Patents Examined by Khalil Naghdali
  • Patent number: 10181946
    Abstract: Technologies for cryptographic protection of I/O data include a computing device with one or more I/O controllers. Each I/O controller may generate a direct memory access (DMA) transaction that includes a channel identifier that is indicative of the I/O controller and that is indicative of an I/O device coupled to the I/O controller. The computing device intercepts the DMA transaction and determines whether to protect the DMA transaction as a function of the channel identifier. If so, the computing device performs a cryptographic operation using an encryption key associated with the channel identifier. The computing device may include a cryptographic engine that intercepts the DMA transaction and determines whether to protect the DMA transaction by determining whether the channel identifier matches an entry in a channel identifier table of the cryptographic engine. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: January 15, 2019
    Assignee: Intel Corporation
    Inventors: Reshma Lal, Steven B. McGowan, Siddhartha Chhabra, Gideon Gerzon, Bin Xing, Pradeep M. Pappachan, Reouven Elbaz
  • Patent number: 10181045
    Abstract: Illustrative implementations are described for an automated email message and document shredding system. The implementations provide for generating electronic content and associating the content with a condition upon which the content may self-terminate. Based on the condition, a security context may be determined for the content. The security context determination facilitates the association of a security key corresponding to the security context associated with the content. The security key may be applied to the content to generate encrypted content. A notification of the security key used to encrypt the content, a notification of the condition upon which the content will self-terminate and the encrypted content may then be transmitted to a recipient.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: January 15, 2019
    Assignee: Hologic, Inc.
    Inventors: Constantine Ashminov, Jay Stein
  • Patent number: 10182067
    Abstract: The present disclosure relates to a method, a device and a storage medium for determining a health state of an information system. At first, a baseline configuration document corresponding to the information system is received, and data records under inspection of the information system are acquired. The baseline configuration document defines baselines. Then, each of the data records under inspection is compared with at least one baseline defined in the baseline configuration document to obtain a comparing result between each of the data records under inspection and the at least one baseline. At last, the health state of the information system is determined according to the comparing result between each of the data records under inspection and the at least one baseline. A health-determining apparatus relative to the above-mentioned method is also provided. Therefore, by these method and apparatus, the health state of the information system is quantifiable.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: January 15, 2019
    Assignee: Tencent Technology (Shenzhen) Company Limited
    Inventors: Bin Zhou, Dong Shan Xu, Shan Yang Fu
  • Patent number: 10181949
    Abstract: A data device controls distribution of data to user devices through an edge router via an encryption scheme. The data device encrypts data using a first key and a public key, and sends the data to the edge router. The edge router encrypts the encrypted data with a second key and sends the re-encrypted data to a user device. The data device then authenticates the user device and issues a decryption key derived from a private key corresponding to the public key, the first key, and the second key to the user device. The user device uses the decryption key to decrypt and access the data.
    Type: Grant
    Filed: October 12, 2015
    Date of Patent: January 15, 2019
    Assignee: Futurewei Technologies, Inc.
    Inventors: Qingji Zheng, Guoqiang Wang, Ravishankar Ravindran
  • Patent number: 10182042
    Abstract: Bridging encrypted datasets is provided. A system transmits, to a server, a first identifier vector encrypted with a first encryption that is commutative. The system receives an encrypted first identifier vector encrypted based on the first encryption and encrypted by a second encryption associated with the server. The system receives a second identifier vector encrypted based on the second encryption. The system encrypts the second identifier vector with the first encryption to generate an encrypted second identifier vector that is encrypted based on the second encryption and further encrypted based on the first encryption. The system determines a correlation count between the encrypted first identifier vector and the encrypted second identifier vector. The system generates one identifier key for both the first identifier and the second identifier. The system can provide the one identifier key for input into an application to process interactions.
    Type: Grant
    Filed: July 14, 2017
    Date of Patent: January 15, 2019
    Assignee: Google LLC
    Inventors: Mahyar Salek, Philip McDonnell, Vinod Kumar Ramachandran, Shobhit Saxena, David Owen Shanahan
  • Patent number: 10182078
    Abstract: Methods, systems, and computer-readable media for selectively enabling and disabling biometric authentication are presented. In some embodiments, a computing platform may receive, from a device monitoring and management computer system, a device state indicator message comprising device state information associated with a mobile computing device. Subsequently, the computing platform may set a biometric authentication flag for the mobile computing device based on the device state indicator message received from the device monitoring and management computer system. Then, the computing platform may generate an authentication functionality message for the mobile computing device based on the biometric authentication flag set for the mobile computing device, and the authentication functionality message may be configured to selectively enable or disable one or more biometric authentication functions provided by the mobile computing device.
    Type: Grant
    Filed: February 27, 2018
    Date of Patent: January 15, 2019
    Assignee: Bank of America Corporation
    Inventors: Xianhong Zhang, Wenhui Meng, Kalyan V. Pasumarthi, Elizabeth Votaw, Andrew T. Keys, Apeksh M. Dave
  • Patent number: 10181956
    Abstract: Example implementations relate to key revocation. For example, a system for key revocation may comprise a processor, an embedded controller, a non-volatile memory storing a system instruction signing key authorization data element, wherein the data element includes a system instruction signing key, a signing key number and a signature. The embedded controller may include a plurality of keys to verify the data element, and a one-time programmable (OTP) memory and a key among the plurality of keys that is revocable using the OTP memory, wherein revocation of the key permanently prevents the embedded controller from utilizing the key.
    Type: Grant
    Filed: December 21, 2015
    Date of Patent: January 15, 2019
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Jeffrey K. Jeansonne, Lan Wang, Dallas M. Barlow
  • Patent number: 10091197
    Abstract: A portable computing device captures imagery from a screen of a second computer, decodes information steganographically-encoded in the screen display, and uses the decoded information to establish a secure session with the second computer. Such technology enables a help-desk staffer to interact with a client's desktop computer, without touching the keyboard of the desktop computer, and without interrupting the client's work. A great many other features and arrangements are also detailed.
    Type: Grant
    Filed: January 6, 2016
    Date of Patent: October 2, 2018
    Assignee: Digimarc Corporation
    Inventors: Geoffrey B. Rhoads, David L. Cavender, Joshua Bickel
  • Patent number: 10068240
    Abstract: Provided herein are systems, methods and computer readable media for consumer monitor and tracking. An example method may include receiving client device ID and client device profile data, comparing client device ID and client device profile data to a plurality of known client device versions, generating an updated known client device version in an instance in which the client device ID correlates to at least one of the plurality of known client device versions and the client device profile data does not correlate to the at least one of the plurality of known client device versions and generating a new known client device version in an instance in which the client device ID does not correlate to at least one of the plurality of known client device versions.
    Type: Grant
    Filed: December 23, 2016
    Date of Patent: September 4, 2018
    Assignee: GROUPON, INC.
    Inventors: Jiaqi Guo, Michael Elizarov, Jim Breen, Selvam Velmurugan
  • Patent number: 10063575
    Abstract: In one embodiment, a device in a network receives an output of an anomaly detection model. The device receives state information surrounding the output of the anomaly detection model. The device determines whether the state information supports the output of the anomaly detection model. The device causes the anomaly detection model to be adjusted based on a determination that the state information does not support the output of the anomaly detection model.
    Type: Grant
    Filed: October 8, 2015
    Date of Patent: August 28, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Jean-Philippe Vasseur, Fabien Flacher, Grégory Mermoud
  • Patent number: 10061917
    Abstract: System and method of a single machine or cluster of machines acting as a single machine that simplifies and consolidates the hosting of appliances using virtualization, containers, and or any type of sandboxing to host virtual appliances, however, interconnecting these appliance nodes in a manner of having one centralized node acting as the security center, firewall appliance, and information distributer for not only the local virtual network(s), machines, appliances, but physical and foreign virtual networks which includes but is not limited to wireless connectivity and or whatever the current ubiquitous connectivity, as well as multiple sub-networks via single or multiple networking adapters; using these methods allows for a completely secure customized network environment with all the needed appliances for the intended use case.
    Type: Grant
    Filed: May 4, 2015
    Date of Patent: August 28, 2018
    Inventor: Benjamin Robert Gardner
  • Patent number: 10057767
    Abstract: Apparatus and methods to support location specific control to allow and/or disallow access to services through untrusted wireless networks by a wireless communication device are disclosed. One or more network elements obtain a location of the wireless communication device and selectively allow and/or disallow access to one or more cellular network services and/or one or more access point names (APNs) based on the location of the wireless communication device when connecting through an untrusted wireless network.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: August 21, 2018
    Assignee: Apple Inc.
    Inventors: Vikram Bhaskara Yerrabommanahalli, Ajoy K. Singh, Krisztian Kiss, Rohan C. Malthankar, Thomas F. Pauly
  • Patent number: 10050789
    Abstract: A method relates to receiving, by an authentication server, an authentication request from a client device via a public network, selecting a first private key of the authentication server from a first range of numbers and a second private key of the authentication server from a second range of numbers, receiving, from the client device, a first public key of the client device and a second public key of the client device, calculating a third private key of the authentication server in view of the second private key of the authentication server and a numerical value of the password, receiving a third public key of the client device, calculating a session key of the authentication server in view of the second public key of the client device, the third public key of the client device, and the third private key of the authentication server, and validating the session key.
    Type: Grant
    Filed: November 24, 2015
    Date of Patent: August 14, 2018
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 10043009
    Abstract: Technologies for analyzing software similarity include a computing device having access to a collection of sample software. The computing device identifies a number of code segments, such as basic blocks, within the software. The computing device normalizes each code segment by extracting the first data element of each computer instruction within the code segment. The first data element may be the first byte. The computing device calculates a probabilistic feature hash signature for each normalized code segment. The computing device may filter out known-good code segments by comparing signatures with a probabilistic hash filter generated from a collection of known-good software. The computing device calculates a similarity value between each pair of unfiltered, normalized code segments. The computing device generates a graph including the normalized code segments and the similarity values. The computing device may cluster the graph using a force-based clustering algorithm.
    Type: Grant
    Filed: September 24, 2014
    Date of Patent: August 7, 2018
    Assignee: Intel Corporation
    Inventor: Jason R. Upchurch
  • Patent number: 10037436
    Abstract: An appliance is capable of storing and processing data related to details surrounding its ownership, behavior, and history within itself in a secure and unalterable way. The appliance may experience multiple transfers in ownership during its lifetime. Certain data stored in the appliance may be encrypted such that only qualifying parties (e.g., owners) may be able to access the data. Some data may remain private to an individual owner while other data may be made available to subsequent owners by passing a shared secret that can be utilized to decrypt the other data. Data may be stored in the appliance in chronological order and may be signed by appropriate parties such that it is not possible to alter the data without detection.
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: July 31, 2018
    Assignee: Visa International Service Association
    Inventor: David White
  • Patent number: 10027654
    Abstract: The invention relates to an authentication method for authenticating a client device having an authentication token generated by means of a pseudo-homomorphic function and based on a secret element (PIN) known only by the client device, to a server, comprising: the generation (A1), by the client device, of proof of knowledge of the secret element based on a proof generation key masked with a first mask data item, said masked proof generation key being dependent on said secret element, the transmission to the server by the client device, of said generated proof of knowledge of the secret element (A2) and of the authentication token (J) masked using the mask data item (A3), the verification of the validity of the masked authentication token (A4) and of the validity of the proof of knowledge by the server (A6) by a zero-knowledge proof, proving the knowledge of said secret element by the client device without revealing it.
    Type: Grant
    Filed: October 12, 2015
    Date of Patent: July 17, 2018
    Assignee: MORPHO
    Inventors: Julien Bringer, Herve Chabanne, Olivier Cipiere, Rodolphe Hugel, Roch Lescuyer
  • Patent number: 10025914
    Abstract: In an example, techniques of this disclosure include establishing, by a computing device, authentication data for authenticating a user of a service provided by a service provider, where the authentication data comprises one or more first data entries and one or more second data entries that correspond to the one or more first data entries. The techniques also include retrieving, from at least one third-party service provider, one or more second data entries maintained by the at least one third-party service provider that correspond to the one or more first data entries, and authenticating the user based on the authentication data, where authenticating the user comprises comparing the one or more first data entries to the one or more second data entries retrieved from the at least one third-party service provider.
    Type: Grant
    Filed: October 12, 2015
    Date of Patent: July 17, 2018
    Assignee: Wells Fargo Bank, N.A.
    Inventor: David Hatch
  • Patent number: 10009335
    Abstract: Techniques are disclosed for using a global unified session identifier across data centers. Upon creating an initial session in the data center for a user first accessing the data center, a session identifier is generated for the user session. Because the initial session is the first session created for that user, the initial session identifier is designated as the global unified session identifier for all sessions that may be created for the user in other data centers within the enterprise network. Data centers may then map the global unified session identifiers to locally generated session identifiers for the user. A global unified session identifier enables various user session actions to be performed globally across the data centers, including global logout, global session termination, global session updates, and/or the like. A global unified session identifier prevents the risk of collision that can occur between randomly generated numbers of different data centers.
    Type: Grant
    Filed: December 7, 2016
    Date of Patent: June 26, 2018
    Assignee: Oracle International Corporation
    Inventors: Stephen Mathew, Vipin Anaparakkal Koottayi, Ramya Kukehalli Subramanya
  • Patent number: 10009179
    Abstract: Example apparatus and methods provide a device (e.g., smartphone) that is more secure for electronic commerce. An example device includes a trusted platform module (TPM) that stores a public key and a private key. The device is provisioned with account information, user information, and device information. The TPM uses the account, user, and device information to acquire attestation credentials and endorsement credentials. The device uses the account, user and device information along with the attestation credentials and endorsement credentials to acquire limited use keys (LUKs) that are encrypted with the public key. The LUKs will only be decrypted as needed to support an actual transaction at the time of the transaction. Before decrypting an LUK, the TPM will authenticate a user of the device at the time of the transaction using, for example, a personal identification number (PIN), fingerprint, or other personal information.
    Type: Grant
    Filed: November 30, 2015
    Date of Patent: June 26, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tolga Acar, Matt Pisut, Doug Barlow, Michael Stark, Trent Byfield, Alex McKelvey, Malcolm Pearson
  • Patent number: 9977917
    Abstract: A content management system implementing methodologies providing retroactive shared content item links is disclosed. The content management system and methodologies allow a team administrator of a team to configure a team-wide shared link policy that determines whether non-team members can access content items associated with team accounts using shared links generated for the content items by team members. The team shared link policy has two settings. In a first setting, the content management system allows non-team members to use shared links generated by team members to access content items associated with team accounts. In a second setting, the content management system blocks access to the content items by non-team members. Shared links are retroactive in the sense they do not need to be regenerated after the team shared link policy has been changed from the second setting back to the first setting.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: May 22, 2018
    Assignee: Dropbox, Inc.
    Inventors: Anand Subramani, Mark Delamere, Jonathan Vincent, Philip Rha, Emil Ibrishimov, Thomas Carriero, Francois Alexander Allain