Patents Examined by Mohammad Siddiqi
-
Patent number: 11196722
Abstract: A first server exchanges with a second server a master (symmetric) key(s). The first server sends to the first application the master key(s). The second server generates dynamically a first derived key by using a generation parameter(s) and a first master key. The second server sends to the second application the first derived key and the generation parameter(s). The second application generates and sends to the first application a first (key possession) proof and the generation parameter(s). The first application verifies successfully by using the generation parameter(s), the first master key and the first proof, that the first proof has been generated by using the first derived key, generates and sends to the second application a second (key possession) proof. The second application verifies successfully that the second proof has been generated by using the first derived key, as a dynamically generated and proven shared key.
Type: Grant
Filed: April 4, 2018
Date of Patent: December 7, 2021
Assignees: THALES DIS FRANCE SA, THALES DIS CPL CANADA INC.
Inventors: Luis Miguel Huapaya, Anne-Marie Praden
-
Patent number: 11184774
Abstract: Various systems and methods for discovery and onboarding in an interconnected network framework of Internet of Things (IoT) devices are described. In an example, a technique for onboarding and provisioning a device onto an interconnected network framework includes operations to: receive a unique temporary device identifier from a device instance, the device instance indicating availability for onboarding onto a network; onboard the device instance onto the network; establish a secure session with the device instance via the network; receive, in the secure session, a secure device identifier; and initiate provisioning of the device instance in a secure directory based on the secure device identifier. In a further example, techniques are provided to securely identify and provision a second device instance (a doppelganger device instance) operating on a physical device that hosts both the first device instance and the second device instance.
Type: Grant
Filed: May 9, 2017
Date of Patent: November 23, 2021
Assignee: Intel Corporation
Inventors: Ned M. Smith, Nathan Heldt-Sheller
-
Patent number: 11184161
Abstract: For verifying authorization associated with a first electronic device by a second electronic device, using symmetric key encryption, the second electronic device receives from the first electronic device encrypted data and metadata with a key space identifier and positional information. The key space identifier defines a cryptographic key hierarchy and the positional information defines in the cryptographic key hierarchy the cryptographic key used to generate the encrypted data. The second electronic device derives the cryptographic key by way of a one-way function from cryptographic keys stored in the second electronic device, using the key space identifier and the positional information received from the first electronic device. The second electronic device decrypts the encrypted data, using the derived cryptographic key, for verifying the authorization associated with the first electronic device.
Type: Grant
Filed: July 17, 2018
Date of Patent: November 23, 2021
Assignee: LEGIC Identsystems AG
Inventor: Martin Buck
-
Patent number: 11177955
Abstract: One embodiment provides for an electronic device, comprising a network interface, a memory coupled with the network interface, at least one application processor coupled with the memory, the at least one processor to execute instructions stored in the memory, and a secure processor including a cryptographic engine, wherein the cryptographic engine is to generate a sealed encrypted message to be transmitted via the network interface, the sealed encrypted message encrypted on behalf of the at least one application processor and includes a signature to enable integrity verification of the sealed encrypted message, the signature generated based on an identity key of the electronic device and data including ciphertext of the encrypted message and a public key of a recipient of the sealed encrypted message.
Type: Grant
Filed: July 31, 2019
Date of Patent: November 16, 2021
Assignee: Apple Inc.
Inventors: Frederic Jacobs, Thomas Icart, Yannick L. Sierra
-
Patent number: 11172364
Abstract: Theft identification, prevention, and remedy are provided. A determination is made that a client device has been compromised. When the device makes the determination, a message is conveyed to the server and the server replies with a security challenge. When the server makes the determination, the security challenge is automatically sent to the device. An intelligence manager on the device attempts to answer the security question without interaction from the user. If there is an anomaly, a challenge is output to the user. Based on a false response to the challenge, a current data stream may be disrupted and removed from the device. Further, other devices in the network may be notified about the compromised device.
Type: Grant
Filed: November 4, 2019
Date of Patent: November 9, 2021
Assignee: WELLS FARGO BANK, N.A.
Inventors: Saipavan K. Cherala, Rameshchandra Bhaskar Ketharaju, Sumanth Kumar Charugundla, Damaraju P. Vittal
-
Patent number: 11165585
Abstract: A method, computer program product, and a system to globally serialize transactions where a processor(s) monitors issuance of access tokens by one or more applications. The processor(s) determines that a portion of the issued access tokens comprise a set of access tokens that provide access to an application provided as a service in the shared computing environment. The processor(s) generates a super token, where the generating comprises mapping the super token to the set of access tokens. The processor(s) stores the super token in a repository. The processor(s) provides the super token to authorized users requesting access to the application.
Type: Grant
Filed: June 11, 2019
Date of Patent: November 2, 2021
Assignee: International Business Machines Corporation
Inventor: Marci R. Wojcik
-
Patent number: 11159492
Abstract: An apparatus for adapting authorization information for a terminal is provided. The apparatus has a communication unit for communicating with the terminal, the communication unit being configured to carry out the communication as a test communication using an encryption protocol, a checking unit for checking a configuration of the encryption protocol on the terminal, and a control unit for adapting the authorization information for the terminal on the basis of a result of the check. A corresponding method for adapting authorization information for a terminal is also proposed. The proposed apparatus makes it possible to check the options supported by a terminal in an encryption protocol. In this case, the check can be carried out, in particular, using an encrypted communication connection which could not be monitored by a firewall.
Type: Grant
Filed: November 14, 2016
Date of Patent: October 26, 2021
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventors: Rainer Falk, Steffen Fries
-
Patent number: 11144631
Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
Type: Grant
Filed: August 13, 2019
Date of Patent: October 12, 2021
Assignee: Apple Inc.
Inventors: Bernard J. Semeria, Devon S. Andrade, Jeremy C. Andrus, Ahmed Bougacha, Peter Cooper, Jacques Fortier, Louis G. Gerbarg, James H. Grosbach, Robert J. McCall, Daniel A. Steffen, Justin R. Unger
-
Patent number: 11134064
Abstract: The present invention relates to a network guard unit for an industrial embedded system and a guard method. The specific method is to form the network guard unit (NGU) through security technologies, such as integrated access control, identity authentication and communication data encryption, to provide active guard for a site control device. The NGU comprises an access control module, an identity authentication module, a data encryption module, a key negotiation module and a PCIE communication module, and supports the communication modes of dual network cards and PCIE bus. The present invention builds a secure and trusted operating environment for industrial control systems in combination with an active guard technical means in the field of information security on the basis of ensuring the correctness and the feasibility of security of various terminal devices in the industrial control systems.
Type: Grant
Filed: June 7, 2018
Date of Patent: September 28, 2021
Assignee: SHENYANG INSTITUTE OF AUTOMATION, CHINESE ACADEMY OF SCIENCES
Inventors: Xianda Liu, Tianyu Wang, Jianming Zhao, Bowen Zhang, Peng Zeng, Haibin Yu
-
Patent number: 11126699
Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud computing system. The method includes executing a proxied attestation procedure with a client to enable the client to attest that an enclave management layer (EML) application provided by the cloud computing system runs on a TEE-enabled platform. The method also includes receiving, by the cloud computing system from the client, application code corresponding to the TEE-based application and receiving, by the EML application from the client, application parameters corresponding to the TEE-based application. In addition, the method includes writing, by the EML, application to a secure storage layer, the application parameters corresponding to the TEE-based application and creating, by the cloud computing system, an enclave configured to execute the TEE-based application.
Type: Grant
Filed: December 21, 2018
Date of Patent: September 21, 2021
Assignee: NEC CORPORATION
Inventors: Claudio Soriente, Ghassan Karame, Wenting Li
-
Patent number: 11122027
Abstract: Mechanisms support machine-to-machine service layer sessions that can span multiple service layer hops where a machine-to-machine service layer hop is a direct machine-to-machine service layer communication session between two machine-to-machine service layer instances or between a machine-to-machine service layer instance and a machine-to-machine application. Mechanisms are also disclosed that illustrate machine-to-machine session establishment procedures for oneM2M Session Management Service supporting multiple resources.
Type: Grant
Filed: November 22, 2019
Date of Patent: September 14, 2021
Assignee: Convida Wireless, LLC
Inventors: Dale N. Seed, Lijun Dong, Guang Lu, Michael F. Starsinic
-
Patent number: 11121856
Abstract: Disclosed embodiments relate to a unified Advanced Encryption Standard (AES), SMS4, and Camellia (CML) accelerator. In one example, a processor includes fetch circuitry to fetch a cipher instruction specifying an opcode, a datum, and a key, the opcode to specify one of three cryptographic modes and an operation, decode circuitry to decode the fetched cipher instruction, and execution circuitry to respond to the decoded cipher instruction by performing the operation using a selected one of three block ciphers corresponding to the specified cryptographic mode and a unified cipher datapath shared by the three block ciphers, the unified cipher datapath comprising a plurality of hybrid substitution boxes (Sboxes) to perform Galois Field (GF) multiplications and inverse computations, wherein the unified cipher datapath is to implement an eighth-order polynomial isomorphically equivalent to each polynomial used by the three block ciphers by calculating and then combining two fourth-order polynomials.
Type: Grant
Filed: June 15, 2018
Date of Patent: September 14, 2021
Assignee: Intel Corporation
Inventors: Sudhir Satpathy, Vikram Suresh, Sanu Mathew
-
Patent number: 11113366
Abstract: A method and system for authenticating software licenses of a software includes a request for a software authentication received from one or more software subscribers and one or more electronic licenses distributed between one or more software vendors and the one or more software subscribers. Further, one or more tokens are validated through an authentication engine at a delivery packet delivered to the software subscriber. A license key associated with each validated token is generated and distributed through a licensing engine. The software is initiated to be enabled through the license key.
Type: Grant
Filed: October 26, 2017
Date of Patent: September 7, 2021
Assignee: INFOSYS LIMITED
Inventors: Sudipto Shankar Dasgupta, Mayoor Rao, Gopinath Srungarapu, Vivek Sinha, Swaminathan Natarajan, Sairam Yeturi
-
Patent number: 11108567
Abstract: A single architected instruction to verify a signed message is executed. The executing includes determining a verify function of a plurality of verify functions supported by the instruction to be performed and obtaining input for the instruction. The input includes a message and a key. Based on the verify function to be performed and the input, a signature of the message is verified.
Type: Grant
Filed: February 15, 2019
Date of Patent: August 31, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Eric M. Schwarz, Jonathan D. Bradbury, Edward T. Malley, Christian Jacobi
-
Patent number: 11106830
Abstract: A system for securing a secret word during a read of the secret word from a read-only memory (ROM) is disclosed. The system includes a memory controller coupled to the ROM and a random number generator coupled to the memory controller. The random number generator is configured to generate a random number. The system further includes a number shuffler coupled to the random number generator and the memory controller. The number shuffler is configured to generate a bit read order based on the random number and the memory controller is configured to read bits of the secret word from the ROM according to the bit read order.
Type: Grant
Filed: December 7, 2018
Date of Patent: August 31, 2021
Assignee: NXP USA, INC.
Inventors: Stefan Doll, Sandeep Jain, Vivek Sharma, Dhruv Satsangi, Arnavesh Varun Giri, Ankur Krishna, Nitin Moudgil
-
Patent number: 11108786
Abstract: A data processing method may include: determining, by a transaction initiation node in a blockchain, transaction data of a transaction and information to be hidden in the transaction data; obtaining, by using the transaction data as an input of a predetermined one-way function, a transaction root of the transaction, and constructing, based on the transaction root, proof data corresponding to the information to be hidden; and, after signing the transaction root, initiating a transaction request to write the transaction root and the proof data on the blockchain, for a node in the blockchain to perform consensus verification on the transaction root and the proof data, and approve or reject the transaction request based on a verification result.
Type: Grant
Filed: February 6, 2021
Date of Patent: August 31, 2021
Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
Inventor: Husen Wang
-
Patent number: 11106775
Abstract: Application information is received by a client and from a server, and the application information includes an application identifier corresponding to a digital certificate application request transmitted by the client to the server. The application information is delivered to a secure element associated with the client by the client. A public and private key pair are generated by the secure element. The application identifier is signed using the private key to generate terminal signature data. Specified format data is generated by encapsulating the terminal signature data and the public key into the specified format data. The specified format data is transmitted from the secure element to the client. The specified format data is transmitted by the client to the server.
Type: Grant
Filed: October 15, 2018
Date of Patent: August 31, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Yawen Wei
-
Patent number: 11108754
Abstract: Device to device (D2D) communication can be performed with packet data convergence protocol (PDCP) based encapsulation without internet protocol (IP) addressing. The non-IP D2D PDCP-encapsulated communication can further include two forms of secure data transfer. A first non-IP D2D PDCP-encapsulated communication can be a negotiated non-IP D2D PDCP-encapsulated communication. A second non-IP D2D PDCP-encapsulated communication can be a non-negotiated non-IP D2D communication. The non-negotiated non-IP D2D PDCP-encapsulated communication can include a common key management server (KMS) version and a distributed KMS version. The encapsulated communication can be used with various protocols, including a PC5 protocol (such as the PC5 Signaling Protocol) and wireless access in vehicular environments (WAVE) protocols.
Type: Grant
Filed: July 19, 2019
Date of Patent: August 31, 2021
Assignee: APPLE INC.
Inventors: Alexandre Stojanovski, Muthaiah Venkatachalam, Ana Lucia A. Pinheiro, Farid Adrangi
-
Patent number: 11106766
Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for embedding copyright information in one or more pages for presenting digital content. One of the methods includes generating, by a computing device, a unique identifier (ID) based on copyright information associated with the digital content; identifying one or more attributes associated with a page design of one or more blank pages of an electronic file; embedding the unique ID in the one or more blank pages by changing the one or more attributes to be representative of the unique ID; allocating the digital content to at least one of the one or more information-embedded pages; and distributing, by the computing device, the one or more information-embedded pages allocated with the digital content to the blockchain network.
Type: Grant
Filed: December 13, 2019
Date of Patent: August 31, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Zhiguo Li
-
Patent number: 11108740
Abstract: Virtual desktops are hosted on one or more remote desktop hosts at one or more private locations of an enterprise, remote from a service provider location, and behind a firewall on a private computer network. The desktops are remotely managed through resources at a service provider data center, optionally along with other virtual desktops hosted on desktop hosts at the service provider data center. The remote desktop hosts can be pre-configured with known storage, compute and connectivity resources. The remote desktop hosts can be remotely managed through a resource management appliance, i.e., a management system running resource management software, which can be located at either the service provider data center or the tenant data center.
Type: Grant
Filed: September 12, 2019
Date of Patent: August 31, 2021
Assignee: VMware, Inc.
Inventors: Kenneth N. Ringdahl, Anthony Alvino, Jr., Daniel B. Allan