Abstract: Disclosed is a process for testing a suspect model to determine whether it was derived from a source model. An example method includes receiving, from a model owner node, a source model and a fingerprint associated with the source model, receiving a suspect model at a service node, based on a request to test the suspect model, applying the fingerprint to the suspect model to generate an output and, when the output has an accuracy that is equal to or greater than a threshold, determining that the suspect model is derived from the source model. Imperceptible noise can be used to generate the fingerprint which can cause predictable outputs from the source model and a potential derivative thereof.

Abstract: Disclosed are methods for encrypting communications with a remote endpoint via a memory device. In one embodiment, a memory device is configured to receive, from the application, a request to establish a communications session with a remote computing device, establish a shared symmetric key, the shared symmetric key shared between the memory device and the remote computing device, receive a message from the application, the message including an identifier of the remote computing device and a payload, generate a ciphertext using the symmetric key and the payload, and return the ciphertext to the application.

Abstract: A method including encrypting, by a user device based at least in part on utilizing a symmetric key, a folder stored on the user device; encrypting, by the user device based at least in part on utilizing an assigned public key specific to the folder, the symmetric key to determine a single-encrypted symmetric key; encrypting, by the user device based at least in part on utilizing a trusted device key specific to the user device, the single-encrypted symmetric key to determine a double-encrypted symmetric key; encrypting, by the user device based at least in part on utilizing a trusted user key specific to the folder, an assigned private key that is associated with the assigned public key; and storing, by user device, the double-encrypted symmetric key and the encrypted assigned private key in an associated memory is disclosed. Various other aspects and techniques are contemplated.

Abstract: A method including decrypting, by a user device based at least in part on utilizing a first trusted key generated by a trusted device, an assigned private key associated with the user device; decrypting, by the user device based at least in part on utilizing a second trusted key generated by the trusted device, a double-encrypted symmetric key to determine a single-encrypted symmetric key; decrypting, by the user device based at least in part on utilizing the assigned private key, the single-encrypted symmetric key to determine a symmetric key; and decrypting, by the user device based at least in part on utilizing the symmetric key, an encrypted folder stored on the user device to provide access to data included in the encrypted folder. Various other aspects and techniques are contemplated.

Abstract: Described herein are a system and techniques for enabling biometric authentication without exposing the authorizing entity to sensitive information. In some embodiments, the system receives a biometric template from a user device which is encrypted using a public key associated with the system. The encrypted biometric template is then provided to a second entity along with a biometric identifier. Upon receiving a request to complete a transaction that includes the biometric identifier and a second biometric template, the second entity may encrypt the second biometric template using the same public key associated with the system and perform a comparison between the two encrypted biometric templates. The resulting match result data file is already encrypted and can be provided to the system to determine an extent to which the two biometric templates match.

Abstract: A non-transitory computer-readable storage medium, a secure application framework, a system, and a computer implemented method for enabling secure processing of data are disclosed. The method comprises steps performed within a secure application framework running in a trusted execution environment. The data encrypted using a first random key are received, the first random key is received in a secure way, and the encrypted data is decrypted using the first random key. The data are then input to the processing application, the processing application is executed to process the input data, and output data are received from the processing application. A second random key is generated, the output data are encrypted using the second random key, the second random key is encrypted using a public key of a storage device, and the encrypted output data and the encrypted second random key are sent to the storage device.

Abstract: A method of data communication includes receiving, by a first wireless access gateway (WAG), at least a first data packet corresponding to a first data flow transmitted from user equipment (UE) and receiving, by a second WAG, at least a second data packet transmitted from the UE. In response to receiving the second data packet, the second WAG determines an identity of the first WAG, and in response to determining the identity of the first WAG, the method includes establishing a tunnel connection between the first WAG and the second WAG. After establishing the tunnel connection, the method includes receiving by the second WAG at least a third data packet corresponding to the first data flow transmitted from the UE, and the second WAG transmits to the first WAG, via the tunnel connection, the third data packet.

Abstract: The present disclosure provides a method, system, and device for distributing a software release. To illustrate, based on one or more files for distribution as a software release, a release bundle is generated that includes release bundle information, such as, for each file of the one or more files, a checksum, meta data, or both. One or more other aspects of the present disclosure further provide sending the release bundle to a node device. After receiving the release bundle at the node device, the node device receives and stores at least one file at a transaction directory. After verification that each of the one or more files is present/available at the node device, the one or more files may be provided to a memory of a node device and meta data included in the release bundle information may be applied to the one or more files transferred to the memory.

Abstract: A method including configuring, by an infrastructure device, a user device to encrypt authentication information associated with authenticating the user device with a service provider, the authentication information including first factor authentication information for determining a first factor and second factor authentication information for determining a second factor; configuring, by the infrastructure device, the user device to detect an attempt to access a service to be provided by the service provider; configuring, by the infrastructure device, the user device to determine, based on detecting the attempt, the first factor based on decrypting the first factor authentication information and the second factor based on decrypting the second factor authentication information; and configuring, by the infrastructure device, the user device to enable authentication of the user device with the service provider based on utilizing the first factor and the second factor. Various other aspects are contemplated.

Abstract: A verifier device of an authentication system comprises physical layer circuitry and processing circuitry coupled to the physical layer circuitry. The processing circuitry is configured to encode an authentication command for sending to a credential device; decode a response communication received from the credential device, wherein the response communication includes a first random number; encrypt the first random number, a second random number, and verifier keying material for sending to the credential device; decrypt encrypted information received from the credential device, wherein the encrypted information includes the first random number, the second random number, and receiver keying material; and calculate a session encryption key using the verifier keying material and the receiver keying material.

Abstract: There is provided mechanisms for initial network authentication between a communications device and a network. A method is performed by the communications device. The communications device comprises an identity module supporting remote subscription profile download. The identity module comprises credentials for remote subscription profile download. The method comprises performing a first message exchange with an authentication server. The first message exchange comprises an identity module challenge obtained from the identity module being transmitted to the authentication server from the communications device. The method comprises receiving a second message from the authentication server. The second message comprises an ephemeral public key of the authentication server, an authentication server challenge and an authentication server signature.

Abstract: An apparatus for validating user data includes a resource data storage system that stores data identifiers, data entries, and authorization sets. Resource data storage system may use an immutable sequential listing to store data. Resource data system may be used to evaluate and fulfill an authorization transfer request, in which, a user may request to transfer an authorization set with a lost identifier to a known identifier. User may be requested to commit to a user secret to validate user identity.

Abstract: A method including transmitting, based on verifying first biometric information, a first decryption request including an encrypted first cryptographic key in association with a first identifier to indicate that the encrypted first cryptographic key is to be decrypted by utilizing a first master key; decrypting, based on receiving a decrypted first cryptographic key, first factor authentication information to enable determination of a first factor; transmitting the first factor for authentication; transmitting, based on successful authentication of the first factor and on verifying second biometric information, a second decryption request including an encrypted second cryptographic key in association with a second identifier to indicate that the encrypted second cryptographic key is to be decrypted by utilizing a second master key; decrypting, based on receiving a decrypted second cryptographic key, second factor authentication information to enable determination of a second factor; and transmitting the second

Abstract: Methods and systems for remote, asynchronous key entry and extraction are provided. A credential device can store a first key thereon, and can store an encrypted key component. A hardware security module manages a key template including a plurality of key components. The hardware security module manages a complementary key to the first key. The key component on the credential device can be encrypted with the first key for storage on the credential device and decrypted by the complementary key at the hardware security module. Alternately, the key component can be encrypted with the complementary key and provided to the credential device for decryption at a secure system via the first key. Accordingly, a key custodian may supply or extract a key component at a hardware security module remotely and at a time convenient to that key custodian.

Abstract: A system and method for securely computing an inference of two types of tree-based models, namely XGBoost and Random Forest, using secure multi-party computation protocol. The method includes computing a respective comparison result of each respective node of a plurality of nodes in a tree classifier. Each node has a respective threshold value. The respective comparison result is based on respective data associated with a data owner device being applied to a respective node having the respective threshold value. The method includes computing, based on the respective comparison result, a leaf value associated with the tree classifier, generating a share of the leaf value and transmitting, to the data owner device, a share of the leaf value. The data owner device computes, using a secure multi-party computation and between the model owner device and the data owner device, the leaf value for the respective data of the data owner.

Abstract: A secure cartridge-based storage system includes a set of read/write control electronics on a control board adapted to removably couple with each of a plurality of storage cartridges. The read/write control electronics are adapted to transmit a public key to a target storage cartridge in response to a read/write command received from a host device. The target storage cartridge includes and encryption circuit that authenticates the transmitted public key against a stored public key, accesses a locally-stored encryption key responsive to successful authentication of the public key; and utilizes the locally-stored encryption key to encrypt or decrypt data of the read/write command that is in transit between the storage media and the control board.

Abstract: Disclosed is a method that includes training, at a client, a part of a deep learning network up to a split layer of the client. Based on an output of the split layer, the method includes completing, at a server, training of the deep learning network by forward propagating the output received at a split layer of the server to a last layer of the server. The server calculates a weighted loss function for the client at the last layer and stores the calculated loss function. After each respective client of a plurality of clients has a respective loss function stored, the server averages the plurality of respective weighted client loss functions and back propagates gradients based on the average loss value from the last layer of the server to the split layer of the server and transmits just the server split layer gradients to the respective clients.

Abstract: This disclosure relates to systems and methods for performing cryptographic operations in connection with the management of electronic content using multiple license services. In some circumstances, a content service may not wish to share unencrypted content keys with a single license service for a variety of security reasons. Embodiments of the disclosed systems and methods may use multi-party cryptographic methods in connection with the management of protected content keys and/or associated licenses and/or the distribution of content keys and/or licenses to authorized users and/or devices. In various embodiments, a content service may split a content key into a plurality of key shares and may transmit the key shares to a plurality of different license services. The license services may coordinate operations to generate a protected content key without revealing unencrypted content key to any of the participating license services.

Abstract: A request to establish an encrypted VPN connection between a network external to a provider network connected to the provider network via a dedicated direct physical link and a set of resources of the provider network is received. A new isolated virtual network (IVN) is established to implement an encryption virtual private gateway to be used for the connection. One or more protocol processing engines (PPEs) are instantiated within the IVN, address information of the one or more PPEs is exchanged with the external network and a respective encrypted VPN tunnel is configured between each of the PPEs and the external network. Routing information pertaining to the set of resources is provided to the external network via at least one of the encrypted VPN tunnels, enabling routing of customer data to the set of resources within the provider network from the external network via an encrypted VPN tunnel implemented over a dedicated direct physical link between the external network and the provider network.

Abstract: A method of authenticating devices for secure data exchange. A system receives a scheduling request and generates a ledger of participants authorized to be admitted to a communication session during a time window. For each participant, the ledger includes a participant identifier, a participant key, and a meeting identifier corresponding to the communication session. The participant key and meeting identifier are encoded into a short-code which is redeemed, by the participants, for an access token authorizing a peer-to-peer connection between devices within a meeting room during the communication session. The participants include a host who has special privileges during the communication session, and one or more clients.