Abstract: A method, computer program product, and computer system for storing, by a computing device, a data encryption key in a keystore. A plurality of stable system values may be generated, wherein a threshold number of the plurality of stable system values is required to access the data encryption key from the keystore. The plurality of stable system values may be stored in different locations. More stable system values of the plurality of stable system values than the threshold number of the plurality of stable system values required to access the data encryption key from the keystore may be deleted.

Abstract: Disclosed are various embodiments for validating documents using a blockchain data. Multiple documents can be included in the validation process using a merge and hash process and a summary terms document. Validation can be performed by hashing and merging operations, followed by comparing hash values.

Abstract: In a post-quantum asymmetric key generation method and system, a processing unit generates, based on a prime and an arithmetic function or a classical string, a prime vector which has an infinite number of components; generates a prime array based on the prime vector; generates an associated matrix based on the prime array; obtains, based on the associated matrix and a first reference prime, a first reference inverse prime array that serves as a private key; and obtains a public key that is paired with the private key based on a second reference inverse prime array. The second reference inverse prime array is obtained based on the associated matrix, the first reference prime, a second reference prime, and a randomization array.

Abstract: A method for implementing a secure multiparty computation protocol between a plurality of parties for a multiparty computation includes performing an offline phase of an SPDZ protocol for each of the parties participating in the multiparty computation. A secret share redistribution phase is then performed wherein the secret shares of the parties are redistributed to a subset of the parties. A secret share recombination phase is performed during which the subset of the parties recombines the redistributed secret shares to recover the secret shares of the parties not in the subset. An online phase of the SPDZ protocol is then performed during which the function is computed with respect to the private inputs of the parties and using the secret shares of all the parties.

Abstract: According to an example aspect of the present invention, there is provided a method, comprising: storing a security context comprising a first key for wireless data transmission, and applying a timer for defining validity of the security context for the data transmission during an inactive state.

Abstract: An electronic device including a key generator is disclosed. The key generator acquires a first affine map, a second affine map, and a third map, and generates a public key using the first affine map, the second affine map, and the third map, the third map is a system of multivariate quadratic polynomials having n variables and m equations, at least one of the multivariate quadratic polynomials has oil-oil quadratic terms with non-zero coefficients, and the third map includes at least one set for defining vinegar variables used in an Oil and Vinegar method and index sets for defining oil variables used in the Oil and Vinegar method, and each of the first affine map, the second affine map, and the third map is a finite field.

Abstract: Methods for speaker role determination and scrubbing identifying information are performed by systems and devices. In speaker role determination, data from an audio or text file is divided into respective portions related to speaking parties. Characteristics classifying the portions of the data for speaking party roles are identified in the portions to generate data sets from the portions corresponding to the speaking party roles and to assign speaking party roles for the data sets. For scrubbing identifying information in data, audio data for speaking parties is processed using speech recognition to generate a text-based representation. Text associated with identifying information is determined based on a set of key words/phrases, and a portion of the text-based representation that includes a part of the text is identified. A segment of audio data that corresponds to the identified portion is replaced with different audio data, and the portion is replaced with different text.

Abstract: Provided herein are identification of a distributed denial of service attack and automatic implementation of preventive measures to halt the distributed denial of service attack. At substantially the same time as the attack, valid users/customers (e.g., devices) are provided quality of service and continued access to a website experiencing the distributed denial of service attack. Further, service to temporary or unknown users (e.g., devices) with public access to the website is suspended during the duration of the distributed denial of service attack.

Abstract: Integrated circuits to compute a result of summing m values, rotating the sum by k bits, and adding a summation of n values Bi to Bn to the rotated sum. An embodiment includes: a first carry save adder to add up the m values to generate a first carry and a first sum; rotator circuitry to rotate both the first carry and the first sum by k bits to generate a second carry and a second sum; a second carry save adder to add up the second carry, the second sum, and the summation of values Bi to Bn to generate a third carry and a third sum; two parallel adders to generate a first intermediate result and a second intermediary result based on the third carry and the third sum; and a multiplexer to generate the result utilizing various portions of the first and second intermediate results.

Abstract: Presented herein are methods and systems for adjusting code files to apply memory protection for dynamic memory regions supporting run-time dynamic allocation of memory blocks. The code file(s), comprising a plurality of routines, are created for execution by one or more processors using the dynamic memory. Adjusting the code file(s) comprises analyzing the code file(s) to identify exploitation vulnerable routine(s) and adding a memory integrity code segment configured to detect, upon execution completion of each vulnerable routine, a write operation exceeding from a memory space of one or more of a subset of most recently allocated blocks allocated in the dynamic memory to a memory space of an adjacent block using marker(s) inserted in the dynamic memory in the boundary(s) of each of the subset's blocks. In runtime, in case the write operation is detected, the memory integrity code segment causes the processor(s) to initiate one or more predefined actions.

Abstract: Embodiments are configured to receive metadata of a process intercepted on an end host when attempting to access a network. The metadata includes a hash of an application associated with the process and an endpoint reputation score of the application. Embodiments are configured to request a threat intelligence reputation score based on the hash of the application, to determine an action to be taken by the end host based, at least in part, on one or more policies and at least one of the threat intelligence reputation score and the endpoint reputation score, and to send a response indicating the action to be taken by the end host. Further embodiments request another threat intelligence reputation score based on another hash of a dynamic link library module loaded by the process on the end host, and the action is determined based, at least in part, on the other threat intelligence score.

Abstract: An authentication method, includes: receiving an authentication request from a user, the authentication request including an identity identifier of the user; acquiring authentication data associated with the identity identifier from a blockchain network, a blockchain node of the blockchain network storing a mapping relationship between identity identifiers and authentication data; and performing identity authentication for the user according to the authentication data.

Abstract: Aspects of the invention include a computer-implemented method including providing, by a processor, a computing cluster having a plurality of cluster nodes and services. The method provides, by the processor, a limited catalog of services and restricts, by the processor, access of an administrator of the computing cluster to use of a service deployer, wherein the service deployer restricts administrator access to installation and administration of clusters and deployment of only the limited catalog of services.

Abstract: A method, computer system, and a computer program product for secure transport of data is provided. The present invention may include defining a trust relationship based on a secret. The present invention may also include associating a trusted transport key identity (TTKI) based on the defined trust relationship. The present invention may then include receiving a trusted transport key (TTK), wherein the TTK is digitally signed and encrypted with the TTKI. The present invention may further include verifying the digitally signed TTK. The present invention may also include enveloping the secret with the TTK.

Abstract: The innovation disclosed and claimed herein, in one aspect thereof, comprises systems and methods of credentialing an application in a cloud environment. The application is determined to be a trusted application type. The application is provided with a certificate service process dedicated to request and receive a certificate from a source outside the cloud environment. An integration component retrieves the secret and provides it to the application that is inside the cloud environment. The secret is verified within the cloud environment and the application is deployed as a trusted application instance inside the cloud environment.

Abstract: A network-based appliance includes a mechanism to set-up and selectively use an “out-of-band” encryption channel. The mechanism comprises a packet parser, and a packet dispatcher, and it is integrated with an existing network layer stack that typically is not visible to host applications. In lieu of simply encrypting all data it receives, the mechanism instead analyzes one or more attributes, e.g., protocol type, application type, current encryption strength, content payload, etc., associated with a packet transmission to determine whether further encryption is required. The evaluation may include a deep packet inspection (DPI) when the information at the network layer (e.g., IP address, port number, etc.) is not sufficient to determine if the payload in the packet needs to be further encrypted. Based on the result of the analysis, packets are dispatched to the encryption channel as and when necessary.

Abstract: In some embodiments, a method receives address information for two or more paths between a first network device and a second network device. A connection is established between the first network device and the second network device to determine one or more security keys for the first network device and the second network device. Then, the method installs the one or more security keys with the address information for the two or more paths. The one or more security keys are used to provide a security service on one or more packets that are sent or received between the first network device and the second network device using the address information for the two or more paths.

Abstract: The present disclosure provides a method for securely updating firmware components, which is used in connection with an electronic device including a universal serial bus human interface device interface. The method includes: downloading a deformed patch executable file by the electronic device, wherein the deformed patch executable file is deformed from a patch executable file including a plurality of binary files, and each of the binary files is configured with an address reference label; and executing the deformed patch executable file and verifying whether a digital signature of the deformed patch executable file is authorized or not. If the digital signature of the deformed patch executable file is authorized, providing an update tool for updating the corresponding firmware component. If the digital signature of the deformed patch executable file is not authorized, prompting that the digital signature is unauthorized.

Abstract: A system includes an interface, a tenant authentication processor, and an application routing processor. The interface is configured to receive a first request for access. The tenant authentication processor is configured to provide a tenant token request to a tenant process associated with the first request; receive a tenant token from the tenant process; determine a signed tenant token based on the tenant token and a key; and provide the signed tenant token for access to an application routing platform. The application routing processor of the application routing platform is configured to receive an API call comprising the signed tenant token; determine that the signed tenant token is valid; determine an application platform token; determine routing information to an application platform based on the API call; and provide the application platform the API call and the application platform token using the routing information to gain access to the application platform.

Abstract: A method and apparatus for encrypting communications between two radio frequency (RF) transceivers selects a level of encryption based on device characteristics of the two RF transceivers. Each RF transceiver generates a common sequence having an integer, M, symbols based on the selected encryption level and on signals received from the other RF transceiver. Each RF transceiver then generates a cryptographic key based upon the common sequence, encrypts a message using the cryptographic key, and sends the encrypted message to the other RF transceiver. In one embodiment, the M symbols are selected from an alphabet where the value M and the size of the alphabet are selected based on the device characteristics of the two RF transceivers.