Patents Examined by Hee K Song
  • Patent number: 11824974
    Abstract: Aspects of the invention include channel key loading of a host bus adapter (HBA) based on a secure key exchange (SKE) authentication response by a responder node of a computing environment. A non-limiting example computer-implemented method includes receiving an authentication response message at an initiator channel on an initiator node from a responder channel on a responder node to establish a secure communication, the receiving at a local key manager (LKM) executing on the initiator node. A state check can be performed based on a security association of the initiator node and the responder node. An identifier of a selected encryption algorithm can be extracted from the authentication response message. The initiator channel can request to communicate with the responder channel based at least in part on a successful state check and the selected encryption algorithm.
    Type: Grant
    Filed: September 16, 2021
    Date of Patent: November 21, 2023
    Assignee: International Business Machines Corporation
    Inventors: Mooheng Zee, Richard Mark Sczepczenski, John R. Flanagan, Christopher J. Colonna
  • Patent number: 11811925
    Abstract: The present disclosure relates to systems and methods for a machine-learning platform for the safe serialization of a machine-learning application. Individual library components (e.g., a pipeline, a microservice routine, a software module, and an infrastructure model) can be encrypted using one or more keys. The keys can be stored in a location different from the storage location of the machine-learning application. Prior to incorporation of the library component into a machine-learning model, one or more keys can be retrieved from the remote storage location to authenticate that the one or more encrypted library components are authentic. The process can reject any of the one or more components when the encrypted library component fails authentication. If a component is rejected, the system can roll back to a previous, authenticated version of the library component. The authenticated library components can be compiled into machine-learning software.
    Type: Grant
    Filed: September 12, 2020
    Date of Patent: November 7, 2023
    Assignee: Oracle International Corporation
    Inventors: Alberto Polleri, Sergio Aldea Lopez, Marc Michiel Bron, Dan David Golding, Alexander Ioannides, Maria del Rosario Mestre, Hugo Alexandre Pereira Monteiro, Oleg Gennadievich Shevelev, Larissa Cristina Dos Santos Romualdo Suzuki, Xiaoxue Zhao, Matthew Charles Rowe
  • Patent number: 11804959
    Abstract: A device, method, and computer readable storage medium generate a biometric public key for an individual based on both the individual's biometric data and a secret, in a manner that verifiably characterizes both while tending to prevent recovery of either by anyone other than the individual. The biometric public key may be later used to authenticate a subject purporting to be the individual, using a computing facility that need not rely on a hardware root of trust. Such biometric public keys may be distributed without compromising the individual's biometric data. In operation, a confident subset of a set of biometric values of the subject is extracted, including by performing a transform of the set of biometric values. The transform may variously be a Gabor transform, a wavelet transform, processing by a machine learning system, etc.
    Type: Grant
    Filed: September 7, 2021
    Date of Patent: October 31, 2023
    Assignee: Badge Inc.
    Inventors: Charles H. Herder, III, Tina P. Srivastava
  • Patent number: 11799671
    Abstract: Digital certificates are signed by a server's private key and installed at lock controllers that restrict access to physical resources. The server's public key is distributed to lock controllers and to wireless mobile devices operated by users who are given access to primary locks which secure access to physical resources, and secondary locks, which retain the primary locks within operable vicinity to the physical resources. Additionally, tertiary locks may secure access to internal components of the primary or secondary locks. When a wireless mobile device enters the vicinity of a lock controller, the digital certificate of the lock controller is used as the basis for encrypted communications between the wireless mobile device and the lock controller. Wireless mobile devices may be used to gather evidence of integrity of the locks after use. Lock controllers may be powered by energy harvesting devices.
    Type: Grant
    Filed: March 22, 2021
    Date of Patent: October 24, 2023
    Assignee: SERA4 LTD.
    Inventors: David Coode, Daniel Galeano, Jerod Klink, Raj Mody, Andrew Kuikman
  • Patent number: 11790097
    Abstract: Aspects herein relate to storing information concerning rights and liabilities or other records on distributed ledgers. A method disclosed can include identifying a transferor blockchain associated with rights and liabilities for transfer from a transferor to an acquirer, identifying an acquirer blockchain associated with the acquirer, creating an interim blockchain including the rights and liabilities, generating entries to the transferor blockchain removing the rights and liabilities, and generating entries to the acquirer blockchain adding the rights and liabilities. Another method disclosed can include identifying a critical record of a party, identifying a blockchain associated with the party, and generating an entry on the blockchain associated with the critical record, the entry having permissions related to at least the party.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: October 17, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Gopinath Rangan, John C. Hopkins, III
  • Patent number: 11775661
    Abstract: There are provided systems and methods for limiting device functionality based on data detection and processing. A user computing device may include sensitive or confidential data and/or processes that utilize such data that a malicious party may wish to abuse, such as an electronic transaction processing application that uses financial data of a user. The device may therefore be compromised by the malicious party if the device becomes accessible to that party. The device may utilize one or more processes to detect device data determine data proximate to the device and/or contextual data in order to determine whether limitations on application processes are required based on the potential nearby risk. If the nearby risk indicates the device application processes may be in danger, the device may impose limitations on the processes and/or wipe data. The device may also alert other devices or nearby users.
    Type: Grant
    Filed: April 20, 2021
    Date of Patent: October 3, 2023
    Assignee: PAYPAL, INC.
    Inventor: Rahul Nair
  • Patent number: 11777746
    Abstract: To provide a mutual authentication system which is not required to erase master key when a slave device is replaced. The storage part stores a temporary key which is key data used temporarily and a master key which is key data used for authentication. The storage part stores the temporary key. The key confirmation unit inquires whether the slave device stores the master key. The key confirmation response unit confirms whether the master key has already been stored in the storage part for an inquiry from the master device and responds. The key introduction unit encrypts the master key by using the temporary key and transmits to the slave device. The key storage unit decrypts the encrypted master key by using the temporary key and stores in the storage part. The main authentication unit and the sub-authentication unit authenticate with each other by using the master key.
    Type: Grant
    Filed: June 6, 2019
    Date of Patent: October 3, 2023
    Assignee: NIDEC SANKYO CORPORATION
    Inventor: Kazuto Saeki
  • Patent number: 11766570
    Abstract: Embodiments described herein relate to implantable medical devices (IMDs) and methods for use therewith. Such a method includes, during each of a plurality of message alert periods during which a communication capability of the IMD is enabled, determining whether a valid message is detected. In response to determining that no valid message was detected during a message alert period, the communication capability of the IMD is temporarily disabled for a disable period. A length of the disable period may be increased in response to no valid message being detected during two consecutive message alert periods. A length of the disable period may be dependent on an operational mode of the IMD, such that the length of the disable period differs for different operational modes. The IMD may also enter a noise state, and remain in the noise state until the IMD receives a specified number of valid messages.
    Type: Grant
    Filed: July 20, 2021
    Date of Patent: September 26, 2023
    Assignee: Pacesetter, Inc.
    Inventors: Matthew G Fishler, Benjamin T. Persson, Suresh Gurunathan
  • Patent number: 11768935
    Abstract: A system and methodology for preventing extraction of an authentication credential from a memory in a computer. The system and methodology include identifying a memory area used by a native process, monitoring the memory area for any access of the memory area by a process, detecting when data is being read from the memory area, detecting an amount of data being read from the memory area, comparing the amount of data being read from the memory area to a data amount threshold value, and blocking access to the memory area or terminating said process when the amount of data being read from the memory area reaches or exceeds the data amount threshold. The native process can include a Windows® operating system lsass.exe process.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: September 26, 2023
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventor: Urfan Ahmed
  • Patent number: 11741218
    Abstract: A hashed fried password method includes receiving a password value, a global pepper value and fry values; generating a random salt value and selecting a fry value; generating a fried password; and authenticating the user when a hashed fried password value matches a candidate hash. The method may include receiving the fried password and/or salt. A system includes a processor and a memory storing instructions that, when executed by the processor, cause the system to receive a password value, a global pepper value and fry values; receive a hashed fried password value and salt value; apply a hashing function; and authenticate the user when the hashed fried password value matches a candidate.
    Type: Grant
    Filed: February 16, 2021
    Date of Patent: August 29, 2023
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventor: Kenneth J. Sanchez
  • Patent number: 11736764
    Abstract: Techniques related to securely providing artificial intelligence inference on protected video content in a vision processing unit are discussed. Such techniques include decrypting encrypted video via a neural network processor of the vision processing unit by providing the neural network processor direct memory access to a security engine of the vision processing unit and applying a machine learning model to the decrypted video content using the neural network processor such that a host and other components of the vision processing unit do not have access to the decrypted video content.
    Type: Grant
    Filed: September 13, 2019
    Date of Patent: August 22, 2023
    Assignee: Intel Corporation
    Inventors: Nee Shen Ho, Tong Liang Chew
  • Patent number: 11736518
    Abstract: Systems, methods, and devices of the various embodiments may enable the reduction of the impact of Border Gateway Protocol (BGP) hijacks by automatically announcing more-specific route prefixes when a netblock is hijacked. In various embodiments, the more-specific route prefixes may be automatically withdrawn when the netblock hijacking stops.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: August 22, 2023
    Assignee: Charter Communications Operating, LLC
    Inventor: Richard Compton
  • Patent number: 11727102
    Abstract: There are described computer-implemented methods of obtaining a user input. A first such method comprises: (a) providing access to video content, the video content representing a user interface including a plurality of elements for selection by a user; (b) playing a first portion of the video content to the user; (c) detecting a first user interaction occurring in response to the played first portion of the video content; and (d) determining a first element selected by the user based on one or more properties of the detected first user interaction.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: August 15, 2023
    Assignee: Irdeto B.V.
    Inventors: Annie Liu, Wim Mooij, Sunitha Ramakrishna, Catherine Chambers
  • Patent number: 11720270
    Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block compression and encryption is performed at the client, and deduplication is performed at the server. Security is thus enhanced as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored in potentially a third-party backup system. Provisions are made to enable addition of new compression algorithms and for retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported, e.g., retired, compression algorithm. In some examples a compression algorithm ID is tied to an encryption key version to enable refresh of blocks compressed with old algorithm.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: August 8, 2023
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Senthil Ponnuswamy, Charles W. Kaufman, Radia J. Perlman
  • Patent number: 11720716
    Abstract: A method of processing data includes at least one processor accessing a data storage unit, the data storage unit providing at least one input data object and at least one transmutation command to be performed on the at least one input data object. The at least one transmutation command operates in a forward mode on the at least one input data object to produce at least one output data object to be stored in a data storage unit.
    Type: Grant
    Filed: April 16, 2021
    Date of Patent: August 8, 2023
    Assignee: NUTS HOLDINGS, LLC
    Inventor: Yoon Ho Auh
  • Patent number: 11711393
    Abstract: A method may include obtaining a request to unblock a predetermined website in a network and that is associated with a predetermined list. The predetermined list may be used to determine whether a respective user device among various user devices can access one or more websites. The method may further include determining an impact level of the predetermined website for an organization using a machine-learning algorithm and website gateway data. The method may further include determining a probability of a security breach using the machine-learning algorithm and threat data. The method may further include determining whether to unblock the predetermined website based on the impact level and the probability of a security breach. The method may further include transmitting, in response to determining that the predetermined website should be unblocked, a command that modifies the predetermined list to enable the respective user device to access the predetermined website.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: July 25, 2023
    Assignee: SAUDI ARABIAN OIL COMPANY
    Inventors: Ibrahim Uthman Assiry, Sultan Saadaldean Alsharif, John A. Gwilliams, Nada Essa Alnoaimi
  • Patent number: 11706258
    Abstract: A segmentation server updates enforcement of a segmentation policy based on detection of core services. The segmentation server obtains characteristics of workloads and identifies workloads that provide core services using port matching, supervised learning based classification, semi-supervised learning based classification, or a combination thereof. The segmentation server applies labels to workloads identified as core service providers indicative of the detection. Rules of the segmentation are distributed to enforcement modules based on the label sets of associated workloads to enable the enforcement modules to enforce the segmentation policy. Detection of core services reduces the likelihood of an administrator inadvertently enforcing a policy that blocks essential core services.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: July 18, 2023
    Assignee: Illumio, Inc.
    Inventors: Paul James Kirner, Pallavi Tyagi
  • Patent number: 11706015
    Abstract: A method for side-channel attack mitigation in streaming encryption includes reading an input stream into a decryption process, extracting an encryption envelope having a wrapped key, a cipher text, and a first message authentication code (MAC) from the input stream, generating a second MAC using the wrapped key of the encryption envelope, and performing decryption of the cipher text in constant time by determining whether the encryption envelope is authentic by comparing the first MAC extracted from the encryption envelope and the second MAC generated using the wrapped key.
    Type: Grant
    Filed: October 27, 2021
    Date of Patent: July 18, 2023
    Assignee: Google LLC
    Inventor: Adam Markowitz
  • Patent number: 11671245
    Abstract: Disclosed herein are a system on chip, a method of operating the system on chip, and an electronic device including the system on chip that execute artificial intelligence (AI) algorithms and/or machine learning algorithms in a 5G environment connected for Internet of Things in order to prevent an artificial intelligence product from being surreptitiously used, replaced, or modified by an attacker.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: June 6, 2023
    Assignee: LG ELECTRONICS INC.
    Inventors: Sang Hee Lee, Youn Ki Ku, Sung Min Park, Mark Dong Yeon Shin, Je Min Woo, Ki Young Lee
  • Patent number: 11652606
    Abstract: A stacked-substrate advanced encryption standard (AES) integrated circuit device is described in which at least some circuits associated with logic functions (e.g., AES encryption operations, memory cell access and control) are provided on a first substrate. Memory arrays used with the AES integrated circuit device (sometimes referred to as “embedded memory”) are provided on a second substrate stacked on the first substrate, thus forming an AES integrated circuit device on a stacked-substrate assembly. Vias are fabricated to pass through the second substrate, into a dielectric layer between the first substrate and the second substrate, and electrically connect to conductive interconnections of the AES logic circuits.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: May 16, 2023
    Assignee: Intel Corporation
    Inventors: Abhishek A. Sharma, Willy Rachmady, Ravi Pillarisetty, Gilbert Dewey, Jack T. Kavalieros