Abstract: A system and method to tie a removable component to a host device. A first pairing key is stored into a security module on a host device such as a server rack. A removable component is inserted into the server rack for the first time. In response to this first insertion the first pairing key is burned into the removable component using a plurality of physically modifiable internal components. The server rack/security module receives a request form the removable component to operate on the server rack, the request includes a burned in pairing key. The security module compares the received pairing key with the first pairing key and permits operation of the removable component in response to a match between the received pairing key and the first pairing key.

Abstract: In embodiments detailed herein describe an encryption architecture with fast zero support (e.g., FZ-MKTME) to allow memory encryption and integrity architecture to work efficiently with 3DXP or other far memory memories. In particular, an encryption engine for the purpose of fast zeroing in the far memory controller is detailed along with mechanisms for consistent key programming of this engine. For example, an instruction is detailed which allows software to send keys protected even when the controller is located outside of a system on a chip (SoC), etc.

Abstract: In an embodiment, processing of biometric data is split between a processor on a peripheral device and a processor of a host device that is coupled with the peripheral device. One embodiment provides a method comprising, on a peripheral device coupled with a host device, capturing biometric data using a biometric sensor of a peripheral device and pre-processing the captured biometric data using a processor of the peripheral device. The processor of the peripheral device is separate from a processor of the host device and resides within a chassis or housing of the peripheral device. The method additionally includes pre-validating the pre-processed biometric data to determine whether the pre-processed biometric data meets a minimum quality threshold and transmitting the pre-validated biometric data to the host device for validation.

Abstract: A method of providing secure communication between first and second devices comprises the first device and the second device connecting to a server via a secure communication channel. Encryption keys for the devices are generated and data relating to the encryption keys are exchanged via the server in the secure communication channel. A peer-to-peer connection for exchanging data is generated using encrypted connection information for the devices.

Abstract: A system comprises a plurality of computing devices. Requests received by the system are distributed at random among the computing devices. A computing device, in response to receiving a request, stores a record of utilization of the computing device by a source of the request. The computing device determines to throttle requests from the source based, at least in part, on the utilization of the computing device by the source within the time period.

Abstract: A mechanism for providing secure feature and key management in integrated circuits is described. An example integrated circuit includes a secure memory to store a secret key, and a security manager core, coupled to the secure memory, to receive a digitally signed command, verify a signature associated with the command using the secret key, and configure operation of the integrated circuit using the command.

Abstract: Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include generating, by hardware of a device, a device public key and a device private key, based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware, based on the device public key and the signed first attestation, registering the device with a trusted authority, generating, by the hardware, a first application private key and a first application public key, and based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware, and based on the first application public key and the signed second attestation, registering a first application of the device to a first server.

Abstract: A system and method that utilize an encryption engine endpoint to encrypt data in a data storage system are disclosed. In the system and method, the client controls the encryption keys utilized to encrypt and decrypt data such that the encryption keys are not stored together with the encrypted data. Therefore, once data is encrypted, neither the host of the data storage system, nor the encryption engine endpoint have access to the encryption keys required to decrypt the data, which increases the security of the encrypted data in the event of, for example, the data storage system being accessed by an unauthorized party.

Abstract: Techniques are disclosed for securely managing data. In one example, a service provider receives user image data and user biometric data associated with a user. The service provider generates a user profile cryptographic key based on hashing this data, which may be associated with a user identifier. The service provider may further generate a public/private key pair associated with the user identifier. The public key and the user profile cryptographic key are stored, in association with the user identifier, to a consortium blockchain network. The service provider then receives a request, signed with the private key, to store a document in association with the user identifier. The service provider generates a document cryptographic key of the document, and executes a request to store the document cryptographic key to the blockchain in association with the user profile cryptographic key, the request verified using the public key.

Abstract: Various systems, mediums, and methods herein describe aspects of personal information platforms accessible with client devices over communication networks in data infrastructures. A system may determine data associated with a user. The system may determine a personal information platform (PIP) based on the data associated with the user, where the PIP is configured to identify a number of data types from the data associated with the user. The system may determine accesses for one or more entities to the number of data types based on one or more services provided by the one or more entities to the user. The system may cause a client device to display an indication of the PIP, where the indication provides the one or more accesses of the one or more entities.

Abstract: In some examples, a computing device may communicate with a plurality of network storage systems, such as a first network storage system provided by a first service provider employing a first storage protocol and a second network storage system provided by a second service provider employing a second storage protocol different from the first storage protocol. The computing device receives a first object, and determines, for the first object, a first remote bucket at the first network storage system and a second remote bucket at the second network storage system. The computing device may add a synchronization event to a queue for replicating the first object to the first remote bucket and the second remote bucket. Based on consuming the synchronization event from the queue, the computing device replicates data and metadata of the first object to the first remote bucket and the second remote bucket.

Abstract: A network device is capable of transmitting and/or receiving packets that are encrypted according to a particular network security protocol, while being encapsulated according to any of a variety of tunneling protocols independent of the particular network security protocol. In such embodiments, a customer or network administrator can use the particular network security protocol while having the freedom to choose a particular tunneling protocol that is best suited for a network implementation instead of being limited to a specific tunneling protocol for a particular network security protocol.

Abstract: This document describes systems and techniques for deriving identity and root keys for embedded systems. In aspects, a boot process and key manager of an embedded system may implement a secure or trusted boot process for embedded systems in which code of next-level boot loader or software image is verified using root keys or other protected information before execution of the boot process is passed to the next stage in the boot process. Alternatively or additionally, the key manager may enable sealing and attestation of various levels of root and identity keys to enable respective verification of software or hardware throughout a life cycle of a device to prevent unauthorized access to protected or private code of an embedded system. By so doing, the described aspects may enable an embedded system with a secure boot process and robust identity and root key management system.

Abstract: System and method for protecting a payment terminal are disclosed. The system includes a data encryption key, a monitoring module for measuring a physical parameter, and a counter unit of a microcontroller. The counter unit can be slaved to a clock for incrementing a counter value. The method includes measuring a physical parameter by the monitoring module, comparing the physical parameter with a predetermined threshold value corresponding to a physical attack, resetting the counter unit, and if the physical parameter is indicative of the physical attack on the payment terminal or the counter value is greater than a predefined threshold value, removing access to the encryption key.

Abstract: Device-implemented methodology for enabling and/or performing crypto-erase via internal action and external action. In one illustrative aspect, a request to read data is received at a device configured to perform data operations on a storage medium, the data being stored on the storage medium in encrypted form. In one approach, a first key stored within the device is accessed. In another approach, a first key stored on and/or with the storage medium is retrieved. A second key is received from an external source. A media encryption key is generated using the first and second keys. The encrypted form of the data is read from the storage medium. The encrypted form of the data is decrypted using the media encryption key. The decrypted data is output. Methodology for writing encrypted data is also presented.

Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising storing a plurality of activation codes, each of the activation codes associated with a respective unique identifier (UID) of semiconductor device; receiving, over a network, a request to generate a new storage root key (SRK), the request including a response code and a requested UID; identifying a selected activation code from the plurality of activation codes based on the requested UID; generating the SHRSRK value using the response code and the selected activation code; associating the SHRSRK value with the requested UID and storing the SHRSRK value; and returning an acknowledgement in response to the request.

Abstract: Embodiments govern cloud environments using a policy engine. A plurality of policy definitions for governing a plurality of managed environments can be received at a policy engine, each policy definition including one or more conditions and one or more actions, where the managed environments implement cloud based virtual machines that host cloud based applications. Events that relate to one or more of the managed environments can be received at the policy engine. Conditions for the policy definitions can be evaluated by the policy engine, where conditions for a first policy definition are triggered based on one or more of the received events. Based on the evaluating, one or more actions of the first policy definition can be performed, the one or more actions changing a first managed environment that is governed by the first policy definition.

Abstract: Techniques to pre-authenticate an identity for an electronic account are described and claimed by the present disclosure. The electronic account may enforce a multi-factor authentication procedure that involves a number of steps. In addition to the electronic account, a user may have other accounts requiring authentications. Successful authentications with respect to those other accounts may provide evidence of the user's identity. If sufficient evidence is present, one or more steps of the multi-factor authentication procedure may be bypassed. Other embodiments are described and claimed.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for hardware security module communication management. An example method includes deriving, by a first HSM, a first cryptographic key based on an initial key and a first set of seed bits. The method also includes receiving a message comprising a second cryptographic key from a key exchange management device, wherein the second cryptographic key is associated with a second HSM. The method also includes deriving, a third cryptographic key based on the first cryptographic key and the second cryptographic key, wherein deriving the third cryptographic key establishes secure communication between the first HSM and the second HSM based on the second HSM having also derived the third cryptographic key. The method also includes performing, a first cryptographic data protection action using the third cryptographic key.

Abstract: A method for detecting a cyberattack on a control system of a wind turbine includes providing a plurality of classification models of the control system. The method also includes receiving, via each of the plurality of classification models, a time series of operating data from one or more monitoring nodes of the wind turbine. The method further includes extracting, via the plurality of classification models, a plurality of features using the time series of operating data. Each of the plurality of features is a mathematical characterization of the time series of operating data. Moreover, the method includes generating an output from each of the plurality of classification models and determining, using a decision fusion module, a probability of the cyberattack occurring on the control system based on a combination of the outputs. Thus, the method includes implementing a control action when the probability exceeds a probability threshold.