Abstract: A system includes a privacy vault storing user-associated contents. The vault also stores access permissions defined for third-parties with whom the user has a sharing relationship. An access permission defines, for at least one third party, procurement and utilization policies for vault contents accessed by the third-party. The system may access a user account to recover user-associated contents stored by the accessed account and stores the recovered contents in the privacy vault. The system receives a request from a third-party to access identified contents stored in the privacy vault and determines if the contents are procurable by the third party based on an access permission defined, in the privacy vault, for the third-party. The system provides procurable contents to the third party along with indication of any constraints on the contents defined by utilization policies of the access permission defined for the third party.

Abstract: This disclosure relates to secure optical communication links. In particular, this disclosure relates to data storage devices, random access memories, host interfaces, and network layers that comprise a secure optical communication link. A data storage device comprises an optical data port to connect to an optical communication link external to the data storage device and a non-volatile storage medium to store user content data received over the optical communication link. A controller controls access to the user content data stored on the non-volatile storage medium. A cryptography engine uses a cryptographic key to perform cryptographic operations on data sent and received through the optical data port. An optical key distribution device coupled to the optical data port performs quantum key distribution over the optical communication link to provide the cryptographic key to the cryptography engine.

Abstract: A device may receive real time telecommunications data associated with a telecommunications network, and may select a first machine learning model from a first plurality of machine learning models based on the real time telecommunications data. The device may select a second machine learning model from a second plurality of machine learning models based on the real time telecommunications data. The device may process, in a first stage, the real time telecommunications data, with the first machine learning model, to determine a probability score indicating whether a customer technical problem telephone call will occur. The device may process, in a second stage and based on the probability score satisfying a threshold, the real time telecommunications data, with the second machine learning model, to determine a category associated with the customer technical problem telephone call, and may perform one or more actions based on the category.

Abstract: A method includes receiving registration information regarding a telematics unit and a respective control system for a plurality of equipment pieces; receiving a seed from a control system of a first equipment piece via a telematics unit of the first equipment piece based on receiving a telematics session request by the control system of the first equipment piece; authenticating the telematics unit and the control system of the first equipment piece based on information included with the seed and the registration information; generating a first encrypted key and a second encrypted key based on the authentication; providing the first key to the telematics unit for the first equipment piece; and providing the second encrypted key to the control system of the first equipment piece via the telematics unit of the first equipment piece to establish a data communication channel.

Abstract: A method executing an instruction (300) to execute a query (q) for a data block (102) and determining whether the data block is stored in a block stash (370). When the data block is stored in the block stash during a download phase, the method includes removing the data block from the block stash, sending a fake query (304) to a distributed system (140) to retrieve a random data block stored in memory (114) of a distributed system (140), and discarding the random data block. When a current version of the data block is stored in the block stash during an overwrite phase, the method includes sending a fake query to the distributed system to retrieve another random data block stored in the memory of the distributed system, decrypting and re-encrypting the random data block with fresh randomness, and re-uploading the re-encrypted random data block onto the distributed system.

Abstract: A subscriber identity module (eUICC), comprises profiles for the utilization of a mobile terminal that include at least a first profile and at least a second profile, of which the second profile (Pr1, Pr2) is devised as an active profile. The first profile is designed as a root profile (PrR) which in a normal state of the subscriber identity module is in an inactive state, and which is devised to be activated in response to an authentication command (AUTHENTICATE) received at the subscriber identity module. The authentication command is specially parameterized for the root profile (PrR) with a specific root value of the network parameter (P2) to be activated during a change-over period. The initially active second profile (Pr1, Pr2) is deactivated during the change-over period. After the end of the change-over period, the first profile (PrR) is again deactivated and the second profile (Pr1, Pr2) is again activated.

Abstract: A system for credential authentication includes and interface and a processor. The interface is configured to receive a request for authorization to access from an application. The processor is configured to determine a set of credentials that can enable authorization to access; generate a proof request challenge; receive a proof response; determine that the proof response is valid based at least in part on information stored in a distributed ledger; generate a token; and provide the token.

Abstract: Methods, systems, and computer programs are presented for secure data encryption in a multi-tenant service platform. One method includes an operation for detecting a write request to write index data to storage. The write request is from a first user from a group of users, and the storage is configured to store index data for the group of users. Further, the method includes operations for authenticating that the first user is approved for access to the storage, and for identifying a first encryption key for the first user, where each user from the group of users has a separate encryption key. Further yet, the method includes encrypting the index data with the first encryption key and storing the encrypted index data in the storage.

Abstract: A system and method for constructing an improved computing model that preserves use rights for data utilized by the model. A first dataset is accessed to build a computing model. The first data set is subject to terminable usage rights provisions. A portion of the first dataset is sampled to generate a second dataset. Vectors present in the first dataset and the second dataset are discretized. In response to determine that the usage rights associated with the primary dataset have been terminated, a coverage depletion for the second dataset is computed based on the usage rights termination associated with the first dataset. An estimated mean time to coverage failure for the first model based on the depletion coverage is determined for the second dataset. One or more data points are removed from the first dataset due to the termination of usage rights.

Abstract: A device can (i) operate a primary platform (PP) within a tamper resistant element (TRE) and (ii) receive encrypted firmware images for operating within the primary platform. The TRE can store in nonvolatile memory of the TRE (i) a PP static private key (SK-static.PP), (ii) a server public key (PK.IDS1), and (iii) a set of cryptographic parameters. The TRE can generate a one-time PKI key pair of SK-OT1.PP and PK-OT1.PP and send the public key PK-OT1.PP to a server. The TRE can receive a one-time public key from the server comprising PK-OT1.IDS1. The TRE can derive a ciphering key using an elliptic curve Diffie Hellman key exchange and the SK-static.PP, SK-OT1.PP, PK.IDS1, and PK-OT1.IDS1 keys. The TRE can decrypt the encrypted firmware using the derived ciphering key. The primary platform can comprise a smart secure platform (SSP) and the decrypted firmware can comprise a virtualized image for the primary platform.

Abstract: A system for credential storing and verifying includes an interface and a processor. The interface is configured to receive an indication to register a credential. The processor is configured to indicate to store in a distributed ledger a DID document associated with a holder identifier using a smart contract. Storing using the smart contract employs a dual signature authentication scheme to authorize storing based at least in part on an individual signature and a ledger writer signature. The processor is further configured to indicate to store in the distributed ledger a schema associated with an issuer of the credential using the smart contract and indicate to store in the distributed ledger a credential definition associated with the schema using the smart contract.

Abstract: A system for providing access is configured to receive an application access request from an application for authorization to access and a sensitive data access request from the application for authorization to access a document that includes sensitive data. The system is further configured to determine to authorize access to the application in response to the application access request; to determine the user authentication device in response to the sensitive data access request; to provide a secondary request for authorization to access sensitive data to the user authentication device in response to the sensitive data access request, receive a secondary request response from the user authentication device to the secondary request; and to provide the secondary request response to the application enabling access to the sensitive data, where the document is encrypted for delivery to the application for the user using a blinding secret and an identity private key.

Abstract: A device includes a power button and a fingerprint sensor, where the power button is integrated with the fingerprint sensor. A method is applied to a process in which a user presses the power button to start up the device. The method includes obtaining fingerprint information acquired by the fingerprint sensor, and saving the fingerprint information. The method further includes obtaining a fingerprint authentication request. The method further includes providing the fingerprint information to perform fingerprint authentication to log in to an operating system of the device.

Abstract: A system for credential authentication include an interface configured to receive a create indication to create a location aware credential, wherein the location aware credential specifies visit location data and receive a check in indication to check in from an authentication device, wherein the authentication device provides the check in indication to check in in response to determining that a detected location is within a geographic boundary designated in the visit location data of the location aware credential, and a processor configured to provide a proof request, receive a proof response, validate the proof response using a distributed ledger, and provide a success indication of successful check in.

Abstract: Permission to execute a remote procedure call as requested by a first vehicle-enabled application over a first connection is validated using permissions assigned to the first vehicle-enabled application according to a policy table of the vehicle. Permission to execute the remote procedure call as requested by the second vehicle-enabled application over the second connection as forwarded to vehicle over the first connection is validated using permissions assigned to the second vehicle-enabled application according to the policy table of the vehicle.

Abstract: A method for representing certificate expiration includes obtaining, from a root certificate authority, a root digital certificate and generating a chain of intermediate certificate authorities. Each intermediate certificate authority includes a respective intermediate certificate digitally signed by the intermediate certificate authority that is immediately higher in the chain and a respective validation time period indicating a range of times when the intermediate certificate authority is permitted to digitally sign certificates. The respective validation time period includes the validation time period of each intermediate certificate authority that is lower in the chain. The method includes generating a certificate revocation list and generating, from the lowest intermediate certificate authority in the chain, a plurality of end entity certificates.

Abstract: Some embodiments of the invention provide a method for deploying network elements for a set of machines in a set of one or more datacenters. The datacenter set is part of one availability zone in some embodiments. The method receives intent-based API (Application Programming Interface) requests, and parses these API requests to identify a set of network elements to connect and/or perform services for the set of machines. In some embodiments, the API is a hierarchical document that can specify multiple different compute and/or network elements at different levels of compute and/or network element hierarchy. The method performs automated processes to define a virtual private cloud (VPC) to connect the set of machines to a logical network that segregates the set of machines from other machines in the datacenter set. In some embodiments, the set of machines include virtual machines and containers, the VPC is defined with a supervisor cluster namespace, and the API requests are provided as YAML, files.

Abstract: Disclosed are apparatus, systems, computer readable media, or methods wherein user interface user interactions may be electronically logged and stored based on various inputs and outputs of data from the user interface forming a digital chain of events and interactions (e.g., a blockchain). An interaction logging system is disclosed including a user tracking or logging engine configured to derive session data and user interface data storing the same into interaction tracking chains or blockchains. A validation blockchain may co-exist with a session blockchain that may be formed independently and include version data of user interface software acting as a secure verifiable history of the versions of the user interface. In a session block of the session blockchain, a pointer may be stored with the session data, wherein the pointer indicates a particular block on the validation blockchain that may assist in the validation of information stored in the session blockchain.

Abstract: According to one embodiment, a memory system includes a nonvolatile memory and a controller. In response to receiving from a host a write request designating a first address for identifying data to be written, the controller encrypts the data with the first address and a first encryption key, and writes the encrypted data to the nonvolatile memory together with the first address. In response to receiving from the host a read request designating a physical address indicative of a physical storage location of the nonvolatile memory, the controller reads both the encrypted data and the first address from the nonvolatile memory on the basis of the physical address, and decrypts the read encrypted data with the first encryption key and the read first address.

Abstract: Techniques are described that enable maintaining of session stickiness across authentication and authorization channels in an access management system, through the use an identifier for an access manager from a plurality of access managers. The access manager authenticates a user of a client device based on an authentication request. In response to response to successful authentication of the user, the access manager creates a session. The access manager also generates the identifier and causes the identifier to be stored for the session. The access manager can then receive a second request, which is sent to the access manager based on identifying the access manager using the stored identifier.