Abstract: In aspects of string matching in encrypted data, a computing device stores homomorphic encrypted data as a dataset, and implements a string matching application that receives an encrypted query string as a query of the homomorphic encrypted data. The string matching application can then apply algorithms to perform addition and multiplication operations, and determine whether there are matching strings of the encrypted query string in the dataset. The string matching application can compute, for each row of the dataset, a sum of some function of dataset bits and query bits for a row result, and multiply the row results of the computed rows to determine matching strings. Alternatively, the string matching application can compute, for each row of the dataset, a product over some function of the dataset bits and the query bits for a row result, and add the row results of the computed rows to determine matching strings.

Abstract: A software verification method and apparatus are disclosed, applied to the cloud computing field and the communications field, and can be used to automatically verify whether an installation file of VNF software has been tampered with. The method includes: obtaining installation files of VNF software and signature files of the installation files, where the signature files of the installation files are used to store verification information of the installation files; verifying the installation files according to the signature files of the installation files; and determining, if the verification of the installation files succeeds, that the VNF software has not been tampered with.

Abstract: A wearable device includes a user information obtainer configured to obtain user information, a controller configured to selectively generate, in response to a user being authenticated based on the user information, an encryption key for encryption of content of an external device; and a communicator configured to transmit the encryption key to the external device.

Abstract: Certain embodiments described herein are generally directed to a first host machine exchanging a Security Parameter Index (SPI) value with a second host machine by storing the SPI in an options field of an encapsulation header of an encapsulated packet.

Abstract: Various additional and alternative aspects are described herein. In some aspects, the present disclosure provides a method of authenticating executable images in a system-on-chip (SoC), the method comprising: storing a plurality of executable images; storing, as separate from the plurality of executable images, a signed image of hashes comprising a plurality of hashes corresponding to the plurality of executable images and a first signature; authenticating the signed image of hashes based on the first signature; and using a first hash of the plurality of hashes to authenticate a first executable image of the plurality of executable images when the signed image of hashes passes authentication.

Abstract: Implementations and methods herein provide a networked storage system including a plurality of physical storage devices configured to store data on a plurality of virtualized volumes, a key store configured to store a plurality of encryption keys, and a secure messaging manager configured to encrypt a message to each of the plurality of virtualized volumes using a different encryption key.

Abstract: Various systems and methods for provisioning migration containers are disclosed. A system includes a memory and a processor to generate a migration container and migration metadata. The migration container can store data verified as encrypted with an encryption key and the migration metadata can include a lifespan value indicating a time limit for the migration container. In an example, the system can, in response to a request from a user device, provide the encryption key and a migration container path corresponding to a location of the migration container to the user device. In an example, the system can store data in the migration container in response to detecting the data from the user device via the migration container path. The system can migrate the data in the migration container to a server, and delete the migration container in response to the time limit of the lifespan value being exceeded.

Abstract: A system, method and computer program product obtains user data relating to a plurality of system users, who have previously been granted access to a resource in a context without complying with a ruleset defining criteria for automatically accessing the resource in the context. A combination of two or more user data properties having common values in user data of a subset of two or more of the plurality of system users is identified. A determination of whether the number of system users in the subset exceeds a predetermined threshold is made. If the number of system users in the subset exceeds the predetermined threshold, the ruleset is updated to include criteria based on the identified combination of two or more user data properties.

Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification or information retrieval. One example method of operation may include one or more of receiving an access request from a requesting device for access to an encryption key associated with a user device, broadcasting the request to peer nodes for approval or disapproval, storing a transaction to a blockchain indicating the approval or disapproval of the request for access to the encryption key, and providing access to the encryption key when the approval is indicated.

Abstract: An inconsistency in shares is detected with a small volume of communications traffic. n inconsistency detecting devices generate random numbers si and make the random numbers si public. The n inconsistency detecting devices generate a common random number s which is the sum total of the random numbers s0, . . . , sn?1. The n inconsistency detecting devices calculate shares [c]i. The n inconsistency detecting devices generate shares [r]i, each of which would become a random number r by reconstruction. The n inconsistency detecting devices calculate shares [d]i, each of which would become a judgment value d by reconstruction. One inconsistency detecting device receives shares [d]1, . . . , [d]n?1 from n?1 inconsistency detecting devices. The one inconsistency detecting device restores n?k shares [d]?k, . . . , [d]?n?1 from k shares [d]0, . . . , [d]k?1. The one inconsistency detecting device judges, for j=k, . . . , n?1, whether or not a share [d]j and a share [d]?j coincide with each other.

Abstract: In some embodiments, a protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.

Abstract: A data-source computer provides message data, having associated id data, to be sent to a data-collection computer; produces a blinded id by blinding the id data using a nonce; sends the blinded id to a tokenization computer; and sends the nonce and the message data via a network for receipt by the data-collection computer. In response, the tokenization computer produces a blinded token comprising a function, blinded with the nonce, of the id data and a secret key of the tokenization computer, and sends the blinded token to the data-collection computer. The data-collection computer, in response, uses the nonce to unblind the blinded token to obtain an id token which comprises a deterministic function of the id data and the secret key. The data-collection computer then stores the id token and the message data in storage operatively coupled to the data-collection computer.

Abstract: A data-source computer provides message data, having associated id data, to be sent to a data-collection computer; produces a blinded id by blinding the id data using a nonce; sends the blinded id to a tokenization computer; and sends the nonce and the message data via a network for receipt by the data-collection computer. In response, the tokenization computer produces a blinded token comprising a function, blinded with the nonce, of the id data and a secret key of the tokenization computer, and sends the blinded token to the data-collection computer. The data-collection computer, in response, uses the nonce to unblind the blinded token to obtain an id token which comprises a deterministic function of the id data and the secret key. The data-collection computer then stores the id token and the message data in storage operatively coupled to the data-collection computer.

Abstract: A processing device of a media server selects a media item to be provided to users via a satellite broadcast system, encrypts the media item using an encryption key to generate an encrypted media item, and transmits the encrypted media item to the satellite broadcast system via a first communication protocol. The processing device receives a request from a user device for authorization to decrypt the encrypted media item obtained by the user device via a direct connection with the satellite broadcast system. The request is received by the media server via a second communication protocol that is different from the first communication protocol. The processing device determines whether the user device is authorized to decrypt the encrypted media item, and transmits a key for decrypting the encrypted media item in response to the user device being authorized to decrypt the encrypted media item.

Abstract: Blockchain-based proof of presentation of content on a media channel, including: a blockchain; a generator configured to generate at least first, second, and third parameters, wherein the first and second parameters are input parameters and the third parameter is calculated as an output parameter of a one-way cryptographic function, the generator configured to incorporate the first and third parameters into a first type of block and append the first type of block to the blockchain; an embedder configured to receive and embed the second parameter into the content to produce tainted content; and a probe configured to monitor the media channel for the tainted content and to extract the second parameter from the tainted content.

Abstract: In an aspect of the disclosure, a method, a computer-readable medium, and a system for managing a collection of virtual desktops are provided. The system receives, at a license manager and from a first virtual desktop of the collection of virtual desktops, a first request to validate a license for the first virtual desktop. The system also determines whether a license is available for the first virtual desktop. The system further sends a validation status message to the first virtual desktop to indicate whether a license is available for the first virtual desktop based on the determination.

Abstract: A forged command filtering system includes: a secure command generating device for performing a digital signature operation on a selected command to generate a command request; a command transmitting device for receiving and transmitting the command request; a target device; and a command authentication circuit. The command authentication circuit includes: a communication interface for communicating with the command transmitting device or the target device; a secure micro-controller for storing a signature verification key of the secure command generating device; a control circuit for cooperating with the secure micro-controller to authenticate the command request using the signature verification key; and a storage circuit for storing data required for the operations of the control circuit.

Abstract: One embodiment provide a system and method for detecting eavesdropping while establishing secure communication between a local node and a remote node. During operation, the local node generates a random key and a regular optical signal based on the random key. The local node also generates a quantum optical signal based on a control sequence and a set of quantum state bases, and multiplexes the regular optical signal and the quantum optical signal to produce a hybrid optical signal. The local node transmits the hybrid optical signal to the remote node, sends information associated with the control sequence and information associated with the set of quantum state bases to the remote node, and receives an eavesdropping-detection result from the remote node based on measurement of the quantum optical signal, the information associated with the control sequence, and the information associated with the set of quantum state bases.

Abstract: In one or more embodiments, one or more systems, methods, and/or processes may receive, independently of a processor of the information handling system (IHS), first credential management information and may modify, independently of the processor and based on the first credential management information, credential information stored via a secure object store of the IHS. For example, modifying the credential information may include modifying the credential information such that the IHS denies access to at least a portion of the IHS based on the credential information. In one instance, denying access to at least the portion of the IHS may include disabling at least one of password, biometric information associated with a user, and an encryption key. In another instance, denying access to at least the portion of the IHS may include remapping, independently of the processor, at least one human interface device.

Abstract: A device may receive encrypted traffic associated with a secure session. The device may determine, based on the encrypted traffic, information associated with an offload service to be applied to the encrypted traffic associated with the secure session. The information associated with the offload service may indicate whether the encrypted traffic is permitted to bypass inspection by one or more security services. The device may selectively permit the encrypted traffic, associated with the secure session, to bypass inspection by the one or more security services based on the information associated with the offload service.