Patents Examined by J. Brant Murphy
  • Patent number: 11270025
    Abstract: A system for managing opt-out instructions includes a global opt-out service and opt-out store in communication with regional subsystems. The opt-out service maintains a global opt-out store database of consumers for whom opt-out instructions have been received. The opt-out store includes no personal data, but instead contains only anonymized data. Before consumer data is utilized, an anonymized identifier is created by a regional data anonymizer and transmitted to the opt-out store. The opt-out instructions are applied by searching for a match in the opt-out store for a matching anonymized identifier. In this manner, the system may comply with privacy laws and regulations concerning the transmission of personal data outside of a region, while still providing a global opt-out service.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: March 8, 2022
    Assignee: LiveRamp, Inc.
    Inventor: James Q. Arnold
  • Patent number: 11270007
    Abstract: Methods and systems for embedding data in an image. The methods include, by a computing device: receiving data indicative of a source of an image that is one of a series of images that collectively provide a visual representation of a state of an application of the computing device, identifying a region of the image that is the same in another image of the series of images, determining a size of the identified region, and embedding the data within the identified region of the image in response to a comparison between the determined size of the identified region and a threshold.
    Type: Grant
    Filed: April 28, 2020
    Date of Patent: March 8, 2022
    Assignee: CITRIX SYSTEMS, INC.
    Inventor: Hao Chen
  • Patent number: 11271725
    Abstract: An electronic device is disclosed. The disclosed electronic device includes a communication unit for communicating with a server and at least one external electronic device, and a processor electrically coupled with the communication unit, and the processor may receive the latest communication connection information of the external electronic device from the external electronic device or the server through the communication unit, if a transaction occurs, propagate the transaction to the external electronic device based on the communication connection information, receive a verification result of the transaction from the external electronic device which receives the transaction, and perform the transaction by generating and propagating new block data based on the verification result.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: March 8, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hojung Lee, Hyunsoo An
  • Patent number: 11250165
    Abstract: A processor comprising a first register to store a wrapping key, a second register to store a pointer to a handle stored in a memory coupled to the processor, the handle comprising a cryptographic key encrypted using the wrapping key, and a core to execute a decryption instruction. The core is to, responsive to the decryption instruction, identify, in the decryption instruction, a pointer to ciphertext stored in the memory, retrieve the ciphertext and the handle from the memory, decrypt the cryptographic key of the handle based on the wrapping key, and decrypt the ciphertext based on the decrypted cryptographic key.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: February 15, 2022
    Assignee: Intel Corporation
    Inventors: Michael LeMay, David M. Durham, Jason W. Brandt
  • Patent number: 11251941
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing cryptographic keys based on user identity information. One of the methods includes receiving biometric information associated with a user and a request to store a user key pair to a memory on an identity cryptographic chip (ICC); comparing the biometric information associated with the user with biometric information pre-stored in the memory as pre-stored biometric information; in response to determining that the biometric information associated with the user matches the pre-stored biometric information, encrypting the user key pair to provide an encrypted user key pair; and storing the encrypted user key pair to the memory.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: February 15, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Zhiyuan Feng, Yanpeng Li, Long Cheng
  • Patent number: 11250417
    Abstract: The present invention relates to a virtual code-based control system, method and program, a control device and a control signal generating means. A control method on the basis of a control signal comprising a virtual code according to an embodiment of the present invention comprises: a control signal receiving step for a control module receiving, from a control signal generating means, a control signal generated by means of combining a plurality of specific codes in accordance with a particular rule; a step for the control module extracting the plurality of specific codes comprised in the virtual code; and a command searching step for the control module searching for a storage location comprising a particular command on the basis of the plurality of specific codes.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: February 15, 2022
    Assignee: SSenStone Inc.
    Inventor: Chang Hun Yoo
  • Patent number: 11245530
    Abstract: One embodiment described herein provides a system and method for secure point-to-point communication. During operation, the system establishes a voice communication channel between a local client device and a remote client device and obtains an encryption key negotiated between the local client device and the remote client device. The system can then obtain a voice signal generated by a user associated with the local client device based on the encryption key and performs a key-validation operation by sending the voice signal from the local client device to the remote client device using the voice communication channel. In response to a successful validation of the encryption key, the system establishes a secure point-to-point communication channel between the local and remote client devices using the validated encryption key.
    Type: Grant
    Filed: February 21, 2019
    Date of Patent: February 8, 2022
    Assignee: Alibaba Group Holding Limited
    Inventor: Kang Wang
  • Patent number: 11245714
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: February 8, 2022
    Assignee: SENTINEL LABS ISRAEL LTD.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11245715
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 14, 2021
    Date of Patent: February 8, 2022
    Assignee: SENTINEL LABS ISRAEL LTD.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11240008
    Abstract: A key management method includes: sending, by a security chip of a computer device, a request for obtaining a service key to a key management service; receiving, by the security chip, a service key ciphertext from the key management service, wherein the service key ciphertext is obtained by encrypting the service key by the key management service based on a migration key of the security chip; decrypting, by the security chip, the service key ciphertext based on the migration key to obtain the service key; storing, by the security chip, the service key in the security chip; and providing, by the security chip, the service key to an application program of the computer device when the application program needs to encrypt data based on the service key.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: February 1, 2022
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Wuqiong Pan
  • Patent number: 11233642
    Abstract: A method for regulating document access, the method comprising providing a set of access keys for a user, respective ones of the keys providing different user access privileges for components of a composite document, selecting multiple nodes in a distributed storage system, distributing data representing N fragments of encrypted or unencrypted versions of the set of access keys and/or at least one of the individual keys and/or a symmetric key, K, associated with the user across N selected nodes of the distributed storage system, wherein the encrypted versions are encrypted using the symmetric encryption key, K, associated with the user, encrypting data relating to address information of the N selected nodes using a public encryption key of the user to generate a location object and storing the location object as a component of the composite document.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: January 25, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Nassir Mohammad, Helen Balinsky
  • Patent number: 11233632
    Abstract: In one embodiment, a method for securely distributing secret keys for hardware devices is disclosed. A distributor server transmits to a provider server an order for hardware devices. Each hardware device has a unique identifier and at least one secret key for authentication. The provider server sends a database associated with the distributor, for each of the hardware devices, the unique identifier and an unencrypted version of the at least one secret key. In response to an order received by the distributor from a customer for a portion of the hardware devices, the distributor server provides the database the unique identifiers and an associated customer order identifier, and the distributor server provides a customer server the unique identifiers. In response to the customer logging into the database and providing the order information, the database provides the customer the unencrypted keys for the hardware devices to allow authentication.
    Type: Grant
    Filed: July 2, 2021
    Date of Patent: January 25, 2022
    Inventors: Jason Michael Giuliano, Thomas Scott Rancour, II
  • Patent number: 11233631
    Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If the attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: January 25, 2022
    Assignee: Google LLC
    Inventors: Shaunak Mistry, Adam Markowitz
  • Patent number: 11228569
    Abstract: A computing platform of a vehicle may receive a request, from a mobile application accessing a secure vehicle function, to create a secure tunnel between the computing platform and the mobile device; retrieve an application certificate from the mobile application; and validate the creation of the secure tunnel using the application certificate and a module certificate from a local policy table of the computing platform. A mobile device, connected to a computing platform of a vehicle may execute a mobile application requiring a secure vehicle function; send a request to create a secure tunnel with the computing platform responsive to access by the mobile application of the secure vehicle function; and send to the computing platform an application certificate corresponding to the mobile application to validate creation of the secure tunnel.
    Type: Grant
    Filed: March 1, 2016
    Date of Patent: January 18, 2022
    Assignee: Ford Global Technologies, LLC
    Inventors: Michael Raymond Westra, David Ray Erkkila, Elizabeth Halash, Kevin Burdette, Julius Marchwicki, Alan Daniel Gonzalez, Chad Evert Esselink
  • Patent number: 11218304
    Abstract: Systems and methods for detecting breached user login records in a zero-knowledge architecture. A breach detection module obtains login data that has been breached from breached data sources and service providers. The breached data is hashed with a system key and the breached data hashes are hashed in a hardware security module (HSM) using a hashing method and a non-exportable key. Clients provide user login data that has been hashed using the hashing method by the client device to the breach detection module. The breach detection module hashes the hashed user login data and compares the hashed user login hashes with the hashed breached data hashes and sends a breach alert to the client device if any hashes match.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: January 4, 2022
    Assignee: KEEPER SECURITY, INC.
    Inventors: Craig B. Lurey, Darren S. Guccione
  • Patent number: 11218513
    Abstract: Techniques are disclosed for providing information sharing with enhanced security. In an embodiment, a secure information sharing engine provides secure sharing of data by applying one or more validation rules to the data. When applied to a given portion of the data, the validation rule verifies that the data of the given portion is, in fact, the data that is supposed to be in the given portion. At least one of the validation rules includes a check that a portion of the data contained in multiple fields maintain a relationship between the multiple fields. If the data passes the applied one or more validation rules, the secure information sharing engine allows the sharing of the data. Otherwise, if the data does not pass the one or more applied validation rules, the secure information sharing engine disallows the sharing of the data.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: January 4, 2022
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Kenneth A. Polando, Jr., Michael J. Gale, Tara B. Jennings
  • Patent number: 11212309
    Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: December 28, 2021
    Assignee: Sentinel Labs Israel Ltd.
    Inventors: Tomer Weingarten, Almog Cohen
  • Patent number: 11212085
    Abstract: Technologies for accelerated key caching in an edge hierarchy include multiple edge appliance devices organized in tiers. An edge appliance device receives a request for a key, such as a private key. The edge appliance device determines whether the key is included in a local key cache and, if not, requests the key from an edge appliance device included in an inner tier of the edge hierarchy. The edge appliance device may request the key from an edge appliance device included in a peer tier of the edge hierarchy. The edge appliance device may activate per-tenant accelerated logic to identify one or more keys in the key cache for eviction. The edge appliance device may activate per-tenant accelerated logic to identify one or more keys for pre-fetching. Those functions of the edge appliance device may be performed by an accelerator such as an FPGA. Other embodiments are described and claimed.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: December 28, 2021
    Assignee: Intel Corporation
    Inventors: Timothy Verrall, Thomas Willhalm, Francesc Guim Bernat, Karthik Kumar, Ned M. Smith, Rajesh Poornachandran, Kapil Sood, Tarun Viswanathan, John J. Browne, Patrick Kutch
  • Patent number: 11201893
    Abstract: A system for assessing potential cybersecurity threats to a subject system is provided. The system includes a computer system including at least one processor in communication with at least one memory device. The at least one processor is programmed to: receive a subject system to analyze, determine a potential hazard event associated with the subject system, generate an attack graph associated with the potential hazard event, wherein the attack graph includes a plurality of actions, determine an exploitability score for each of the plurality of actions, determine an uncertainty level for each of the plurality of actions based on the corresponding exploitability score, aggregate the plurality of actions including the corresponding exploitability scores and the corresponding uncertainty levels to determine one or more vulnerabilities of the subject system, and generate a response to the one or more vulnerabilities of the subject system.
    Type: Grant
    Filed: October 8, 2019
    Date of Patent: December 14, 2021
    Assignee: THE BOEING COMPANY
    Inventors: David Thomas Kruse, Benjamin Joseph Steffes, Nathan Mackey, Moon Kim
  • Patent number: 11201857
    Abstract: A domain transcendent file cryptology network includes a first data cryptology node in a first data domain having a first security protocol. A hardware processor of the first data cryptology node executes a first instantiation of a software code to receive a request to transfer a data file from the first data domain to a second data domain having a second, different, security protocol, obtain one or more characteristics of the data file, and generate an authentication tag for the data file based on the characteristic(s). The first instantiation of the software code also encrypts the data file and transmits the encrypted data file, the authentication tag, and a decryption key to a second data cryptology node in the second data domain. The decryption key and the authentication tag enable decryption of the encrypted data file by a second instantiation of the software code on the second data cryptology node.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: December 14, 2021
    Assignee: Disney Enterprises, Inc.
    Inventors: Thomas C. Scott, Matthew D. Estes, Douglas A. Hill