Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.

Abstract: The invention relates to a system for controlling access to a device protected by at least one pre-configured authentication factor, comprising an access control unit comprising a short-range wireless communication device, a module for receiving keys, a module for verifying authentication factors, at least one access path, and at least one controllable switch, configured to open or close the path for accessing the protected device in case of receiving an access authorisation coming from the verification module. The system further comprises an administration unit, adapted to allow to pre-configure each authentication factor and a user unit, configured to transmit at least one key to the module for receiving keys.

Abstract: A method of uploading blockchain data includes: a sub-institution node group receiving a data upload request sent by a sub-institution; the sub-institution node group looking up a node in an idle state according to the data upload request; the sub-institution node group receiving data uploaded by the sub-institution through the node in the idle state and uploading the received data to a blockchain temporary storage area; and the master institution node of the master institution corresponding to the sub-institution downloading the data uploaded by the sub-institution from the temporary storage area, and then uploading the downloaded data to a blockchain data storage area.

Abstract: A method for performing a blockchain operation includes receiving an indication of a number of a plurality of endpoints in a processing network. The method further includes assigning nonce offsets to each endpoint of the plurality of endpoints and assigning communication randomization windows to each endpoint of the plurality of endpoints. The communication randomization windows stagger communication windows of the endpoints to a head-end. Additionally, the method includes sending a message to each of the endpoints indicating an operation to perform and an expected result. Further, the method includes receiving a success indication from a first endpoint of the plurality of endpoints. The success indication including a nonce match value from the nonce offset of the first endpoint. Furthermore, the method includes verifying a nonce match value with the expected result.

Abstract: Apparatus and methods are disclosed for performing dynamic vulnerability correlation suitable for use in enterprise information technology (IT) environments, including vulnerability filtering, patch correlation, and vulnerability paring. According to one disclosed embodiment, a method of vulnerability filtering includes attempting to execute vulnerability scanning rules according to a specified order in a rule hierarchy, and depending on the type of the rule hierarchy and on whether the attempt was successful, not executing additional rules in the rule hierarchy. In another disclosed embodiment, a method of patch correlation includes executing vulnerability scanning rules based on a correlation associations including, if a particular vulnerability is detected, then not executing other correlated scanning rules for a particular software patch.

Abstract: A monitoring device configured to monitor a network to which plural controllers are connected which includes a decoder configured to extract target data belonging to a target data group from data received from the plural controllers, a first comparator configured to determine whether an immutable part of the target data is known or anomalous, a second comparator configured to determine whether a reception interval of the target data group is normal or anomalous, a third comparator configured to determine whether the number of the target data having been received and included in the target data group is normal or anomalous, and determine whether each reception interval between the target data is normal or anomalous, and a warning counter configured to individually count the number of anomalies determined by the first comparator, the number of anomalies determined by the second comparator, and the number of anomalies determined by the third comparator.

Abstract: A method of event-based distribution of a cryptographic digital asset includes receiving, from a computing device associated with a user, an indication that the computing device is located at a predetermined venue within a predetermined window of time; receiving a unique owner identification (ID) code associated with the user; receiving a unique code acquired by the user; determining a unique digital asset ID code corresponding to the received unique code, the unique digital asset ID code being representative of the cryptographic digital asset; and transmitting a cryptographic block to a distributed blockchain ledger to record transfer of the cryptographic digital asset to the user, the cryptographic block comprising both the unique digital asset ID code and the unique owner ID code.

Abstract: Within a mobile device, a method and system to produce a probability the mobile device is in possession of a known person, the first user. Sensors are used to detect and quantify the behavioral biometrics of the human traits of the person in possession of the device. On a continuous basis, a machine learning process collects the biometrics of several traits of the first user memorizing the artifacts of neural networks used for learning. Subsequently, a prediction neural network provisioned with these artifacts and processing new biometric inputs of the present user of the device produces a probability the present user of the device is the first user. Affirmation of identity can then be made based on that probability.

Abstract: Disclosed is a secure semiconductor chip. The semiconductor chip is, for example, a system-on-chip. The system-on-chip is operated by connecting normal IPs to a processor core included therein via a system bus. A secure bus, which is a hidden bus physically separated from the system bus, is separately provided. Security IPs for performing a security function or handling security data are connected to the secure bus. The secure semiconductor chip can perform required authentication while shifting between a normal mode and a secure mode.

Abstract: Provided are techniques for authenticating a device. Accepted communication patterns representing accepted modes of communication between devices in an internet of things network are stored. In response to receiving a new communication from a requesting device of the devices, it is determined whether the new communication matches at least one of the accepted communication patterns. In response to determining that the new communication matches, there is a response to the new communication. In response to determining that the new communication does not match, flagging the new communication as an anomaly and determining how to process the new communication based on the flagging.

Abstract: Memory scanning methods and apparatus are disclosed. An example apparatus includes an address identifier to, when an entry of a paging structure has been accessed, determine a first address corresponding to a page of physical memory when the entry of the paging structure maps to the page of the physical memory; and a scanner to: scan a threshold amount of memory beginning at a physical memory address corresponding to the first address; and determine whether the threshold amount of memory includes a pattern indicative of malware.

Abstract: An authentication passphrase is analyzed to identify a first set of parts of speech in the passphrase. Based on comparing the first set with a second set of parts of speech corresponding to a stored passphrase, it is determined that the first set and the second set have less than a threshold number of common elements. In response to the determining, the passphrase is analyzed to score a level of a previously-set emotional tone in the passphrase. Access to a protected resource is allowed in response to the score being above a threshold.

Abstract: Controlling execution of software is provided. In response to receiving an input to execute a software module on a data processing system, a set of measurements are performed on the software module performing a process to prepare the software module for execution on the data processing system. In response to determining that the set of measurements meets a predetermined criterion, an authorization to proceed with the process of preparing the software module for execution on the data processing system is requested from a trusted third party computer. In response to receiving the authorization to proceed with the process of preparing the software module for execution on the data processing system from the trusted third party computer, the software module is executed.

Abstract: An information handling system includes a processor, a baseboard management controller (BMC) agent that establishes a Transport Layer Security (TLS) session including a first cryptographic parameter shared between the BMC and the BMC agent, receives a request to register the BMC agent with the BMC via the TLS session, and provides a second cryptographic parameter to the BMC agent. The BMC establishes a second TLS session including a third cryptographic parameter, determines that the second TLS session is suspected of being from a malicious agent, and renegotiates with the BMC agent using the second cryptographic parameter within the TLS session to share a fourth cryptographic parameter between the BMC and the first BMC agent in response to determining that the second TLS session is suspect.

Abstract: A managed directory service receives, from a computer system operated in a first network, a request to obtain a set of credentials usable to access resources in a second network. In response to the request, the managed directory service determines, based at least in part on a first set of permissions in a directory maintained in the second network, that the computer system is authorized to receive the set of credentials. The managed directory service provides the set of credentials to the computer system, which enables use of the set of credentials to identify a second set of permissions for accessing resources in the second network.

Abstract: An electronic book distribution system includes electronic devices that reset their passcodes after specified authentication failures. The passcodes of an individual electronic device is reset to a value that is generated using a predefined function of a randomly generated support code. The support code is displayed to the user, and the user is instructed to contact a support service in order to obtain the new passcode. The support service independently authenticates the user, calculates the new device passcode using the same predefined function used by the electronic device, and provides the new passcode to the user.

Abstract: Disclosed is a method of customizing an appliance. The method includes steps of pre-storing a public key in the appliance; connecting the appliance to an external storage device; and booting up the appliance to automatically proceed with the following customization process: obtaining a customization file from the external storage device; authenticating the customization file with the public key; and executing customization with the customization file if the authentication succeeds.

Abstract: One embodiment provides a system that implements a 1-bit protocol for differential privacy for a set of client devices that transmit information to a server. Implementations may leverage specialized instruction sets or engines built into the hardware or firmware of a client device to improve the efficiency of the protocol. For example, a client device may utilize these cryptographic functions to randomize information sent to the server. In one embodiment, the client device may use cryptographic functions such as hashes including SHA or block ciphers including AES to provide an efficient mechanism for implementing differential privacy.

Abstract: The presently disclosed subject matter includes various inventive aspects, which are directed to direct access of a host computer device to a share storage space in a storage system, as well as secured access control of the direct access of the host computer device by a control computer device in the storage system, the direct access including direct read access and direct write access.

Abstract: A requestor and a responder may conduct secure communication by making API calls based on a secure multi-party protocol. The requestor may send a request data packet sent in a API request to the responder, where the request data packet can include at least a control block that is asymmetrically encrypted and a data block that is symmetrically encrypted. The responder may return a response data packet to the requestor, where the response data packet can include at least a control block and a data block that are both symmetrically encrypted. The requestor and the responder may derive the keys for decrypting the encrypted portions of the request and response data packets based on some information only known to the requestor and the responder. The secure multi-party protocol forgoes the need to store and manage keys in a hardware security module.