Abstract: Disclosed are various examples for dynamically generating restriction profiles for updated software platforms. A management system can determine that updated restrictions and/or settings are included in an updated or new version of a definition file. The updated settings identified and categorized according to risk for a given enterprise group without administrator input. An updated restriction profile can be generated according to the updated settings and distributed to managed devices.

Abstract: Provided is an analysis device with which it is possible to find information relating to the intention and purpose of an attacker. The analysis device is provided with a purpose estimating means that estimates the purpose of behavior, based on predetermined behavior in the computer and knowledge information that includes the relation between the behavior and the purpose of executing the behavior.

Abstract: Subsequent to registration of a client device with a server device such that credentials by which the client device is authenticated are securely stored at the client device, the client device provides a user device and a server device a recovery identifier and a recovery secret key associated with the client device. Upon the credentials no longer being stored at the client device such that the client device has to be reregistered with the server device to store new credentials by which the client device is authenticated, the user device generates and provides a recovery code to the client device, which provides the recovery code to the server device. Upon validating the recovery code based on the recovery identifier and the recovery secret key, the server device reregisters the client device with the server device such that the new credentials are securely stored at the client device.

Abstract: A data processing system is provided, which comprises receiving circuitry for receiving, from a requester, a request to use decrypted data obtained by decrypting encrypted data. Trusted execution circuitry provides a trusted execution environment. The trusted execution circuitry is configured to: securely store a policy, acquire a key within the trusted execution environment, where the key is associated with the decrypted or encrypted data, and respond to the request based on the policy and one or more characteristics of the requester.

Abstract: A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

Abstract: Methods and systems for improved and novel encryption that make it difficult or impossible in any practical way to extract data that has been protected on the computing system. A computing device may receive authentication data from a client device. The computing device may generate an encryption key and a corresponding decryption key. The computing device may receive, from the client device, information associated with a timed access window. The computing device may send, to the client device, the encryption key. The computing device may receive, from the client device, a request for the corresponding decryption key. The computing device may calculate that the request for the corresponding decryption key is during the timed access window and send, to the client device, based on the request and the calculation that the request for the corresponding decryption key is during the timed access window, the corresponding decryption key.

Abstract: Methods and systems for improved generation of biometrics using biometrics and secure storage of biometrics are provided. In one embodiment, a method is provided that includes scanning and digitizing a plurality of biometrics to form a plurality of digitized biometrics. An encryption key for use in cryptographic applications may be generated based on the plurality of digitized biometrics. A biometrics encryption seed may be received and may be used to encrypt the plurality of digitized biometrics to generate a plurality of encrypted biometrics. The plurality of encrypted biometrics may then be stored.

Abstract: An electronic device includes a memory storing data from an external source, an application processing unit (APU) transmitting a secret key and public key generation command, an isolated execution environment (IEE) generating a secret key in response to the secret key generation command, generating a public key based on the secret key in response to the public key generation command, and storing the secret key, and a non-volatile memory performing write and read operations depending on a request of the APU. When the data are stored in the memory, the APU transmits a public key request to the IEE and in response the IEE transfers the public key to the APU through a mailbox protocol. The APU generates a ciphertext by performing homomorphic encryption on the data based on an encryption key in the public key, and classifies and stores the public key and the ciphertext in the non-volatile memory.

Abstract: A mechanism and method are provided for attesting a platform entity. The method is performed by a verification entity. The method may include performing mutual authentication between a TEE of the verification entity and a TEE of the platform entity. The method may include sending, towards the TEE of the platform entity, a first piece of protected secret data. The method may include sending, towards the TEE of the platform entity, at least one protected nonce. The method may include receiving, from the TEE of the platform entity, a protected concatenation of the secret data and the at least one nonce. The method may include attesting the platform entity by, in the TEE of the verification entity, verifying that the secret data and the at least one nonce received from the platform entity are identical to the sent secret data and at least one nonce.

Abstract: Various implementations described herein may refer to a compliance platform for use with identity data. In one implementation, a method may include receiving a compliance data package from a user, where the compliance data package includes encrypted evidence data corresponding to digital identity data of the user. The method may also include encrypting the compliance data package using a first cryptographic key. The method may further include generating a user key shard, a requestor key shard, and a regulator key shard based on the first cryptographic key. The method may include generating an unlock data package that includes the requestor key shard and encrypting the unlock data package using a second cryptographic key. The method may also include transmitting the user key shard, the encrypted unlock data package, and the encrypted compliance data package to the user. The method may include transmitting the regulator key shard to a regulator.

Abstract: A method can include storing host code executable by a host device in a nonvolatile memory (NVM) device and NVM code executable by the NVM device. The NVM device can validate the integrity of the NVM code in response to predetermined conditions and generate a code integrity value for validating the NVM code. The code integrity value having a size independent of a size of the host code. An authentication code can be sent to the host device that is generated with at least the code integrity value. In response to read requests from the host device, returning at least portions of the host code for execution by the host device. Corresponding devices and systems are also disclosed.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically and securely augment a programmatically established communications session, such as a chatbot session, to include one or more additional responsive applications. For example, an apparatus may receive messaging data during a first communication session programmatically established between a device and a first executed application program, and may determine that an additional apparatus is configured to perform operations consistent with the messaging data. The apparatus may transmit a digital token and at least a portion of the messaging data to an additional apparatus. A second application executed by the additional apparatus may validate the digital token and based on the portion of the messaging data, establish a second communication session between the device and the executed first and second application programs.

Abstract: A first terminal holds first encrypted data encrypted by using a first key by a first encryption scheme having deterministic and commutativity, a second terminal holds second encrypted data encrypted by using a second key by the first encryption scheme, the first terminal transmits the first encrypted data to the second terminal, the second terminal transmits the second encrypted data to the first terminal, the first terminal generates third encrypted data by encrypting the second encrypted data by using the first key by the first encryption scheme, the third encrypted data is transmitted to the second terminal, the second terminal decrypts the third encrypted data with the second key, and calculates a common part between the second encrypted data and the decrypted third encrypted data, and transmits the common part to the first terminal, and the first terminal decrypts the common part with the first key.

Abstract: An in-vehicle encryption system for use in a vehicle comprising a plurality of vehicle subsystems. The system comprises a security ECU module that communicates with a remote cryptographic module, the security ECU module comprising a processor and a per vehicle master secret (PVMS) value stored in the security ECU module. The security ECU module uses the PVMS value to authenticate with the remote cryptographic module and to establish an external encrypted communication link with the remote cryptographic module. The system further comprises a first subsystem ECU module that generates a first globally unique identifier (GUID) and a second subsystem ECU module that generates a second GUID. The security ECU module uses the first GUID value to establish a first encrypted communication link with the first subsystem ECU module.

Abstract: A method and system for certificate management for services in a container orchestrator. The method includes requesting a certificate for a service from a cloud certificate manager, in response to detecting a request from a control plane of the container orchestrator for the certificate for the service, receiving the certificate from the cloud certificate manager, storing the certificate in a secret storage, and returning the location of the secret storage to a requester of the certificate.

Abstract: Disclosed is a method of witnessing electronic signing of a document. The method may include identifying an eligible witness device from a signature request. Furthermore, the witness electronic device may be configured to verify the signor electronic device before making a document available to a signor electronic device based on a witness action from the witness electronic device. Additionally, the method may include transmitting the document to the signor electronic device upon verification of the signor electronic device. Furthermore, the signed document may include the electronic signature of the signor.

Abstract: A system is provided for secure client-side cryptographic key retrieval using cryptographic key splitting and wrapping. In particular, the system may generate an encryption key that may be wrapped using a wrapping key. The wrapping key may in turn be split into a plurality of parts that may be stored in a distributed manner on a client computing system and a cryptographic database. Furthermore, the wrapping key may be generated using an encryption algorithm that allows the wrapping key to be reconstituted with fewer than all of the plurality of parts. In this way, the system provides a secure way to restrict access to sensitive data to authorized parties.

Abstract: A system includes an electronic circuit. The electronic circuit includes a first set of electronic circuit elements electrically coupled to receive first secret data that was encrypted externally to the electronic circuit according to a data key and decrypt the first secret data based in part on parameters included in the data key. The electronic circuit further includes a second set of electronic circuit elements coupled to generate second secret data by executing one or more operations on the first secret data and a third set of electronic circuit elements coupled to encrypt the second secret data based in part on the parameters included in the data key, thereby providing encrypted second secret data for output.

Abstract: Techniques to pre-authenticate an identity for an electronic account are described and claimed by the present disclosure. The electronic account may enforce a multi-factor authentication procedure that involves a number of steps. In addition to the electronic account, a user may have other accounts requiring authentications. Successful authentications with respect to those other accounts may provide evidence of the user's identity. If sufficient evidence is present, one or more steps of the multi-factor authentication procedure may be bypassed. Other embodiments are described and claimed.

Abstract: Generally discussed herein are devices, systems, and methods for binding with cryptographic key attestation. A method can include generating, by hardware of a device, a device public key and a device private key, based on the device private key, signing a first attestation resulting in a signed first attestation, the first attestation claiming the device private key originated from the hardware, based on the device public key and the signed first attestation, registering the device with a trusted authority, generating, by the hardware, a first application private key and a first application public key, and based on the device private key, signing a second attestation resulting in a signed second attestation, the second attestation claiming the first application private key originated from the hardware, and based on the first application public key and the signed second attestation, registering a first application of the device to a first server.