Patents Examined by Gregory A Lane
-
Patent number: 11354449
Abstract: Securely provisioning a System on a Chip (SoC) includes generating a public/private key pair having a public key and a private key, securely storing the private key external to the SoC, embedding the public key in Resistor Transistor Logic (RTL) of the SoC during manufacture of the SoC, encrypting provisioning data using the private key to create encrypted provisioning data, and programming the SoC using the encrypted provisioning data. The secure provisioning may further include generating a secret shared key, embedding the secret shared key in the RTL of the SoC during manufacture of the SoC, and encrypting the provisioning data using the secret shared key. The RTL may be the boot Read Only Memory (ROM) of the SoC. The secure provisioning technique may also be used for subsequent provisioning after the SoC is deployed.
Type: Grant
Filed: April 18, 2019
Date of Patent: June 7, 2022
Assignee: Tesla, Inc.
Inventor: Patryk Kaminski
-
Patent number: 11354453
Abstract: An encryption device includes a counter, an encryption/decryption unit, and a timer. The counter is configured to generate a first timestamp for a first time. The encryption/decryption unit is configured to concatenate security data and the first timestamp, encrypt the concatenated data into encryption data, transmit the encryption data to a memory device, and decrypt read data transmitted from the memory device into decryption data. The timer is configured to inform the counter and the encryption/decryption unit that a time elapses from the first time to a second time such that the counter generates a second timestamp for the second time and the encryption/decryption unit decrypts the read data into the decryption data. Checking logic implemented by the encryption device is configured to check whether a decryption timestamp of the decryption data is identical to the first timestamp.
Type: Grant
Filed: June 21, 2018
Date of Patent: June 7, 2022
Assignee: Samsung Electronics Co., Ltd.
Inventors: Ingoo Heo, Jaechul Park, Youngjin Chung, Hong-Mook Choi
-
Patent number: 11356456
Abstract: Embodiments are directed to techniques for constructing, configuring, triggering, and executing various types of multi-party pipelines that access and/or use a shielded asset required to exist or execute within a data trustee environment. Generally, authorized participants can build upon template data privacy pipelines and other shielded assets to create other pipelines. Building blocks such as entitlements, cross-environment pipelines, and/or shielded assets governed by various collaborative intelligence contracts can be used to construct more complicated pipelines that may include any number of data privacy pipelines, cross-environment pipelines, input datasets, computational steps, output datasets, permissible queries, participants, and/or governing collaborative intelligence contracts.
Type: Grant
Filed: January 7, 2020
Date of Patent: June 7, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Tomer Turgeman, Yisroel Gershon Taber, Lev Rozenbaum, Ittay Levy Ophir, Nerya Cohen
-
Patent number: 11316834
Abstract: A machine and process for remotely controlling a vessel. The system may include a land-based computing system configured to communicate control signals via a communications system that communicates the control signals to the vessel and a controller network on the vessel configured to control at least certain functions of the vessel. The controller network may further be configured to receive the control signals from the land-based computing system. The controller may include a switch including an input port and multiple output ports. A remote control computing device may be configured to control the vessel via at least one other computing device. A one-way Ethernet cable may be communicatively coupled between one of the output ports of the switch and the remote control computing device. The control signals may be received by the switch being communicated to the remote control computing device via the one-way Ethernet cable.
Type: Grant
Filed: June 28, 2018
Date of Patent: April 26, 2022
Assignee: C-Innovation, LLC
Inventor: Kjell Erik Larsen
-
Patent number: 11317285
Abstract: Various arrangements for wireless network provisioning using a pre-shared key (PSK) are presented. A plurality of wireless network access profiles that indicate a plurality of PSKs may be stored. An access point may receive, from a wireless device, a first value based on the PSK. The access point can transmit the first value to a cloud-based provisioning system. A plurality of values based on the plurality of PSKs of the plurality of wireless network access profiles may be created and a match between a second value of the plurality of values and the transmitted first value may be identified. A third value may be provided to the access point based on the PSK of the wireless network access profile of the plurality of wireless network access profiles used to generate the value. Network access can then be granted based on the third value.
Type: Grant
Filed: September 22, 2020
Date of Patent: April 26, 2022
Assignee: DISH Network L.L.C.
Inventors: Edward W. Neipris, Joshua David Wade, Tyler Nesper
-
Patent number: 11316863
Abstract: Embodiments are directed to techniques for constructing, configuring, triggering, and executing various types of multi-party pipelines that access and/or use a shielded asset required to exist or execute within a data trustee environment. Generally, authorized participants can build upon template data privacy pipelines and other shielded assets to create other pipelines. Building blocks such as entitlements, cross-environment pipelines, and/or shielded assets governed by various collaborative intelligence contracts can be used to construct more complicated pipelines that may include any number of data privacy pipelines, cross-environment pipelines, input datasets, computational steps, output datasets, permissible queries, participants, and/or governing collaborative intelligence contracts.
Type: Grant
Filed: January 7, 2020
Date of Patent: April 26, 2022
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Tomer Turgeman, Yisroel Gershon Taber, Lev Rozenbaum, Ittay Levy Ophir, Nerya Cohen
-
Patent number: 11281796
Abstract: Techniques are disclosed herein for managing and sharing sensitive information using blockchain technology. In certain embodiments, a transaction may be generated using information and a set of conditions, wherein satisfying the set of conditions by a requester of the information determines access to the information by the requester and the set of conditions include a count for a number of queries allowed for accessing the information. As requesters access the information, the count is decremented or adjusted and updated transactions are stored on the blockchain ledger until the count adjusts to a predetermined number, such as zero. The information and the set of conditions may be defined by the user.
Type: Grant
Filed: June 13, 2018
Date of Patent: March 22, 2022
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: James Pratt, Nigel Bradley, Eric Zavesky, Nikhil Marathe, Timothy Innes
-
Patent number: 11265347
Abstract: Systems and methods for automated testing of network security controls are provided. According to one embodiment, information regarding multiple desired security controls for a protected network are received by a network device. Network traffic configured to validate an extent of conformance by the protected network with the desired security controls is generated by the network device. The generated network traffic is transmitted by the network device onto the protected network. An assessment is performed by the network device regarding how network security policies configured within the protected network process the generated network traffic.
Type: Grant
Filed: September 18, 2017
Date of Patent: March 1, 2022
Assignee: Fortinet, Inc.
Inventor: Eric C. Hastings
-
Patent number: 11232193
Abstract: A method that automatically generates blacklists for a sandbox application. The method first obtains a set of disassembled operating system (OS) dynamic-link libraries (DLLs) and then identifies application programming interfaces (API) functions that have respective kernel interruptions. The identified API functions that have kernel instructions are saved to an interrupt list. Based on the interrupt list, a processor generates a blacklist that includes for each of the DLLs, the identified API functions in the interrupt list, all API functions that directly or indirectly invoke one of the identified API functions in the interrupt list via one or more nested API functions. The method outputs the blacklist to the sandbox application that operates on a sample file to emulate API functions of the sample file that match the blacklist. All other APIs not identified as being blacklisted are then considered whitelisted and are allowed to run natively.
Type: Grant
Filed: November 4, 2020
Date of Patent: January 25, 2022
Assignee: Malwarebytes Inc.
Inventor: Jason Neal Raber
-
Patent number: 11216389
Abstract: A container from a first root of trust associated with a first root entity may be received. The container may correspond to a mapping of a resource of an integrated circuit that is associated with the first root entity. The container may be verified based on a key that corresponds to the first root of trust and that is stored in the integrated circuit at manufacturing of the integrated circuit. An identification may be made that an assignment of the resource from the container corresponds to assigning the resource from the first root of trust to a new root of trust. A new key corresponding to the new root of trust may be generated. Information corresponding to the new key may be stored into a memory of the integrated circuit. Furthermore, the new key may be used to delegate the resource to a subsequent container.
Type: Grant
Filed: December 1, 2016
Date of Patent: January 4, 2022
Assignee: CRYPTOGRAPHY RESEARCH, INC.
Inventors: Ambuj Kumar, William Craig Rawlings
-
Patent number: 11202201
Abstract: A subscriber identity module (eUICC), comprises profiles for the utilization of a mobile terminal that include at least a first profile and at least a second profile, of which the second profile (Pr1, Pr2) is devised as an active profile. The first profile is designed as a root profile (PrR) which in a normal state of the subscriber identity module is in an inactive state, and which is devised to be activated in response to an authentication command (AUTHENTICATE) received at the subscriber identity module. The authentication command is specially parameterized for the root profile (PrR) with a specific root value of the network parameter (P2) to be activated during a change-over period. The initially active second profile (Pr1, Pr2) is deactivated during the change-over period. After the end of the change-over period, the first profile (PrR) is again deactivated and the second profile (Pr1, Pr2) is again activated.
Type: Grant
Filed: November 30, 2016
Date of Patent: December 14, 2021
Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
Inventors: Ulrich Huber, Nils Nitsch
-
Patent number: 11196748
Abstract: A managed directory service obtains a request to generate a first account of a first directory within a first network. In response to the request, the managed directory service creates the first account within the first directory. From the request, the managed directory service also obtains credential information of a second account of a second directory within a second network. The managed directory service updates the first account to include this credential information to enable the first account to be used to access the second directory within the second network.
Type: Grant
Filed: June 13, 2018
Date of Patent: December 7, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Keith Littleton Croney, Ron Cully, Nitish Goyal, Sachin Sanjay Gujar, Brandon Tang
-
Patent number: 11190519
Abstract: In some examples, a software agent may request a token from a server. The request may include dock identifiers associated with one or more docks, credentials, and actions to be performed by the one or more docks. The server may determine, using an access control list, whether the credentials authorize the software agent to instruct the one or more docks to perform the actions. If the server determines that the software agent is authorized, then the server may send a token to the software agent. The software agent may send an action request to the one or more docks. The action request may include the token and the actions. Each dock that receives the request may attempt to validate the token. If the dock successfully validates the token, the dock may perform the actions and send a message to the software agent indicating a result of performing the actions.
Type: Grant
Filed: November 30, 2018
Date of Patent: November 30, 2021
Assignee: Dell Products L.P.
Inventors: Nicholas D. Grobelny, Joshua N. Alperin, Daniel L. Hamlin
-
Patent number: 11176093
Abstract: An example operation may include one or more of connecting, by a disposition node, to a blockchain comprised of a plurality of user nodes connected to a plurality of device nodes that store user data of the plurality of the user nodes, receiving, by the disposition node, a request from a user node of the plurality of the user nodes to dispose of user data (D) on at least one of the device nodes of the plurality of the device nodes, the request contains a disposal policy (P) and a disposal method (M) of the D, executing, by the disposition node, a consensus algorithm to validate the request based on the D, P and M, in response to a validation of the request, accessing, by the disposition node, the D on the at least one of the device nodes of the plurality of the device nodes, generating, by the disposition node, a location sensitive hash of the D (LSH(D)) and a crypto hash of the D (SHA256(D)), storing, by the disposition node, the LSH(D), the SHA256(D), the P and the M on the blockchain, executing, by the dis
Type: Grant
Filed: November 29, 2018
Date of Patent: November 16, 2021
Assignee: International Business Machines Corporation
Inventors: Vugranam C. Sreedhar, Emi K. Olsson
-
Patent number: 11171786
Abstract: A secure bus for pre-placement of device capabilities across a set of cryptoprocessors may be provided. A first cryptoprocessor may receive a key corresponding to a second cryptoprocessor and it may receive an object in response to the object being instantiated on the second cryptoprocessor. Next, the first cryptoprocessor may use the key to determine that the second cryptoprocessor signed the object. The first cryptoprocessor may then store the object in the first cryptoprocessor in response to determining that the second cryptoprocessor signed the object. Then the first cryptoprocessor may receive a request for the object and provide a response to the request.
Type: Grant
Filed: March 21, 2019
Date of Patent: November 9, 2021
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Eric Voit, David C. Lapier, William F. Sulzen, Pagalavan Krishnamoorthy
-
Patent number: 11159361
Abstract: Methods for managing a communication session in a communication network are disclosed. For example, a method includes detecting, by a first endpoint comprising at least one processor, an error condition associated with the communication session, sending, by the first endpoint, a notification of the error condition to a second endpoint that is using a transport layer session and receiving, by the first endpoint, a communication from the second endpoint, proposing a response to the error condition. Another method includes receiving, by a first endpoint comprising at least one processor, a notification of an error condition associated with the communication session, selecting, by the first endpoint, a response to the error condition, and sending, by the first endpoint, a communication to a second endpoint that is using a transport layer session, proposing a response to the error condition.
Type: Grant
Filed: August 23, 2019
Date of Patent: October 26, 2021
Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
Inventors: David B. Small, Thomas Spencer, IV
-
Patent number: 11151286
Abstract: Privilege delegation in a computer device is managed by invoking a utility by a first user account. A requested command is captured by an agent plugin which is provided as a plugin to the utility. The agent plugin sends a request message to an agent, which determines an outcome for the requested command including allowing or blocking. If allowed, a reply message from the agent instructs the agent plugin to provide command information to the utility to run the requested command by the operating system with delegated privileges of the second user account. The agent plugin can also be instructed to perform custom messaging, or passively handle the requested command via a child plugin.
Type: Grant
Filed: June 1, 2018
Date of Patent: October 19, 2021
Assignee: Avecto Limited
Inventor: Omar Ikram
-
Patent number: 11140162
Abstract: A response method and system in virtual network computing authentication, and a proxy server, where the method includes receiving, by a proxy server, a password from a controller, receiving challenge information from a serving end, where the challenge information is generated by the serving end based on the virtual network computing authentication, determining a first response value according to the password and the challenge information, and sending the first response value to the serving end in order to resolve a problem that sensitive data of a user is leaked or decrypted by brute force because a response process in the virtual network computing authentication is completed by a client, thereby improving security in the virtual network computing authentication process.
Type: Grant
Filed: December 18, 2017
Date of Patent: October 5, 2021
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Xianlei Wang
-
Patent number: 11115409
Abstract: A method authenticates a user in order to activate an access mechanism for a device. One or more processors detect a real-time initial emotional state of the user, where the real-time initial emotional state of the user dynamically changes over time. The processor(s) present content as a stimulus to the user, and predict a predicted post-stimulus emotional state of the user, where the predicted post-stimulus emotional state of the user is predicted to be caused by the content being presented to the user, and where the predicted post-stimulus emotional state is dependent upon the real-time initial emotional state of the user. The processor(s) detect a real-time post-stimulus emotional state of the user. The processor(s) match the predicted post-stimulus emotional state of the user to the real-time post-stimulus emotional state of the user, and then authenticate the user and activate an access mechanism for a device.
Type: Grant
Filed: October 18, 2018
Date of Patent: September 7, 2021
Assignee: International Business Machines Corporation
Inventors: Susannah Shattuck, Annabella Cavello, Barak Krakauer, Ryan R. Anderson, Al Chakra, Hugh G. Kohl
-
Patent number: 11102177
Abstract: A method and a device for directing traffic are provided. The method includes: determining whether a tag of a to-be-sent data packet is the same as a reference tag configured in a preset matching rule; under situations where a determination result is that the tag of the to-be-sent data packet is not the same as the reference tag configured in the preset matching rule, configuring the to-be-sent data packet with the reference tag by redirecting the to-be-sent data packet; sending the to-be-sent data packet configured with the reference tag.
Type: Grant
Filed: November 16, 2016
Date of Patent: August 24, 2021
Assignee: WANGSU SCIENCE & TECHNOLOGY CO., LTD.
Inventors: Zidao Fan, Hong Chen