Abstract: This application provides a method, including: receiving, sent by a third-party server, a registration request which includes first information, second information, and third information, the first information is used to indicate a public key address of the third-party server, the public key address includes a first domain name, the second information is used to indicate a delivery address of event information, the delivery address includes a second domain name, the third information is used to indicate a target DNS record which includes a digital signature of the third-party server; when the first domain name is the same as the second domain name, obtaining a public key of the third-party server, and obtaining the target DNS record; performing signature authentication on the digital signature based on the public key, to obtain a signature authentication result; determining, based on the signature authentication result, whether to allow the third-party server to perform registration.

Abstract: Systems as described herein may implement non-persistent data caching using a dedicated web server. A non-persistent data caching system may determine that an application, executing on a computing device may require access to secure data located on a remote server external to the computing device. The non-persistent data caching system may initiate a dedicated web server on the computing device, retrieve the secure data from the remote server, and store the secure data in a volatile memory of the computing device. The non-persistent data caching system may subsequently redirect a request for at least a portion of the secure data from the application and to the dedicated web server, and the dedicated web server may send the requested portion to the application.

Abstract: A system disclosed herein may receive, from an application associated with a client identification, a request to perform a cryptographic operation with a specified application key, identify a gateway associated with the client identification, identify a respective characteristic of each self-encrypting key management service of a plurality of self-encrypting key management services that correspond to the gateway, identify a self-encrypting key management service with a characteristic satisfying a threshold criterion, and send the request to the identified self-encrypting key management service.

Abstract: A blockchain network may be used to improve upon public-key infrastructure by providing for fast and secure registration, revocation and update of digital certificates. A public key may be recorded on the blockchain by a certificate authority in such a manner that any third party may quickly and easily verify that the public key is certified by the certificate authority and that the certification has not been revoked. The certificate authority may be able to revoke the certification nearly instantaneously, and/or may be able to simultaneously certify a new key for the same entity while revoking the old key. In some cases, the ability to revoke a certification may be given to the owner of the public key or, in some cases, to one or even a group of other entities.

Abstract: A method that manages sensitive data. A computer system identifies the sensitive data for a group of application containers using configuration information for the group of application containers. The computer system encrypts the sensitive data identified for the group of application containers to form encrypted sensitive data. The computer system saves the encrypted sensitive data to a shared storage used by the group of application containers when the group of application containers is deployed.

Abstract: Cybersecurity is a critical requirement for current and future vehicles, to protect against catastrophic cyber attacks. Vehicles today (including land vehicles, waterborne vehicles, and aircraft including such embodiments as airplanes, helicopters, and air taxis) are constructed with myriad separate sensors and actuators, which generally have only limited cyber protections—a worrying vulnerability. Therefore, procedures are disclosed for a vehicle-wide 5G/6G network in which each ECU (electronic control unit) is a separate user device. Each ECU is also the manager of a set of sensors and actuators, forming a local sub-network with tightly regulated wireless protocols. Each ECU and each end sensor/actuator may include an AI model to detect and defeat cyber attacks.

Abstract: We disclose a blockchain e-voting system, where keeping the basic principles of voting does not require trusted-third parties. The system includes at least two vote nodes each having two sets of private and public keys, a voter management node, two smart contract modules, and a blockchain. A voter management node is configured to provide a cryptographic base for public key generation and to pre-register DIDs of vote nodes. A first smart contract module is configured to perform self-identification of vote nodes, encryption of votes, and generation of zero-knowledge proofs for the validity of their results, and to upload all the outputs to a blockchain. For the purpose, a vote node executes the first smart contract module, taking a voting decision, an asserted DID, the two sets of public and private keys as inputs, where one set of keys is for the self-identification, and another set is for the encryption.

Abstract: A method for data manipulation detection of numerical data values uses a testing device. A Benford vector is ascertained from the frequencies expected, according to the Benford's distribution, for predefined initial number groups in a transformation unit by use of a composition data transformation that reproduces the frequencies in relation to one another. A random number generator is repeatedly used to generate randomly distributed numerical values, and multiple simulation vectors are ascertained from the frequencies of the initial number groups of the randomly distributed numerical values by the transformation unit. A detection unit is used to ascertain a simulation deviation from the Benford vector for each simulation vector and to store it in a memory, after which a group of numerical data values is read in via an input interface. A test vector and a test deviation of the test vector are ascertained by the transformation unit.

Abstract: A method for slice authentication in a mobile telephone network. A WTRU performs, during a registration procedure with an Access and Mobility management Function, AMF, of a network, primary authentication of the WTRU, during which registration procedure the WTRU receives from the AMF a message indicating successful registration and including at least one of an indication of at least one network slice-specific authentication and authorization for slice access, SSSA, procedure to be executed following the registration procedure, a list of slices for which the WTRU is allowed access, and a list of slices for which SSSA is needed for access by the WTRU, and performs, after successful registration, at least one SSSA of the WTRU for accessing a first slice in the network.

Abstract: Systems and methods for implementing a software provisioning agent residing in a trusted execution environment. An example method comprises: receiving, by a software provisioning agent residing in a trusted execution environment (TEE) of a host computer system, a software provisioning command initiated by a software provisioning controller, wherein the software provisioning command identifies a target software application; receiving a file associated with the target software application; and performing, using the file, a software provisioning operation with respect to the target software application.

Abstract: Systems and methods comprising at least one node comprising an application container; a container image associated with the application container; a static analyzer module deployed to analyze the container image, with instructions configured to autonomously parse, code of an application, during compile time of the application, wherein the application is to be deployed in the application container; determine, based on the parsing, for at least one section of the code, at least one module necessary for execution of the at least one section; annotate, the at least one section of the code, based on the determined at least one module; and inject, at least one wrapper around the at least one section of the code, wherein the wrapper adds at least one restriction to an execution of the at least one section at runtime, wherein the restrictions are based on at least one condition.

Abstract: The disclosure provides an approach for logical switch level load balancing of Layer 2 virtual private network (L2VPN) traffic. A method of securing communications with a peer gateway generally includes establishing, at a virtual tunnel interface of a local gateway, a plurality of security tunnels with the peer gateway. Each of the plurality of security tunnels is associated with a different set of one or more layer 2 segments and with one or more security associations (SAs) with the peer gateway. The method generally includes receiving a packet, at the local gateway, via a first L2 segment. The method generally includes selecting one of the plurality of security tunnels and an SA associated with the selected security tunnel based on the L2 segment via which the packet was received. The method generally includes encrypting and encapsulating the packet based on the selected security tunnel and SA.

Abstract: The invention introduces an apparatus for detecting errors during data encryption. The apparatus includes a key generation circuitry and a key-error detection circuitry. The key generation circuitry is arranged operably to realize a key expansion operation for generating multiple round keys based on a root key in an encryption algorithm, where the encryption algorithm encodes plaintext or an intermediate encryption result with one round key in a corresponding round. The error detection circuitry is arranged operably to: calculate redundant data corresponding to each round key; and output an error signal to a processing unit when finding that any round key does not match corresponding redundant data at a check point during the key expansion operation.

Abstract: A method executed by a computing device includes obtaining, using a securely passing process, control over a first block of a blockchain of an object distributed ledger in response to a change of contingency status of the first block. The method further includes determining whether the triggered outcome is valid for a first contingency action token based on the change of contingency status of the first block. When the triggered outcome is valid for the first contingency action token, the method further includes updating the first contingency action token to indicate that the triggered outcome is valid for the first contingency action token to produce an updated first contingency action token. The method further includes generating a new block for the blockchain of the object distributed ledger in accordance with the securely passing process to represent the updated first contingency action token.

Abstract: Contents of client-initiated handshake messages of a security protocol are obtained at a handshake processing offloader configured for an application. The offloader uses a first security artifact (which is inaccessible from a front-end request processor of the application) and the contents of the handshake messages to generate a second security artifact. The second security artifact is transmitted to the front-end request processor, which uses it to perform cryptographic operations for client-server interactions of the application.

Abstract: A method of and system for virtual air-gapping of data in a network storage system. The method comprises creating a staging zone around a set of data within a global zone. The global zone is accessible over a network utilizing a network file system. The set of data is indexed generating a manifest containing metadata and a hash for each file within the set of data. The set of data and manifest is reallocated creating vaulted data. Access to the vaulted data is provided through an Application Programing Interface (API) configured to limit access to specified users and permissions which can exclude superusers. The API can be used to verify the vaulted data through recomputing the index manifest and hashes.

Abstract: A machine learning attack resistant strong PUF with a dual-edge sampling function comprises switch units, a first arbiter and a second arbiter. The first arbiter is for determining a sequential order of delays at a rising edge of signals input to a first input terminal and a second input terminal of the first arbiter. The second arbiter is for determining a sequential order of delays at a falling edge of signals input to a first input terminal and a second input terminal of the second arbiter. Each switch unit is composed of eight MOS transistors. The strong PUF has a high capacity to resist machine learning attacks and small hardware expenditure through simple structural design of the switch units, realizing machine learning attack resistance and small hardware expenditure at the same time, and generating a large number of challenge response pairs through dual-edge sampling realized by the two arbiters.

Abstract: Some embodiments provide a method for providing access in a scalable manner to resources in a first datacenter to clients operating in one or more public clouds. The method of some embodiments implements with multiple machines a public-cloud proxy to connect clients in the public cloud(s) to a reverse proxy in the first datacenter.

Abstract: There is herein disclosed a system for performing Quantum Key Distribution, the system including a transmitter adapted to transmit a plurality of optical pulses, a first receiver, a second receiver, an optical switch with an input which is in optical communication with the transmitter, the switch being switchable between a first switching position in which the input is optically connected to the first receiver, and a second switching position in which the input is optically connected to the second receiver, the system further including a guide for guiding a portion of the plurality of optical pulses to the first receiver via an optical path that bypasses the optical switch.

Abstract: Arrangements for controlling access to a protected entity include receiving a redirected request of the client to access the protected entity that was denied by the protected entity; granting, in response to the received redirected request, access tokens of a first type to the client; identifying a conversion transaction identifying a request to convert the first type of access tokens with access tokens of a second type, wherein the transaction designates at least the protected entity; converting, based on a determined conversion value, a first sum of the first type of access tokens into a second sum of the second type of access tokens wherein the conversion value is determined based on at least one access parameter; and granting the client access to the protected entity when the sum of the second type of access tokens is received as a payment from the protected entity.