Patents Examined by Moeen Khan
  • Patent number: 11115184
    Abstract: Techniques for using padding in format preserving encryption are provided. In one aspect, it may be determined if padding of a plaintext undergoing format preserving encryption is needed. A pseudo random padding length may be calculated when it is determined that padding is needed. The calculated length of padding may be added to the plaintext when it is determined that padding is needed. The plaintext and added padding may be encrypted using format preserving encryption to create a cipher text.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: September 7, 2021
    Assignee: Micro Focus LLC
    Inventors: Richard Minner, Terence Spies
  • Patent number: 11108803
    Abstract: A security system scans application programming interfaces (APIs) to detect security vulnerabilities by receiving API documentation from a third-party system associated with the API and organizing it in an API specification that describes the hostname of the API and one or more endpoints of the API. For each of the endpoints, the API specification includes a uniform resource identifier, a method term, an input content type, an output content type (if applicable), authorization details, and any associated parameters or arguments. The security system performs an audit job for each combination of endpoints, potential security vulnerabilities, and (in some embodiments) authentication flows. In some embodiments, the security system is able to access portions of the API requiring authentication by using authentication flows received from the third-party system and detect security vulnerabilities related to authentication by manipulating the authentication units that make up the authentication flow.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: August 31, 2021
    Assignee: Synopsys, Inc.
    Inventors: Shane Wilton, Benjamin D. Sedat, Angel Irizarry, Michael Borohovski, Ainsley K. Braun
  • Patent number: 11075887
    Abstract: There is described a method and data processing gateway comprising: data processing circuitry for performing data processing operations in response to program code; a first execution environment (FEE) and a second execution environment (SEE) for storing data and program code, wherein data and program code stored in the FEE when accessible to the data processing circuitry configured to operate in the FEE is inaccessible to the data processing circuitry when configured to operate in the SEE, the FEE comprising: a data ingestion store for receiving a device decryption mechanism into the FEE to decrypt encrypted device data, the data ingestion store further for receiving encrypted device data into the FEE and for decrypting the encrypted device data using the device decryption mechanism; and a subscriber client manager for receiving a first subscriber encryption mechanism into the FEE, and further for encrypting device data using the first subscriber encryption mechanism and further for transmitting encrypted dev
    Type: Grant
    Filed: January 17, 2017
    Date of Patent: July 27, 2021
    Assignee: ARM IP Limited
    Inventors: Karthik Ranjan, Shiv Ramamurthi
  • Patent number: 11032245
    Abstract: Embodiments of the present disclosure include a method, computer program product, and system for determining to push a data packet to a device. A processor may receive a first data packet. The processor may execute the first data packet in a secure environment. The secure environment may simulate a first state of a device. The device may include a firewall. The processor may determine, from the execution of the first data packet, that the first state changed to a second state. The processor may identify that the second state is a predetermined secure state. The processor may push the data packet to the device in response to identifying that the second state is the predetermined secure state.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: June 8, 2021
    Assignee: International Business Machines Corporation
    Inventors: Supriyo Chakraborty, Dinesh C. Verma, Seraphin B. Calo
  • Patent number: 11010754
    Abstract: Disclosed are techniques that use devices with corresponding identity wallet applications that execute on an electronic processor device of the devices, and which identity wallets store identity information and encrypt the stored identity information. A distributed ledger system, and a broker system that interfaces to the wallet and the distributed ledger are used for various information exchange cases pertaining to access to facilities. In particular, disclosed is a registration process to register an identity wallet with a facility.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: May 18, 2021
    Assignee: TYCO INTEGRATED SECURITY, LLC
    Inventors: Richard Campero, Sean Davis, Graeme Jarvis, Terezinha Rumble
  • Patent number: 10970232
    Abstract: A Data Storage Device (DSD) includes a Non-Volatile Memory (NVM) including a private partition with a write-once partition only internally accessed by a controller of the DSD. Data stored in at least one memory of the controller and in the private partition is encrypted. According to one aspect, the NVM includes a firmware partition, and at least one key associated with the DSD stored in the write-once partition is descrambled or decrypted using a scrambler key or decryption key stored in the firmware partition. According to another aspect, a method for establishing a root of trust includes generating a scrambler key or a decryption key, and generating at least one key associated with the DSD. The scrambler key or the decryption key is stored in a firmware partition of an NVM of the DSD, and the at least one key associated with the DSD is stored in a write-once partition.
    Type: Grant
    Filed: June 29, 2017
    Date of Patent: April 6, 2021
    Assignee: Western Digital Technologies, Inc.
    Inventor: Joseph Halpern
  • Patent number: 10949535
    Abstract: A set of candidate malicious activity identification models are trained and evaluated against a production malicious activity identification model to identify a best performing model. If the best performing model is one of the candidate models, then an alert threshold is dynamically set for the best performing model, for each of a plurality of different urgency levels. A reset threshold, for each urgency level, is also dynamically set for the best performing model.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: March 16, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Pengcheng Luo, Reeves Hoppe Briggs, Bryan Robert Jeffrey, Naveed Azeemi Ahmad
  • Patent number: 10938563
    Abstract: Technologies for provisioning cryptographic keys include hardcoding identical cryptographic key components of a Rivest-Shamir-Adleman (RSA) public-private key pair to each compute device of a plurality of compute devices. A unique cryptographic exponent that forms a valid RSA public-private key pair with cryptographic key components hardcoded into each compute device is provided to each compute device so that each compute device has a unique public key. The public key of each compute device may be used to provision unique secrets to the corresponding compute device.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: March 2, 2021
    Assignee: INTEL CORPORATION
    Inventors: Xiaoyu Ruan, Vincent Von Bokern, Daniel Nemiroff
  • Patent number: 10885157
    Abstract: A method, a computer program product, and a data processing system for determining a database signature of a database includes determining a set of characteristics of the database; identifying at least one unique characteristic of the database that is unique among characteristics of other databases, which characteristics of other databases are stored in a signature data store; generating the database signature from the at least one unique characteristic; and storing the database signature and the unique characteristic in the signature data store.
    Type: Grant
    Filed: April 3, 2017
    Date of Patent: January 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: Tomasz Hanusiak, Grzegorz Szczepanik, Jaroslaw Osinski, Konrad Wojciech Komnata
  • Patent number: 10860713
    Abstract: A method includes receiving marketing campaign associated data. The marketing campaign associated data is data associated with telephony communications from one or more telemarketing sources to a plurality of users. The method further includes applying a machine learning algorithm to the received marketing campaign associated data that determines anomalies associated with a subset of users of the plurality of users. The anomalies are determined based on audio signature of the telephony communications or based on telephony communications from a same source being disguised as different sources. The method includes identifying a marketing content within the telephony communications for the subset of users. The method also includes determining one or more common attributes between users within the subset of users and identifying a source of data breach based on the marketing content and further based on the one or more common attributes.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: December 8, 2020
    Assignee: RingCentral, Inc.
    Inventor: Christopher Van Rensburg
  • Patent number: 10862672
    Abstract: Techniques are disclosed for managing data of an application. One embodiment presented herein includes a computer-implemented method, which includes scanning a distributed system to identify one or more blocks comprising data associated with the application. The method further includes generating a witness block based on the one or more blocks. The witness block may comprise a state of the data from the one or more blocks. The method further includes adding the witness block to the distributed system.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: December 8, 2020
    Assignee: INTUIT, INC.
    Inventors: Glenn Scott, Michael R. Gabriel
  • Patent number: 10841302
    Abstract: A method for performing a security procedure by a terminal in a wireless communication system, and an apparatus thereof. The method includes transmitting a first access request message for accessing a first network of a core network to a first radio access network (RAN) node, performing an authentication procedure for mutual authentication with a node performing an authentication server function (AUSF) of the core network, generating a common key commonly used in one or more networks included in the core network based on an authentication vector obtained through the mutual authentication procedure, generating a first base key of the first network based on the common key and a network code corresponding to a type of the first network, and receiving an access accept message indicating an access accept of the first network from the first RAN node.
    Type: Grant
    Filed: May 24, 2017
    Date of Patent: November 17, 2020
    Assignee: LG ELECTRONICS INC.
    Inventors: Genebeck Hahn, Jiwon Kang, Heejin Kim, Ilmu Byun, Hyunjin Shim, Heejeong Cho
  • Patent number: 10841097
    Abstract: A method for verification of a data value via a Merkle root includes: storing, in a memory of a processing server, a Merkle root; receiving at least a data value, a nonce, and a plurality of hash path values; generating a combined value by combining the data value and the nonce; generating a first hash value via application of a hashing algorithm to the combined value; generating a subsequent hash value via application of the hashing algorithm to a combination of the first hash value and a first of the plurality of hash path values; repeating generation of the subsequent hash value using a combination of the next hash path value of the plurality of hash path values and the most recent subsequent hash value; and verifying the data value based on a comparison of the Merkle root and the last generated subsequent hash value.
    Type: Grant
    Filed: July 8, 2016
    Date of Patent: November 17, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Steven Charles Davis
  • Patent number: 10826876
    Abstract: The following description is directed to encrypting the characteristics of network traffic. In one example, a method can include receiving an unencrypted link layer packet including a first payload of a first size. The method can include encrypting the first payload of the unencrypted link layer packet. The method can include generating an encrypted link layer packet including a second payload. The second payload can include the encrypted payload and a variable length padding field so that the second payload of the encrypted link layer packet is a different size than the first size of the first payload. The encrypted link layer packet can then be transmitted.
    Type: Grant
    Filed: December 22, 2016
    Date of Patent: November 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Frederick David Sinn, Colm Gearöid MacCárthaigh, Thomas Bradley Scholl
  • Patent number: 10785248
    Abstract: Techniques for routing a request based on a vulnerability in a processing node are disclosed. A vulnerability analyzer determines a set of detected vulnerabilities in each of a set of processing nodes. Based on the detected vulnerabilities, the vulnerability analyzer determines a respective vulnerability score for each processing node. A routing engine receives a request to be processed by at least one of the set of processing nodes. The routing engine selects a particular node for processing the request based on the detected vulnerabilities in one or more of the set of processing nodes. The routing engine may select the particular node based on the vulnerability scores of the set of processing nodes. Additionally or alternatively, the routing engine may select the particular node based on whether the particular node includes any vulnerability that may be exploited by the request.
    Type: Grant
    Filed: March 22, 2017
    Date of Patent: September 22, 2020
    Assignee: Oracle International Corporation
    Inventors: Ajai Joy, Sarat Aramandla
  • Patent number: 10769291
    Abstract: Representative embodiments disclose mechanisms for automatically granting access to information based on a derived trust level. Communications between two users are evaluated to identify commonalities in user characteristics, data characteristics, and context of the communications to establish a trust level from one user to another. This information is utilized to establish a trust model between the two users. In future communications, the trust model is used to determine whether to grant access to information based on the current user characteristics, data characteristics and context. Requests for data are passed through the trust model to grant or deny access. Alternatively, data can be injected into a conversation when the appropriate characteristics are met. In alternative embodiments, security model parameters can be automatically adjusted and access granted or denied based on the security model.
    Type: Grant
    Filed: June 12, 2017
    Date of Patent: September 8, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Neal Osotio
  • Patent number: 10749674
    Abstract: In one example, a system for format preserving encryption utilizing a key version can include a processor, and a memory resource storing instructions executable by the processor to determine a quantity of significant bits for a value to be encrypted, mask the value to include the quantity of significant bits, perform format preserving encryption on the masked value to generate an encrypted value, and append a key version to the encrypted value.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: August 18, 2020
    Assignee: MICRO FOCUS LLC
    Inventors: Timothy Roake, Cheryl He, Luther Martin
  • Patent number: 10701108
    Abstract: Systems and methods for determination of a policy in a virtual desktop infrastructure (VDI) system. The system includes a virtual machine (VM) server providing VMs, and a VDI controller connected to the VM server. When the VDI controller receives a login request by a user from a computing device, the VDI controller authenticates the login request, and controls the VM server to assign one of the VMs to the computing device. In doing so, the VDI controller may obtain user information corresponding to the user and device information corresponding to the computing device based on the login request, and retrieve VM information of the VM being assigned to the computing device. Then the VDI controller may determine, from a plurality of policies, a specific policy for the user based on the user information, the device information and the VM information to define permission states of functionalities provided by the VM.
    Type: Grant
    Filed: November 10, 2016
    Date of Patent: June 30, 2020
    Assignee: AMZETTA TECHNOLOGIES, LLC
    Inventors: Brandon Burrell, Divya Nettem
  • Patent number: 10693625
    Abstract: An application processor includes a security processor. An operating method of the security processor includes generating a recoder input including a digit-unit multiplier and a reference bit. At least one random bit having a random value is generated. When the recoder input has a predetermined pattern, the recoder input is converted into a first recoding value or a second recoding value according to a random bit corresponding to the recoder input to generate a recoding result.
    Type: Grant
    Filed: April 12, 2017
    Date of Patent: June 23, 2020
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Ji-Su Kang, Kyoung-Moon Ahn, Yong-Ki Lee, Ki-Seok Bae
  • Patent number: 10694379
    Abstract: Aspects of the subject disclosure may include, for example, a method for use in a waveguide system that includes: receiving a wireless authentication request from a communication device, the wireless authentication request including a fiber authentication key; comparing, by the waveguide system, the fiber authentication key to fiber authentication data of the waveguide system to determine when the fiber authentication key is authenticated, wherein the fiber authentication data corresponds to a microwave fiber of the waveguide system; and when the fiber authentication key is authenticated, enabling communications with the communication device, wherein the communications include generating, by the waveguide system and in response to first wireless signals received from the communication device, first electromagnetic waves on a surface of a transmission medium, and wherein the first electromagnetic waves have a frequency within a microwave frequency range.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: June 23, 2020
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Ken Liu, Harold Rappaport, Farhad Barzegar, Irwin Gerszberg, Donald J. Barnickel, Pamela A. M. Bogdan, Paul Shala Henry, Thomas M. Willis, III, Robert Bennett