Abstract: A method for managing security keys for an I/O device may include loading a first security key from a primary memory to a security engine, performing a first data transfer operation between a host and the I/O device using the first security key with the security engine, loading a second security key from a secondary memory to the security engine, and performing a second data transfer operation between the host and the I/O device using the second security key with the security engine. The method may further include storing the first security key in the primary memory based on a frequency of use of the first security key. The frequency of use of the first security key may be determined by a pattern of transfers between the host and the I/O device.

Abstract: A system includes an application instance or application environment instance and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application instance or application environment instance. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application instance or application environment instance.

Abstract: A computer-implemented method includes receiving, by a storage system, encrypted data and a set of key identifiers. Each key identifier is associated with information specifying a storage location for which the key identifier is authorized. The method also includes storing, by the storage system, the encrypted data in at least one storage location and receiving, by the storage system, at least one key identifier of the set of key identifiers with a data access request. The method includes determining, by the storage system, whether the data access request is authorized for the at least one key identifier.

Abstract: A method for updating a cryptographic key via a computation unit configured with one or more processors and a memory coupled to the one or more processors is disclosed. The method includes loading a base key into a cryptographic storage unit integrated with a cryptographic application. The method includes generating a temporal key based on the base key using a one-way key update algorithm via cryptographic application logic integrated within the cryptographic application. The temporal key is assigned an update count based on the number of updates performed on the temporal key. The method further includes comparing the update count value to a required update count, updating the temporal key if the update count is less than the required update count, and zeroizing the temporal key if the update count is more than the required update count, in which the temporal key may be regenerated with the required update count.

Abstract: Embodiments described herein provide a compressed container format that enables the container to be decrypted and decompressed in a streaming manner. One embodiment provides a container format for encrypted archives in which data is compressed and encrypted in a segmented manner. A segment of the archive can be decompressed, decrypted, and checked for integrity before the entire archive is received. Metadata for the encrypted archive is also encrypted to secure details of data stored within the archive.

Abstract: A method of secure data deletion in a multitenant environment, performed by a storage system is provided. The method includes associating a key with a tenant, in the multitenant environment, as a result of the storage system receiving data from the tenant through a virtual local area network (VLAN) or from an Internet protocol (IP) address. The method includes storing the data, encrypted by the key, in the storage system, and determining that the key, as retained in the storage system, is to be deleted, so that the data is to be inaccessible in unencrypted form, responsive to a request from the tenant to delete the data.

Abstract: Methods, systems, and apparatuses are described herein for improving the accuracy of synthetic authentication questions by analyzing third party account data. A request for access to a first account associated with a user may be received. The first account may be managed by a first organization. A transactions database might be queried for first account data. Second account data corresponding to a second account associated with the user might be received. That second account may be managed by a second organization different from the first organization. One or more second transactions, unique to the second account, may be identified. A synthetic transaction, configured to be different from transactions in the first account and the one or more second transactions, may be generated. An authentication question may be generated based on the synthetic transaction. Access to the first account might be provided based on a response to the authentication question.

Abstract: A system includes a memory, an application TEE instance, an escrow TEE instance, and a server. The server is configured to receive a request to start the application TEE instance and launch the escrow TEE instance provisioned with a secret. The secret is initially accessible from a first location until the escrow TEE instance is provisioned and accessibility to the secret in the first location is restricted after provisioning the escrow TEE instance with the secret. The escrow TEE instance is configured to obtain a cryptographic measurement associated with the application TEE instance, validate the application TEE instance, and provide the secret from a second location to the application TEE instance.

Abstract: A matching apparatus generates a random number and transmits second encrypted data obtained by performing an operation of first encrypted data of each of first values related to a first binary vector encrypted and the random number to a matching request apparatus; transmits third encrypted data obtained by performing an operation of the second encrypted data and elements of a matching target second binary vector; based on a second value related to the first binary vector encrypted with the encryption key, the encrypted data and the random number, generates and transmits encrypted data and transmits the generated data to a verification apparatus as a query; and determines whether a count number of mismatched elements between the second binary vector and the first binary vector is less than or equal to a predetermined number based on values obtained by decrypting the encrypted data in the query.

Abstract: The present technology includes a controller and an electronic system including the same. The electronic system includes a memory device including a plurality of zones, each zone capable of storing data, a plurality of hosts configured to output access requests for accessing a selected zone, among the plurality of zones, and a controller configured to select one of the plurality of hosts according to order in which the access requests are received, generate and store a key for confirming the selected host, and transmit the key to the selected host, when the access requests to access the selected zone are received from the plurality of hosts, wherein the selected host transmits an operation request including the key to the controller, and the controller executes the operation request when the key is included in the operation request received from the selected host.

Abstract: A processor may incorporate one or more keys in a media. The one or more keys may each be associated with a specific instance and the one or more keys may be included in a blockchain. The processor may identify that a first specific instance has been encountered. The processor may provide a first key associated with the first specific instance. The processor may determine to allow access to content of the media.

Abstract: This disclosure relates to, among other things, key generation systems and methods. Certain embodiments disclosed herein provide for generation of cryptographic keys based on one or more defined key generation rules. Key generation consistent with various aspects of the disclosed embodiments may increase the difficultly and/or cost of producing public keys and, by extension, discourage the generation of fake keys used in connection with a key flooding attack. In certain embodiments, generated keys and/or associated key generation rules may depend, at least in part, on associated binding data.

Abstract: An apparatus and method for encryption key recovery based on memory analysis. The apparatus may include one or more processors and executable memory for storing at least one program executed by the one or more processors. The at least one program may collect memory information pertaining to an encrypted part of a file, in which ransomware is detected, based on dynamic binary instrumentation, analyze memory read operation data corresponding to an encryption key that is used for encryption of the file in the memory information, recover the encryption key based on the result of analysis of the memory read operation data, and output the result of recovery of the encryption key.

Abstract: Physical unclonable functions (PUFs) are described. The PUFs utilize intrinsic information to determine the confidence level of comparison values. The information about confidence levels may be used to simplify the process of recovering the PUF secret. Since the information about confidence levels may be intrinsic, and not know outside the PUF, the PUF may be secure.

Abstract: A method, system, and computer program product for key in lockbox encrypted data deduplication are provided. The method collects a set of deduplication information by a host in communication with a storage system via a communications network. A fingerprint is generated for a data chunk to be stored on a storage system. The method encrypts the data chunk using a first encryption key to generate an encrypted data chunk. The fingerprint is encrypted with a second encryption key to generate an encrypted fingerprint. The method encrypts the first encryption key with a third encryption key to generate a first encrypted key. The method encrypts the first encryption key with a fourth encryption key to generate a second encryption key. A data package is generated for transmission to the storage system. The method transmits the data package to the storage system.

Abstract: A computer implemented method and system for secure initial secret delivery for collocated containers with shared resources techniques is disclosed. The method comprises providing an application type identifier and a token for accessing a secrets management service; creating asynchronously, a plurality of collocated containers with shared resources; initiating a request for a creation for an initial secret; validating the request, requesting an identity for the collocated containers; validating the identity; starting an application instance; and using the initial secret to retrieve other secrets for the application instance.

Abstract: A method for electing a representative node device is performed at a blockchain system, including: obtaining voting transaction data from the node devices, the voting transaction data being used for voting for one or more node devices of the blockchain system as representative node devices; generating and storing the voting transaction data into a target blockchain of the blockchain system when a plurality of node devices of the blockchain system verify the voting transaction data by consensus; and when a quantity of blocks in the target blockchain generated using the voting transaction data reaches a preset quantity, determining an election result according to quantities of votes of the node devices determined from the voting transaction data, the election result identifying a plurality of representative node devices in the blockchain system being configured to generate new blocks for the target blockchain and perform verification on the new blocks by consensus.

Abstract: Provided are a computer program product, system, and method for determining key server type and key server redundancy information to enable encryption. A first key server type for a first protocol is indicated in a key server type field in response to determining a current protocol used to communicate with the key server comprises the first protocol. A query information request is submitted to the key server to determine a key server type in response to determining that the current protocol comprises the second protocol. The second key server type indicated in the response to the query information request is indicated in the key server type field in response to the response indicating the second key server type. The first or second type of key server indicated in the key server type field is used to determine information to include in a key retrieval request.

Abstract: A system may include a first processing component arranged in a secure domain of the system. The system may include a second processing component arranged outside of the secure domain of the system. The system may include one or more hardware accelerators to perform operations in association with providing communication security for the system. The one or more hardware accelerators may be accessible by the first processing component via a channel in the secure domain. The one or more hardware accelerators may be accessible by at least the second processing component via a channel outside of the secure domain.

Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.