Abstract: Dynamic compression with dynamic multi-stage encryption for a data storage system in accordance with the present description includes, in one aspect of the present description, preserves end-to-end encryption between a host and a storage controller while compressing data which was received from the host in encrypted but uncompressed form, using MIPs and other processing resources of the storage controller instead of the host. In one embodiment, the storage controller decrypts encrypted but uncompressed data received from the host to unencrypted data and compresses the unencrypted data to compressed data. The storage controller then encrypts the compressed data to encrypted, compressed data and stores the encrypted, compressed data in a storage device controlled by the storage controller. Other aspects and advantages may be realized, depending upon the particular application.

Abstract: The exemplary embodiments are related to a device, a system, and a method for implementing a mechanism that is configured to prevent the unauthorized execution of software. A user device is configured to execute a feature access function corresponding to an application feature included in an application. The feature access function is configured to receive one of a plurality of values each time the application is launched. During operation, the feature access function receives a value and determines whether a condition is satisfied. When the condition is satisfied, the value is returned which indicates that execution of the application feature is permitted.

Abstract: A tie cell includes a first flip-flop having a physically unclonable function (PUF), a second flip-flop that generates a PUF key value, and logic that logically combines the PUF value and the PUF key value to generate an output signal having a constant logical value. The PUF value is based on a power-up value stored in the first flip-flop, which power-up value is generated based on physical and/or electrical characteristics produced from a manufacturing process. The output value is generated to tie digital logic to the constant logical value.

Abstract: A system and method for early detection of a compromised client device includes a tamper detection service configured to monitor modifications to resource access privileges over time to identify unusual variations in jailbreak status that indicate compromise of the client device. For example, the tamper detection service may monitor the jailbreak status of system files over time to expose attempts to hide the jailbreak status of a protected resource. To validate that malware is attempting to hide the jailbreak status of a protected resources, the tamper detection process may launch multiple different resource accesses, targeting the protected resource, to determine whether different accessibility results are returned, indicating a compromised device.

Abstract: Systems and methods for processing and transmission of encrypted data are provided. The method includes: encrypting a first data set; encapsulating the encrypted first data set in a protective layer; and transmitting the encapsulated encrypted first data set to a destination over one or more communication channels. The encrypting is performed by using a homomorphic encryption (HE) technique. The encapsulating is performed by using a quantum key distribution (QKD) encapsulation technique to generate a QKD-protected layer. The communication channels may include a classical/non-quantum channel over which the QKD-encapsulated encrypted first set of data is transmitted and a quantum channel over which a quantum key distribution is conducted, or a single communication channel to conduct both.

Abstract: Various systems, mediums, and methods herein describe aspects of an authentication system. The system may receive a request from a user device to authenticate a user. The system may determine a route traveled by the user. The route can be determined based at least on data retrieved from the user device of the user. The system may determine one or more objects viewable along the route. At least one image of the one or more objects can be selected. The system may communicate the at least one image and at least one other image to the user device to be displayed on the user device. The system may receive a selection of the at least one image by the user through a display of the user device. The authentication of the user can be based, at least in part, on the user selection of the at least one image.

Abstract: A mobile terminal privacy protection method includes obtaining an application start instruction, actively obtaining a biometric feature of a user according to the application start instruction, and displaying an encrypted content list and an unencrypted content list of a corresponding application if the obtained biometric feature of the user matches a preset biometric feature. The encrypted content list of the application is generated according to encrypted content in the application, the unencrypted content list of the application is generated according to unencrypted content in the application, and the encrypted content in the application is content that is not presented when the obtained biometric feature of the user does not match the preset biometric feature.

Abstract: Methods, systems, and computer readable media can be operable to facilitate the encryption of a device identifier using an identification property of a Soc. A unique identifier of a cable modem may be encrypted using a unique key or other unique property of a SoC associated with the cable modem. When an authentication process is initiated at the cable modem, the encrypted unique identifier of the cable modem may be decrypted using the unique key or other unique property of the SoC, thereby producing the unique identifier of the cable modem. The decrypted unique identifier of the cable modem may be output from the cable modem to an upstream controller during the authentication process. In embodiments, an obfuscation key may be used to encrypt and decrypt the unique identifier of the cable modem, and the obfuscation key may be generated using a unique identifier of the SoC.

Abstract: A method for data security including receiving a first recordset, said first recordset including a first poly-identifier representing a first personally identifiable information (PII), and a first contextual information, said first poly-identifier associated with a name field of a record in a PII structured data store. Also receiving at the server a second recordset, said second recordset including a second poly-identifier representing a second personally identifiable information (PII) and a second contextual information, said second poly-identifier comprised of unique characters associated with the name field of a record in the PII structured data store. Then comparing the first and second contextual information to calculate a correlation score to create a match table entry as a result of said comparing, said match table entry including both an internal ID and an external anonymous ID. The IDs may associate the contextual information between records to a single person.

Abstract: A temperature sensing security token may include a first resistor having a first side connected to a voltage source, a second resistor having a first side connected to the voltage source, an analog comparator having a first input connected to a second side of the first resistor and a second input connected to a second side of the second resistor and an output that represents at least one bit of a key, and an analog to digital converter having an input connected to the second side of the first resistor wherein an output of said analog to digital converter is related to temperature by a temperature coefficient of resistivity of the first resistor. The first resistor and the second resistor may have the same nominal resistance. The first resistor, the second resistor and the analog to digital comparator may be encased in the same package. The package may be configured to inhibit inspection and discovery of components contained in said package.

Abstract: A layered secret sharing scheme in which a trust set of each of the parties receiving a share of the secret is received and used to generate an authorized set and an adversary set for reconstruction of a secret. In this regard, an access structure defining an authorized subset of participants may be based, at least in part, on the encoded trust subsets of the shares. The secret sharing scheme includes a secret generator that generates the shares distributed to the parties. In turn, an authorized subset of participants as defined by the access structure may provide shares to a dealer for reconstruction of the secret. However, if the participants requesting secret reconstruction are not an authorized subset of participants or if participants define an adversary subset, the secret reconstruction fails. In this regard, even if an authorized subset is present, if an adversary subset is present, the reconstruction may be “killed.

Abstract: Embodiments are directed to techniques for chaining, triggering, and/or enforcing entitlements in a constrained environment. A constrained environment may be provided within with shielded assets are required to exist or execute. An entitlement may be granted on a variety of shielded assets, including datasets, computations scripts, data privacy pipelines, and intermediate datasets generated by an intermediate step of a data privacy pipeline. Thus, a beneficiary may use a granted entitlement as an input into other data privacy pipelines, without the need for the grantor to approve each specific downstream operation. The constrained environment may enforce an entitlement by fulfilling applicable constraints upon accessing the entitlement, restricting the output of the entitlement to the constrained environment, and fulfilling applicable policies when executing downstream operations.

Abstract: A non-transitory computer readable storage medium has instructions executed by a processor to define a parent application executing on a secure runtime hardware resource. A state snapshot of the secure runtime hardware resource is maintained. A fork request for a child application to be derived from the parent application is received. An updated state snapshot of the state snapshot is formed. The child application is instantiated. Encrypted state is transferred from the parent application to the child application. The encrypted state is used to derive an encryption key shared by the parent application and the child application. The encrypted state in the child application is decrypted using the encryption key to spawn an independent child application operative as an additional secure runtime instance. The parent application on the secure runtime hardware resource and the child application operative as the additional secure runtime instance are executed independently.

Abstract: Authentication systems and methods can selectively authenticate a request to access a resource data store storing access rights associated with a user device. The systems and methods can scalably execute challenges workflows as part of the authentication process. For example, a request to access one or more access rights stored in the data store can be received from the user device. The user device can be authenticated using challenge workflows selected based on a device identifier of the user device. The selected challenge workflows can be executed to determine whether or not to grant access to the access rights stored in the resource data store.

Abstract: The disclosed systems and techniques enable an enterprise system to store contact phone numbers for users while avoiding storing and managing personal phone numbers for the user. For example, the enterprise system may forward personal phone numbers to an aliasing server configured to (i) generate alias phone numbers based on the personal email addresses and (ii) provide the alias phone numbers to the enterprise system. The aliasing server may operate as a “middle man” that receives phone calls or text messages directed to the alias phone numbers and that forwards the phone calls or text messages to the corresponding personal phone numbers (when appropriate). The enterprise system may store and maintain the alias phone numbers in lieu of storing the personal email addresses.

Abstract: A method for combining different partial data includes providing a secure connection between a connection unit in a first network and an analysis unit a second network, separating original data into at least two items of partial data comprised of analysis data and personal data as first and second partial data that can be assigned to each other by way of assigning information, pseudonymizing the second partial data, transmitting the first partial data and pseudonymized second partial data and the assigning information to the analysis unit, storing the second partial data on the connection unit, providing third partial data on the analysis unit in the form of analyzed first partial data, transmitting the third partial data and the pseudonymized second partial data with the assigning information to the connection unit via the secure connection, and combining the third partial data and the second partial data using the assigning information.

Abstract: An example operation may include one or more of splitting a session key into a plurality of partial shares, distributing the plurality partial shares to a plurality of content providers, respectively, where each content provider receives a different partial share of the session key, encrypting a stream of media content based on the session key, and transmitting the encrypted stream of digital content to a user device which has one or more partial shares among the plurality of partial shares.

Abstract: A method for performing a fully homomorphic encryption on a plain text is disclosed. The method includes computing a first subfunction based on a first computationally intractable problem and the plain text to generate a first section of a cipher text. The method also includes computing a second subfunction based on a second computationally intractable problem and the plain text to generate a second section of the cipher text. The method further includes generating a fully homomorphic function by integrating the first subfunction and the second subfunction. The method further includes encrypting the plain text to a fully homomorphic cipher text using the fully homomorphic function.

Abstract: A method for authentication of chat bots includes determining that a first chat bot is authenticated, by a server, for first session communication at a first chat session with a first chat application instance. The first chat session is hosted by a first chat service. The method includes determining authentication intent to authenticate, with the server, a second chat bot for a second session communication at a second chat session with a second chat application instance. The second chat session is hosted by a second chat service, where the first chat bot and the second chat bot simulate respective chat application instances. The method also includes providing authentication credentials, via the first chat session, to authenticate the second chat bot with the server for the second session communication.

Abstract: Disclosed herein are systems and method for inspecting archived slices for malware. In one exemplary aspect, the method comprises mounting, to a disk, a first slice of a plurality of slices in a backup archive, wherein the first slice is an image of user data at a first time. The method further comprises detecting a modified block of the mounted, identifying at least one file in the mounted first slice that corresponds to the detected modified block, and scanning the at least one file for viruses and malicious software. In response to detecting that the at least one file is infected, the method comprises generating a cured slice that comprises the user data of the mounted first slice without the at least one file.