Abstract: Techniques are provided for computing with private healthcare data. The techniques include a de-identification method including receiving a text sequence; providing the text sequence to a plurality of entity tagging models, each of the plurality of entity tagging models being trained to tag one or more portions of the text sequence having a corresponding entity type; tagging one or more entities in the text sequence using the plurality of entity tagging models; and obfuscating each entity among the one or more tagged entities by replacing the entity with a surrogate, the surrogate being selected based on one or more attributes of the entity and maintaining characteristics similar to the entity being replaced.

Abstract: Disclosed are systems and methods for personalized care management. A plurality of user devices corresponding to a plurality of authorized caregivers are configured to provide input data to a processing module 1004. The input data is associated with an actionable item being performed for at least one care receiver, wherein the actionable item includes one of: a scheduled actionable item and a non-scheduled actionable item. The processing module 1004 receives, the at least one input data based on the scheduled actionable item and the non-scheduled actionable item. A profile of the at least one care receiver is updated based on the received at least one input data, and thereafter stored in a database 1010. The plurality of authorized caregivers is facilitated to access the stored updated profiles of the at least one care receiver for further analysis.

Abstract: In one example method for generating an access stratum key in a communication system, a terminal device acquires an input parameter, where the terminal device is communicably coupled to a first network-side device through a first air interface and at the same time is communicably coupled to a second network-side device through a second air interface. The terminal device has access to a core network via the first network-side device, and has access to the core network via the second network-side device which has access to the core network through the first network-side device. The terminal device calculates an access stratum root key of the second air interface according to the input parameter and an access stratum root key of the first air interface, and generates an access stratum key of the second air interface according to the access stratum root key of the second air interface.

Abstract: Disclosed are examples of searching for content associated with multiple applications. In various examples, a first application can obtain a search query and maintain a list of applications available to provide content. The first application can send a request to a second application identified in the list, the request including a key that indicates the first application is authorized to request the second application to search for content. The first application can obtain a search result from the second application based on the request and present the search result in a user interface in the first application.

Abstract: A method, system and computer program product relating to an application server operable to manage a microservice-based application, i.e. app, on behalf of clients, the clients being available for use by system actors who may be, for example, end users, bots, developers or other apps. A permissions validator is used to compute effective permissions in response to client requests. The requests are granted or denied conditional on the effective permissions being at least a subset of the permissions required to be given by any of the app's microservices that are needed for the resource being requested. The effective permissions are computed from an intersection of a set of actor permissions, a set of client permissions and a set of resource permissions.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices across domains. Attestation information for an attester node in a first domain is received at a verifier gateway in the first domain. The attestation information is translated at the verifier gateway into translated attestation information for a second domain. Specifically, the attestation information is translated into translated attested information for a second domain that is a different administrative domain from the first domain. The translated attestation information can be provided to a verifier in the second domain. The verifier can be configured to verify the trustworthiness of the attester node for a relying node in the second domain by identifying a level of trust of the attester node based on the translated attestation information.

Abstract: According to various aspects, systems and methods are provided for secure communication between a passive sensor node and a reader. A passive sensor node may be used for monitoring in a variety of situations. A reader may power the passive sensor while communicating with the passive sensor. In some scenarios, it may be necessary or desirable to provide security between the passive sensor and the reader. According to one aspect, the reader may send a first message initiating communication with the passive sensor, which may respond with a second message including encrypted data. An authorized reader may decrypt the data and respond with data encrypted based on the second message in a third message, which may be used by the device to authenticate the reader.

Abstract: A system for tracking an asset including one or more processing devices that identify a spatial region in a complex number space, the spatial region being associated with the asset, receive a user defined password, identify a plurality of key locations within the spatial region at least in part using the user defined password, calculate key numerical values at each of the plurality of key locations using a defined complex number formula and use the key numerical values to generate an encryption key. The asset can be associated with a user by storing an asset record in a database which is indicative of an asset identifier, the spatial region and an encrypted payload derived using the encryption key.

Abstract: A small piece of hardware connects to a mobile device and filters out attacks and malicious code. Using the piece of hardware, a mobile device can be protected by greater security and possibly by the same level of security offered by its associated corporation/enterprise. In one embodiment, a mobile security system includes a connection mechanism for connecting to a data port of a mobile device and for communicating with the mobile device; a network connection module for acting as a gateway to a network; a security policy for determining whether to forward content intended for the mobile device to the mobile device; and a security engine for executing the security policy.

Abstract: A system and method for binding or assigning network access credentials to computer chip modules may include transmitting to a remote server a set of initialization data items each including an identification and a derivation of a secret value; and receiving from the remote server credential files, each including encrypted network access credentials and an initialization data item. For each computer chip module, a credential file may be installed on the computer chip module, an identification and a secret value may be installed on the computer chip module, and binding software may be executed. The execution of the binding software may accept as input the identification and a derivation of the secret value and may cause extraction of the network access credentials if the identification and the secret value when input to a formula result in a match.

Abstract: A container that manages access to protected resources using rules to intelligently manage them includes an environment having a set of software and configurations that are to be managed. A rule engine, which executes the rules, may be called reactively when software accesses protected resources. The engine uses a combination of embedded and configurable rules. It may be desirable to assign and manage rules per process, per resource (e.g. file, registry, etc.), and per user. Access rules may be altitude-specific access rules.

Abstract: Methods for transitioning an existing TLD from an existing registry operator to a new TLD of a new registry operator, the new TLD subsequently accessible over a communications network, the existing TLD having a non-operational zone or an operational zone.

Abstract: A computer-implemented method includes: establishing a connection between a user device of a user and a system onboard a vehicle being driven by the user; requesting access, through the established connection, to user information on the user device; in response to a grant of access, retrieving at least a portion of the user information from the user device, the portion of user information including a digital identification document of the user that had been issued by an entity after having vetted the user, the digital identification document including a digital biometric of the user as well as a digital watermark indicating the issuing entity; and retaining, on the system onboard the vehicle, data encoding the digital identification document of the user on the vehicle such that when the vehicle is inspected by a third-party agent, the digital identification document of the user is presented to the third-party agent.

Abstract: Techniques for computer security, and more specifically timestamp-based key generation techniques, are described. Some implementations provide a table of key generation processes that is shared as a secret between a first computing system and a second computing system, both of which have two clocks. The first clock is a real-time clock and the second clock is a variable-time clock. The variable time clocks are synchronized and run at the same rate, faster or slower than real time. Both computing systems use the same technique for selecting a key generation process from the table, such as based on a random number generator seeded with a timestamp obtained from their variable time clocks. Since the computing systems have synchronized variable-time clocks, they both select and use the same key generation process, thereby generating the same encryption key without the need to communicate the key from one system to another.

Abstract: Techniques are described herein that are capable of providing security for code between a code generator and a compiler. The code generator generates source code. The code generator generates a first checksum of a file that includes the source code. The code generator provides the first checksum to the compiler via a secure channel. The compiler generates a second checksum of the file that includes the source code. The compiler determines whether to compile the source code based at least in part on whether the first checksum and the second checksum are the same. The first checksum and the second checksum being the same indicates that the source code is to be compiled. The first checksum and the second checksum being different indicates that the source code is not to be compiled.

Abstract: Described herein is a data security system for enabling tokenized access to sensitive data, including a token provider configured to initiate a secure connection with a remote client computing device of a first data subject, and receive, from the remote client computing device, a request for an access token to provide a service provider with access to sensitive data associated with the first data subject. The request includes a data definition and authorization parameters including a data source identifier. The token provider is also configured to generate the access token that enables access to the sensitive data from the data source, store the access token in a token database, and transmit, to the remote client computing device, a response including the access token and instructions that enable the remote computing device to display the access token to the first data subject or transmit the access token to the service provider.

Abstract: An electronic device may include circuitry and an anti-tamper device having a physical characteristic that changes in response to a tamper attempt. The circuitry is configured to determine physically unclonable function (PUF) data based on the physical characteristic and to perform at least one secure operation based on the PUF data. The circuitry is further configured to detect the tamper attempt based a change to the physical characteristic and to perform at least one action in response to detection of the tamper attempt for protecting the electronic device from the tamper attempt.

Abstract: One embodiment a method, including: providing, using a processor, a user challenge over a network, wherein the user challenge is associated with a predetermined gesture to be performed by a user; obtaining, using a processor, user image data; determining, using the user image data, that a user has performed the predetermined gesture; and thereafter providing the user access to information. Other aspects are described and claimed.

Abstract: An authentication system includes: ECUs constituting on-vehicle network and server device communicating with the ECU. The ECU stores ID and encryption key set individually to the ECU and used for authenticating data exchanged between the ECUs. The server device stores the ID and encryption key of the ECU. The ECU includes: first CPU configured to perform: generating authentication data; generating authentication code by encrypting the authentication data using the encryption key; and transmitting the ID, authentication data, and authentication code to the server device. The server device includes: second CPU configured to perform: acquiring the ID transmitted from the ECU; retrieving the encryption key of ECU corresponding to the ID acquired; acquiring the authentication data and authentication code transmitted from the ECU; and authenticating the ECU using the encryption key retrieved.

Abstract: An information handling system may include a persistent memory configured to be secured via a passphrase; a basic input/output system (BIOS); and a management controller configured to provide out-of-band management of the information handling system. The BIOS may be configured to set the passphrase of the persistent memory, encrypt the passphrase via a first key of a first asymmetric key pair, and transmit the encrypted passphrase to the management controller. The management controller may be configured to decrypt the encrypted passphrase via a second key of the first asymmetric key pair, re-encrypt the passphrase via a first key of a second asymmetric key pair, and transmit the re-encrypted passphrase to an external management console via an out-of-band management interface.