding to the one or more server-stored files, the confirmation request indicating a request for the client device to confirm the detected presence of malware in the one or more server-stored files. A confirmation response is received from the client device. The confirmation response identifies at least one of the one or more server-stored files and confirms the presence of malware activity in the identified server-stored files.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: April 19, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Filip Chelarescu, Benjamin N. Truelove, Meir E. Abergel, Parthipan Thayanithy
  • Patent number: 11310208
    Abstract: Methods and apparatus for a secure time service are disclosed. A time server including a time source, a cryptographic key and a cryptographic engine is instantiated within a provider network. A time service endpoint receives a timestamp request from a client. The endpoint transmits a representation of the request to the time server, and receives, from the time server, an encryption of at least a timestamp generated using the time source. A response comprising the encryption of at least the timestamp is transmitted to the requesting client.
    Type: Grant
    Filed: December 22, 2017
    Date of Patent: April 19, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Thomas Charles Stickle, Eric Jason Brandwine
  • Patent number: 11294993
    Abstract: A service request is received by a terminal device. First biometric authentication information of a user associated with the service request is collected. The first biometric authentication information is compared with preset biometric authentication information. When the comparison shows that the first biometric authentication information and the preset biometric authentication information are consistent, a pre-stored digital signature certificate private key is read. The service request is digitally signed according to the digital signature certificate private key. A biometric information verification message is generated and sent to a server. The server is configured to read a pre-stored digital signature certificate public key corresponding to the digital signature certificate private key. Authentication result information is received from the server after the server verifies and signs the biometric information verification message according to the digital signature certificate public key.
    Type: Grant
    Filed: February 23, 2018
    Date of Patent: April 5, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Haojie Zhong, Xiangyu Zhao, Shuli Zhang
  • Patent number: 11283628
    Abstract: An information processing device includes: a non-volatile storage; a communication interface; a processor; and a memory. The non-volatile storage is configured to store a private key. The memory stores computer-readable instructions therein. The computer-readable instructions, when executed by the processor, cause the information processing device to perform: acquiring the private key from the non-volatile storage; acquiring a certificate from a specific external device via the communication interface, the certificate including a public key corresponding to the private key, and the specific external device being different from the information processing device; converting specific data using the private key to generate converted specific data, the converting including one of encrypting the specific data and decrypting the specific data encrypted using the public key; and outputting the certificate.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: March 22, 2022
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Ken Saito
  • Patent number: 11252184
    Abstract: An anti-attack data transmission method and an apparatus thereof are provided. The method includes obtaining a communication protocol message to be transmitted; performing an anti-attack pre-processing for data on information bit(s) located at a message header in the communication protocol message, and generating processing information; storing the processing information in extension bit(s) at the message header of the communication protocol message to obtain a converted communication protocol message, wherein the message header of the communication protocol message includes the information bit(s) and the extension bit(s); and sending the converted communication protocol message to a receiving device. The present disclosure solves the problem of false negatives associated with normally transmitted data flow caused by existing anti-attack methods.
    Type: Grant
    Filed: April 27, 2018
    Date of Patent: February 15, 2022
    Assignee: Alibaba Group Holding Limited
    Inventors: Yifan Tu, Zhao Zhang, Jiarui Zhu
  • Patent number: 11252136
    Abstract: Embodiments are directed to methods, apparatuses, computer readable media and systems for authenticating a user on a user device across multiple mobile applications. The identity of the user is validated by encoding and subsequently validating cryptographically encrypted data in a shared data store accessible by the mobile applications tied to the same entity. Specifically, the application leverages the authentication process of a trusted mobile application (e.g. a banking mobile application) to authenticate the same user on an untrusted mobile application (e.g. a merchant mobile application).
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: February 15, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Vishwanath Shastry, Shalini Mayor
  • Patent number: 11245672
    Abstract: A method for accessing content of encrypted data item(s) by a terminal device operating in a digital environment, according to which before the data item is being accessed by the terminal device, it is modified after being intercepted if found to be encrypted. The wrapper of the data item is modified or replaced by embedding a URL with a unique identifier and a message into the wrapper of the data item. If a supported terminal device attempts to access the modified data item, the client application natively consumes the data from the modified data item and ignores its wrapper. If not, the message and the URL are displayed on the terminal device and the user browses the URL. Then after authentication, a web server locates the modified data item using the unique identifier, retrieves and decrypts the modified item and converts the decrypted modified data item to a format that can be consumed by the browser.
    Type: Grant
    Filed: June 17, 2013
    Date of Patent: February 8, 2022
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventor: Yuval Eldar