Patents Examined by Henry Tsang
-
Patent number: 11695747
Abstract: Disclosed are various approaches for extending a single sign-on (SSO) session to multiple devices. If a device is enrolled as a managed device with a management service, an SSO session can be extended to the device if the user has previously authenticated with an identity provider from another device. The user is authenticated on the second device using a user-and-device token issued by the management service with which the device is enrolled as a managed device.
Type: Grant
Filed: October 25, 2021
Date of Patent: July 4, 2023
Assignee: VMware, INC.
Inventors: Jitender Singh Chauhan, Pinaki Sankar Kabiraj, Sameer Madhu Nadagouda, Mayank Joshi
-
Patent number: 11683299
Abstract: The present embodiments relate to providing near real-time communications from a public network to a private network. A first computing device in a public network can obtain data packets to be provided to the private network from an application executing on the first computing device. A trust module executed by the first computing device can authenticate the user, application, and the data packets to be provided to the private network and add metadata relating to the sending user, recipient user, etc. The data packets can be forwarded to the private network via a cross-domain system (CDS). The metadata and the digital signature on the data packets can be verified by a trust module executing on a second computing device in the private network. The second computing device can receive the data packets and store the data packets for subsequent actions to be performed in the private network.
Type: Grant
Filed: March 8, 2021
Date of Patent: June 20, 2023
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Thomas Werner Kuehnel, Joseph Neil Garfinkel
-
Patent number: 11677739
Abstract: The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker with an identity provider is initiated. The broker is a first application that is executing in a top-level frame. At the broker, from a second application that is executing on a first descendent frame that is a descendant frame of the top-level frame, a token request is received. Via the broker, a first token is requested from the identity provider on behalf of the second application. The first token is associated with an authorization of secure delegated remote access of at least one resource by the second application. At the broker, from the identity provider, the first token is received. Via the broker, the first token is provided to the second application.
Type: Grant
Filed: June 25, 2021
Date of Patent: June 13, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Hirsch Patrick Singhal, Pavel Michailov, Jason Donchey Nutter, Adrian Frei, William Alden Bartlett, Thomas Lyle Norling, Shiung-Vei Yong, Prithviraj Sanjeev Kanherkar
-
Patent number: 11677728
Abstract: One or more aspects described herein provide methods and systems for authoritatively confirming that a recipient is an intended recipient to receive personal data, and to securely transmit the personal data to the intended recipient, when both the sender and receiver are operating in a trustless ecosystem such as that used with blockchain technology. A computing device may receive an indication of a blockchain address used, by a sender computing device and via a blockchain, to send one or more virtual assets. The computing device may store an association between the blockchain address and the recipient. The computing device may send, to the sender computing device and in response to a query comprising the blockchain address, an indication of the recipient. The indication may be configured to cause the sender computing device to send, to the recipient, personal data associated with an owner of the one or more virtual assets.
Type: Grant
Filed: August 31, 2021
Date of Patent: June 13, 2023
Assignee: Coinbase, Inc.
Inventors: Abhilash Jayakumar, Harrison Dahme, Nishil Shah, Morgan Roman, Zachary Blacher
-
Patent number: 11671248
Abstract: A computer system and a method are provided for storage and distribution of encryption keys in sequence. Encryption keys, such as public keys, are provided key pointers as properties, the key pointer indicating another key, to thereby form a sequence. A current key is designated, and the sequence is advanced to a successor key indicated by the key pointer of the current key upon a predetermined succession event. The current key is transmitted upon receipt of a key request. In various embodiments, succession events can include occurrence of an expiration date, or the addition of a new key to the sequence.
Type: Grant
Filed: November 16, 2020
Date of Patent: June 6, 2023
Assignee: Wildfi Pty Ltd
Inventor: Mark Rodney Anson
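A worked model of the key sequence described in this abstract, added here as an illustration (it is not Wildfi's code and makes no claim about their implementation): each stored key carries a pointer to its successor, a designated current key is returned on request, and the current key advances on a succession event, which is the expiry of the current key or, when the sequence is configured that way, the addition of a new key. The class and field names, the rule that a successor must outlive its predecessor, and the random bytes standing in for public keys are assumptions made for the example.

```python
# Added example (not Wildfi's code): a key sequence whose keys point at their
# successor, with a current key that advances on a succession event (expiry of
# the current key, or optionally the addition of a new key). Key material is
# random bytes standing in for public keys; names and validation rules are
# assumptions for illustration.
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass
class SequencedKey:
    key_id: str
    public_key: bytes
    expires_at: int                      # epoch seconds
    next_key_id: Optional[str] = None    # the "key pointer" to the successor


class KeySequence:
    def __init__(self, advance_on_add: bool = False) -> None:
        # advance_on_add=True models "addition of a new key" as a succession
        # event; False models pre-staged keys that only take over at expiry.
        self.advance_on_add = advance_on_add
        self.keys: dict[str, SequencedKey] = {}
        self.head_id: Optional[str] = None
        self.tail_id: Optional[str] = None
        self.current_id: Optional[str] = None

    def add_key(self, key_id: str, public_key: bytes, expires_at: int) -> None:
        """Append a key and point the previous tail at it."""
        if key_id in self.keys:
            raise ValueError(f"duplicate key id {key_id}")
        if self.tail_id is not None and expires_at <= self.keys[self.tail_id].expires_at:
            raise ValueError("successor must outlive its predecessor")   # assumed rule
        self.keys[key_id] = SequencedKey(key_id, public_key, expires_at)
        if self.tail_id is None:
            self.head_id = self.current_id = key_id
        else:
            self.keys[self.tail_id].next_key_id = key_id
            if self.advance_on_add:
                self._advance_one()
        self.tail_id = key_id

    def _advance_one(self) -> bool:
        cur = self.keys[self.current_id]
        if cur.next_key_id is None:
            return False
        self.current_id = cur.next_key_id
        return True

    def current_key(self, now: int) -> SequencedKey:
        """Serve a key request, first applying any expiry-driven succession."""
        if self.current_id is None:
            raise LookupError("sequence is empty")
        # An expired current key hands over to its successor, repeatedly if needed.
        while now >= self.keys[self.current_id].expires_at and self._advance_one():
            pass
        cur = self.keys[self.current_id]
        if now >= cur.expires_at:
            raise LookupError(f"key {cur.key_id} expired and has no successor")
        return cur

    def walk(self) -> list[str]:
        """Follow the pointers from the head; a well-formed sequence has no cycle."""
        order, seen, kid = [], set(), self.head_id
        while kid is not None:
            if kid in seen:
                raise RuntimeError("cycle in key sequence")
            seen.add(kid)
            order.append(kid)
            kid = self.keys[kid].next_key_id
        return order
```

The practical check this adds over the abstract is the last branch of current_key: when the current key has expired and nothing points past it, the server refuses rather than handing out a stale key, which is the failure mode a relying party would otherwise never notice.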
-
Patent number: 11665006
Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate, and matches that with the user identification data stored in a database.
Type: Grant
Filed: February 26, 2021
Date of Patent: May 30, 2023
Assignee: Beyond Identity Inc.
Inventors: Nelson Melo, Michael Clark, James Clark
-
Patent number: 11658812
Abstract: A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
Type: Grant
Filed: September 29, 2022
Date of Patent: May 23, 2023
Assignee: CLOUDFLARE, INC.
Inventors: Derek Chamorro, Michael Pak, Ignat Korchagin, Chase Robinson
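The request path described in this abstract, modelled as an added example (not Cloudflare's code, and not a description of how their KMS is built): a central server replicates managed keys to intermediates ahead of demand, an intermediate services any request for a key it holds, and on a miss it pulls the managed key from central, keeps it, and then services the request. The serviced action is HMAC-SHA256 signing and verification; the class names, key ids and the replication choice in the scenario are assumptions made for the example.

```python
# Added example (not Cloudflare's code): central KMS replicating managed keys
# to intermediates; an intermediate serves from its own copy or fetches a
# missing key from central first. The action is HMAC-SHA256 sign/verify; names,
# key ids and the replication policy are assumptions for illustration.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KmsRequest:
    key_id: str
    action: str          # "sign" or "verify"
    payload: bytes
    tag: bytes = b""     # only used by "verify"


class CentralKms:
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.fetches: list[tuple[str, str]] = []   # (intermediate, key_id) pulled on demand

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)

    def replicate(self, intermediates, key_ids) -> None:
        """Push managed keys to intermediates ahead of demand."""
        for node in intermediates:
            for kid in key_ids:
                node.install(kid, self._keys[kid])

    def fetch(self, requester: str, key_id: str) -> bytes:
        """Serve an intermediate's on-demand request for a key it lacks."""
        if key_id not in self._keys:
            raise KeyError(f"unknown managed key {key_id}")
        self.fetches.append((requester, key_id))
        return self._keys[key_id]


class IntermediateKms:
    def __init__(self, name: str, central: CentralKms) -> None:
        self.name = name
        self.central = central
        self._keys: dict[str, bytes] = {}

    def install(self, key_id: str, key: bytes) -> None:
        self._keys[key_id] = key

    def handle(self, req: KmsRequest):
        key = self._keys.get(req.key_id)
        if key is None:
            # Miss: pull the managed key from central, then service locally.
            key = self.central.fetch(self.name, req.key_id)
            self._keys[req.key_id] = key
        mac = hmac.new(key, req.payload, hashlib.sha256).digest()
        if req.action == "sign":
            return mac
        if req.action == "verify":
            return hmac.compare_digest(mac, req.tag)
        raise ValueError(f"unsupported action {req.action}")


def scenario() -> dict:
    """Constructed walk-through: two intermediates, one key pre-replicated."""
    central = CentralKms()
    central.create_key("k-edge")
    central.create_key("k-rare")
    east, west = IntermediateKms("east", central), IntermediateKms("west", central)
    central.replicate([east, west], ["k-edge"])

    msg = b"GET /api/v1/orders"
    tag = east.handle(KmsRequest("k-edge", "sign", msg))             # served locally
    verified = west.handle(KmsRequest("k-edge", "verify", msg, tag))  # any node can verify
    east.handle(KmsRequest("k-rare", "sign", msg))                   # miss -> fetch from central
    east.handle(KmsRequest("k-rare", "sign", msg))                   # now held locally, no fetch
    tampered = west.handle(KmsRequest("k-edge", "verify", msg + b"x", tag))
    return {"verified": verified, "tampered": tampered, "fetches": list(central.fetches)}
```

The fetch log is the part worth watching in a real deployment: every on-demand fetch widens the set of intermediates holding a given key, so the replication policy, not just the central server's access control, determines the blast radius of a compromised edge node.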
-
Patent number: 11659393
Abstract: Embodiments of the present invention disclose a method, an apparatus, and a system for establishing a security context and relates to the communications field, so as to comprehensively protect UE data. The method includes: acquiring an encryption algorithm of an access node; acquiring a root key and deriving, according to the root key and the encryption algorithm, an encryption key of the access node; sending the encryption key and the encryption algorithm to the access node, so that the access node starts downlink encryption and uplink decryption; sending the encryption algorithm of the access node to the UE so as to negotiate the encryption algorithm with the UE; and instructing the access node to start downlink encryption and uplink decryption and instructing, during algorithm negotiation, the UE to start downlink decryption and uplink encryption.
Type: Grant
Filed: September 24, 2020
Date of Patent: May 23, 2023
Assignee: Huawei Technologies Co., Ltd.
Inventors: Dongmei Zhang, Jing Chen
-
Patent number: 11657152
Abstract: A security engine may use event-stream processing and behavioral techniques to detect ransomware. The engine may detect process behavior associated with encrypting a file, encrypting a storage device, or disabling a backup file, and may assign a ransomware category to the process based thereon. The engine may initiate protection actions to protect system resources from the process, which may continue to execute. The engine may monitor the process for specific behavior corresponding to its ransomware category. Based on the extent to which such specific behavior is detected, the engine may determine that the process is not ransomware, assign a ransomware subcategory to the process, or adjust the process's threat score. Monitoring of the process may continue, and the threat score may be updated based on the process's behavior. If the threat score exceeds a threshold corresponding to the ransomware category (or subcategory), a corresponding policy action may be initiated.
Type: Grant
Filed: April 16, 2021
Date of Patent: May 23, 2023
Assignee: VMWare, Inc.
Inventors: Jeffrey Albin Kraemer, Adam Karol Malinowski
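The decision flow in this abstract, written out as a small event-stream engine. This is an added example, not VMware's code, and says nothing about how their engine is implemented: a process enters a ransomware category on a trigger behaviour (file encryption, volume encryption, disabling a backup), a protection action fires while the process keeps running, and the engine then scores category-specific behaviour, assigns a subcategory when a telltale behaviour appears, clears the process if such behaviour never follows, and applies a policy action once the score reaches the threshold of the category or, where one is defined, the subcategory. The event names, weights, thresholds, clearing window and the sample stream are all constructed for the example.

```python
# Added example (not VMware's code): event-stream ransomware engine in the
# shape the abstract describes. Event names, weights, thresholds, the clearing
# window and the sample stream are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    pid: int
    kind: str


# Behaviour that assigns a ransomware category.
TRIGGERS = {"file_encrypt": "file_encryptor",
            "volume_encrypt": "disk_encryptor",
            "backup_disable": "backup_killer"}
# Category-specific follow-on behaviour and its threat-score weight.
SPECIFIC = {"file_encryptor": {"rename_ext": 20, "mass_write": 15, "ransom_note": 40},
            "disk_encryptor": {"mbr_write": 60, "boot_config_change": 30},
            "backup_killer": {"vss_delete": 50, "backup_service_stop": 30}}
SUBCATEGORY = {"ransom_note": "locker_with_note", "mbr_write": "bootlocker"}
THRESHOLD = {"file_encryptor": 90, "disk_encryptor": 80, "backup_killer": 70}
SUB_THRESHOLD = {"locker_with_note": 60}   # a subcategory may lower the bar
CLEAR_AFTER = 5   # consecutive events with no category-specific behaviour


@dataclass
class Tracked:
    category: str
    subcategory: Optional[str] = None
    score: int = 0
    quiet: int = 0
    verdict: Optional[str] = None               # "ransomware" | "not_ransomware"
    actions: list[str] = field(default_factory=list)


class RansomwareEngine:
    def __init__(self) -> None:
        self.tracked: dict[int, Tracked] = {}

    def process(self, ev: Event) -> Optional[str]:
        """Consume one event; return the action taken, if any."""
        t = self.tracked.get(ev.pid)
        if t is None:
            cat = TRIGGERS.get(ev.kind)
            if cat is None:
                return None                      # untracked process, benign event
            t = self.tracked[ev.pid] = Tracked(category=cat)
            # Protect resources (e.g. snapshot or lock protected paths) without
            # killing the process, which keeps running under observation.
            action = f"protect:{cat}"
            t.actions.append(action)
            return action
        if t.verdict is not None:
            return None                          # decision already made
        weight = SPECIFIC[t.category].get(ev.kind)
        if weight is None:
            t.quiet += 1
            if t.quiet >= CLEAR_AFTER:           # expected behaviour never came
                t.verdict = "not_ransomware"
                t.actions.append("clear")
                return "clear"
            return None
        t.quiet = 0
        t.score += weight
        if ev.kind in SUBCATEGORY:
            t.subcategory = SUBCATEGORY[ev.kind]
        limit = SUB_THRESHOLD.get(t.subcategory, THRESHOLD[t.category])
        if t.score >= limit:
            t.verdict = "ransomware"
            t.actions.append("policy:terminate")
            return "policy:terminate"
        return None

    def run(self, events) -> dict[int, Tracked]:
        for ev in events:
            self.process(ev)
        return self.tracked


# Constructed sample stream: 101 behaves like a file locker, 202 is a backup
# tool that encrypts once and then stays quiet, 303 goes after the boot path.
SAMPLE_EVENTS = [
    Event(101, "file_encrypt"), Event(202, "file_encrypt"), Event(303, "volume_encrypt"),
    Event(101, "rename_ext"), Event(202, "file_read"), Event(303, "mbr_write"),
    Event(101, "rename_ext"), Event(202, "file_read"), Event(202, "file_read"),
    Event(101, "ransom_note"), Event(202, "file_read"), Event(202, "file_read"),
    Event(303, "boot_config_change"), Event(404, "file_read"),
]
```

Two details matter in practice. The "clear" verdict should also lift the earlier protection action, otherwise a legitimate backup agent that triggered the engine stays throttled; and a clearing window counted in events rather than time lets a slow encryptor sit below the radar by interleaving benign activity, so a production engine would bound the window in both.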
-
Patent number: 11647009
Abstract: Embodiments of the present invention provide an index establishment method and device. The method can include receiving an access request sent by the client, the access request including a uniform resource locator (URL) and parameter information; determining a target service type of the access request according to the URL and the parameter information; converting the access request according to the target service type; and sending the converted access request to a server corresponding to the target service type.
Type: Grant
Filed: June 7, 2018
Date of Patent: May 9, 2023
Assignee: Alibaba Group Holding Limited
Inventors: Xin Liu, Zhaowei He, Tingliang Chen
-
Patent number: 11647013
Abstract: A system and method of encrypting data via public key cryptography with certificate verification of target. The method includes receiving an unsigned certificate signing request (CSR) for a second digital certificate associated with a second application executing on a second client device. The method includes signing, by a processing device of a secret sharing management (SSM) system, the unsigned CSR using a second private key associated with the second client device to generate a signed CSR, the second private key is inaccessible to the second client device. The method includes generating a second digital certificate associated with the second application based on the signed CSR and a different private key associated with the SSM system. The method includes causing the second digital certificate associated with the second application to be stored in a shared data storage available to a first client device.
Type: Grant
Filed: October 28, 2022
Date of Patent: May 9, 2023
Assignee: Snowflake Inc.
Inventors: Alexander Hess, Joshua Vittum Makinen
-
Patent number: 11632358
Abstract: A system and method for homomorphic encryption in a healthcare network environment is provided and includes receiving digital data over the healthcare network at a data custodian server in a plurality of formats from various data sources, encrypting the data according to a homomorphic encryption scheme, receiving a query at the data custodian server from a data consumer device concerning a portion of the encrypted data, initiating a secure homomorphic work session between the data custodian server and the data consumer device, generating a homomorphic work space associated with the homomorphic work session, compiling, by the data custodian server, a results set satisfying the query, loading the results set into the homomorphic work space, and building an application programming interface (API) compatible with the results set, the API facilitating encrypted analysis on the results set in the homomorphic work space.
Type: Grant
Filed: July 26, 2022
Date of Patent: April 18, 2023
Assignee: NANTHEALTH, INC.
Inventors: Patrick Soon-Shiong, Harsh Kupwade-Patil, Ravi Seshadri, Nicholas J. Witchey
-
Patent number: 11632369
Abstract: A method for using the active connection of connected devices for additional security in the conveyance of sensitive data from a computing device includes: storing sensitive data; storing one or more device identifiers, wherein each device identifier is associated with a connected device separate from the computing device; receiving a user instruction requesting use of the sensitive data; detecting one or more active communication channels between the computing device and external connected devices; identifying, for each of the detected one or more active communication channels, a device identifier associated with the respective external connected device; verifying that at least one of the identified device identifiers is included in the one or more stored device identifiers; and transmitting the sensitive data after the verification.
Type: Grant
Filed: January 29, 2019
Date of Patent: April 18, 2023
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Nishant Maheshwari, Shreya Mittal, Shubham Bijawat
-
Patent number: 11616767
Abstract: Systems and methods for encrypted storage device telemetry data are described. Storage device telemetry data may be collected for a telemetry message, such as a non-volatile memory express (NVMe) telemetry command, and encrypted using a first encryption key. The first encryption key may be encrypted using one or multiple second encryption keys and the encrypted first encryption key may be added to the telemetry message. A client system may receive the telemetry message, decrypt the encrypted first encryption key, and use the first encryption key to decrypt the encrypted storage device telemetry data.
Type: Grant
Filed: February 23, 2021
Date of Patent: March 28, 2023
Assignee: Western Digital Technologies, Inc.
Inventors: Daniel Helmick, Timothy Hallett
-
Patent number: 11614871
Abstract: A system and method for flexible writing of internal data of a regulated system can include generating a flexible write instruction, providing the flexible write instruction to the regulated system, and storing or committing data changes to the regulated system outside of the normal system operations, during runtime.
Type: Grant
Filed: September 18, 2019
Date of Patent: March 28, 2023
Assignee: GE Aviation Systems LLC
Inventors: Joachim Karl Ulf Hochwarth, Antonio Lugo Trejo, Víctor Mario Leal Herrera, Terrell Michael Brace, Christian Reynolds Decker
-
Patent number: 11601278
Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The processor is configured to establish, over a communication network of a power system, a communication link according to a media access control security (MACsec) Key Agreement (MKA). The IED receives a plurality of access control secure association keys (SAKs) via the communication link. The IED receives one or more checked-out SAKs indicating a request to access the IED. The IED allows access based on the one or more checked-out access control SAKs matching at least one of the plurality of access control SAKs.
Type: Grant
Filed: March 25, 2021
Date of Patent: March 7, 2023
Assignee: Schweitzer Engineering Laboratories, Inc.
Inventors: Colin Gordon, Timothy J. Watkins, Paul Stoaks, Duane C. Skelton, Dennis Gammel
-
Patent number: 11601270
Abstract: Methods for rotating cryptographic keys to revoke access to encrypted data stored on a remote server. Obtaining a first cryptographic key from a key store. Generating a second cryptographic key at a user device. Obtaining a first chunk of data from an encrypted file stored on the remote server. Decrypting the first chunk of data using the first cryptographic key to provide a decrypted first chunk of data. Re-encrypting the decrypted first chunk of data using the second cryptographic key to provide a re-encrypted first chunk of data. Uploading the re-encrypted first chunk of data to the remote server from non-persistent storage. Repeating the steps until an entire encrypted file has been decrypted and re-encrypted. Combining all the re-encrypted chunks of the encrypted file to provide a reassembled encrypted file that is associated with the second cryptographic key. Updating the remote server with the reassembled encrypted file associated with the second cryptographic key.
Type: Grant
Filed: September 26, 2022
Date of Patent: March 7, 2023
Inventor: Justas Rafanavičius
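One added example serving two abstracts on this page: the encrypted telemetry message of 11616767 above (telemetry encrypted under a first key, that key wrapped under one or more second keys and carried in the message) and the chunk-by-chunk key rotation of 11601270 directly above. It is not Western Digital's code, nor the 11601270 inventor's, and claims nothing about either implementation. To run with the standard library alone, the cipher is a toy encrypt-then-MAC built from an HMAC-SHA256 keystream and an HMAC tag; it stands in for a real AEAD such as AES-GCM and is not for production use. The function names, the 64-byte chunk size, the recipient ids and the sample telemetry string are assumptions made for the example.

```python
# Added example (not Western Digital's or the 11601270 inventor's code) for
# two abstracts: envelope-encrypted telemetry (11616767) and chunked key
# rotation (11601270). The cipher is a TOY encrypt-then-MAC from HMAC-SHA256,
# standing in for a real AEAD (e.g. AES-GCM); names, chunk size and sample
# data are assumptions for illustration.
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN, CHUNK = 16, 32, 64


def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">Q", ctr), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy AEAD: nonce || (plaintext XOR PRF keystream) || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key -> ValueError."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


# --- 11616767: telemetry under a data key, data key wrapped per recipient ----
def build_telemetry_message(telemetry: bytes, recipient_keks: dict[str, bytes]) -> dict:
    dek = secrets.token_bytes(32)                    # the "first encryption key"
    return {"payload": seal(dek, telemetry),
            "wrapped_keys": {rid: seal(kek, dek) for rid, kek in recipient_keks.items()}}


def read_telemetry_message(msg: dict, recipient_id: str, kek: bytes) -> bytes:
    dek = open_(kek, msg["wrapped_keys"][recipient_id])   # unwrap with a "second key"
    return open_(dek, msg["payload"])


# --- 11601270: rotate a remotely stored file to a new key, chunk by chunk ----
def encrypt_file(key: bytes, data: bytes) -> list[bytes]:
    return [seal(key, data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def rotate_file(old_key: bytes, new_key: bytes, remote_chunks: list[bytes]) -> list[bytes]:
    """Decrypt each chunk with the old key and re-encrypt with the new one,
    holding a single plaintext chunk at a time; returns the reassembled file."""
    rekeyed = []
    for chunk in remote_chunks:
        plain = open_(old_key, chunk)
        rekeyed.append(seal(new_key, plain))
        del plain                                    # never written to persistent storage
    return rekeyed


def decrypt_file(key: bytes, chunks: list[bytes]) -> bytes:
    return b"".join(open_(key, c) for c in chunks)
```

Two caveats a practitioner would attach. Rotation of this kind revokes future reads of the server's copy; a party who already held the first key and a copy of the old ciphertext keeps what they had, so the old ciphertext must also be destroyed server-side. And because each chunk is sealed independently, nothing here detects a chunk being reordered, dropped or swapped in from another file; a production version would bind the file id and chunk index into the authenticated data of each chunk.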
-
Patent number: 11563582
Abstract: A security platform architecture is described herein. The security platform architecture includes multiple layers and utilizes a combination of encryption and other security features to generate a secure environment.
Type: Grant
Filed: December 10, 2019
Date of Patent: January 24, 2023
Assignee: Winkk, Inc.
Inventors: Robert O. Keith, Jr., Bradley E. Gray
-
Patent number: 11552949
Abstract: A shared terminal includes: circuitry to control a display to display an image to a plurality of users, the plurality of users sharing a use of the shared terminal, and obtain, from a first privately-owned terminal owned by a first user of the plurality of users, first terminal identification information for identifying the first privately-owned terminal; a transmitter to transmit, to a terminal management server, an authentication request for authenticating the first privately-owned terminal to allow login of the first user into the shared terminal, the authentication request including the first terminal identification information of the first privately-owned terminal; and a receiver to receive an authentication result indicating whether the first privately-owned terminal is authenticated to allow login of the first user, from the terminal management server.
Type: Grant
Filed: April 7, 2020
Date of Patent: January 10, 2023
Assignee: RICOH COMPANY, LTD.
Inventors: Shiho Katsuragi, Yoshinaga Kato
-
Patent number: 11550933
Abstract: This disclosure relates to, among other things, electronic device security systems and methods. Certain embodiments disclosed herein provide for protection of cryptographic keys and/or associated operations using both an operating system security service and a software-based whitebox cryptographic security service executing on a device. Leveraging operating system security services and software-based whitebox cryptographic security services may provide enhanced security when compared to using either service alone to protect cryptographic keys and associated operations. In additional embodiments, server-side cryptographic security solutions may be further used to enhance device security implementations.
Type: Grant
Filed: March 9, 2021
Date of Patent: January 10, 2023
Assignee: Intertrust Technologies Corporation
Inventors: Yutaka Nagao, Stephen G. Mitchell, Vishisht Tiwari, Rohaan Advani