Patents Examined by Shaqueal D Wade-Wright
  • Patent number: 11615213
    Abstract: An encrypted data storage system and method based on offsite key storage are provided. The system includes a key control center, an offsite key storage system, and a data encryption/decryption storage system. The offsite key storage system includes a first key control device, a key storage device, and a first quantum key distribution device. The data encryption/decryption storage system includes a second key control device, a data encryption/decryption storage device, and a second quantum key distribution device. The first quantum key distribution device is in quantum communication connection with the second quantum key distribution device. The first key control device is communicatively connected with the key storage device and the first quantum key distribution device, respectively.
    Type: Grant
    Filed: July 23, 2018
    Date of Patent: March 28, 2023
    Assignee: ANHUI ASKY QUANTUM TECHNOLOGY CO., LTD.
    Inventors: Zhengfu Han, Jianfeng Wang, Chunhua Miao, Kai Yin, Jingjing Liu, Yun Liu
  • Patent number: 11611435
    Abstract: A cryptographic key of a first instance of a group of one or more cloud nodes providing a service is managed. A request to share the cryptographic key with a second instance of a different group of one or more cloud nodes is received. A determination is made whether the second instance is allowed to access the cryptographic key. In response to a determination that the second instance is allowed to access the cryptographic key, the cryptographic key is encrypted with a target key of the second instance and the encrypted cryptographic key is signed using a cryptographic signature of the first instance. The signed encrypted cryptographic key is provided to the second instance.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: March 21, 2023
    Assignee: ServiceNow, Inc.
    Inventors: Shicheng Zhang, Huiqing Wen, Gregory Frederick Gibsen, Shu-Wei Hsu, Pierre Francois Rohel
  • Patent number: 11611431
    Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key.
    Type: Grant
    Filed: July 1, 2020
    Date of Patent: March 21, 2023
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel Philip McCallum
  • Patent number: 11601259
    Abstract: The present disclosure relates to a method of creating a trusted bond between a hearing device and a user accessory device, wherein the method comprises: transmitting, by a hearing device fitting system, an authentication key to the hearing device; creating, by the hearing device fitting system, authentication data comprising the authentication key in encrypted form; obtaining, by the user accessory device, the created authentication data; receiving, by the user accessory device, identification information from the hearing device, the identification information identifying the hearing device; decrypting, by the user accessory device, the encrypted authentication key comprised in the obtained authentication data using at least the received identification information; establishing communication between the hearing device and the user accessory device based on the authentication key.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: March 7, 2023
    Assignee: GN HEARING A/S
    Inventor: Allan Munk Vendelbo
  • Patent number: 11595209
    Abstract: There is provided an information processing system including: a first apparatus (10a) that divides a user key (UK) of a share-source user through a secret distribution process to generate a plurality of distribution keys (S1 and S2); a second apparatus (10b) that sends a processing request to execute a predetermined process by using one of a plurality of the distribution keys generated by the first apparatus; and a third apparatus (20) that makes a determination based on one of a plurality of the distribution keys generated by the first apparatus and the processing request received from the second apparatus.
    Type: Grant
    Filed: May 22, 2019
    Date of Patent: February 28, 2023
    Assignee: SONY CORPORATION
    Inventors: Shinya Maruyama, Atsushi Uchida
  • Patent number: 11593490
    Abstract: An Information Handling System (IHS) includes multiple hardware devices, and a Baseboard Management Controller (BMC) in communication with the plurality of hardware devices. The BMC includes instructions for executing an assistance application (APP) in an untrusted domain of the BMC. The assistance APP is configured to monitor a custom BMC firmware stack executed in the untrusted domain. The instructions are further executed to verify an integrity of the assistance APP from a trusted domain of the BMC by encrypting communications between the trusted and untrusted domains using an encryption key that comprises a function of a time counter value.
    Type: Grant
    Filed: July 28, 2021
    Date of Patent: February 28, 2023
    Assignee: Dell Products, L.P.
    Inventors: Eugene David Cho, Mario Alberto Sanchez, Akkiah Choudary Maddukuri, Marshal F. Savage, Paul W. Vancil
  • Patent number: 11595190
    Abstract: An encrypted data storage system includes a storage system that is configured to store encrypted data, and a first client device that is coupled to the storage system. The first client device performs a hash operation on first data to generate a Data Encryption Key (DEK), and uses the DEK to perform a data encryption operation on the first data to generate encrypted first data. The first client device then uses a first Key Encryption Key (KEK) to perform a first key encryption operation on the DEK to generate a first encrypted DEK, associates the first encrypted DEK with the encrypted first data, and transmits the encrypted first data to the storage system for storage.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: February 28, 2023
    Assignee: Dell Products L.P.
    Inventors: Radia Perlman, Charles Kaufman
  • Patent number: 11595191
    Abstract: A storage apparatus sends a request for a key encryption key to a key management server using a storage apparatus ID as a parameter, acquires the key encryption key, for which a request has been sent to the key management server, and its attribute information, and stores the key encryption key and its attribute information in a key encryption key list while eliminating the key encryption key that is duplicated. Then, in the order listed in the key encryption key list, decryption of the encryption key is attempted by the key encryption key stored in the key encryption key list, and the success or failure of the decryption of the encryption key is determined. When the decryption of the encryption key using the key encryption key fails, the decryption of the encryption key is attempted using a key encryption key, which has not been attempted yet, in the key encryption key list.
    Type: Grant
    Filed: February 19, 2021
    Date of Patent: February 28, 2023
    Assignee: Hitachi, Ltd.
    Inventors: Yutaka Yoshida, Mioko Moriguchi
  • Patent number: 11588849
    Abstract: Embodiments of the present invention provide a system for providing enhanced cryptography based response mechanism for malicious attacks. The system is configured for generating one or more tracker seeds, storing the one or more tracker seeds in at least one entity system associated with an entity, identifying a malicious event associated with data in the at least one entity system, in response to identifying the malicious event, identifying an encryption algorithm key pair for the malicious event based on the one or more tracker seeds, and decrypting the data in the at least one entity system based on the encryption algorithm key pair.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: February 21, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Regina Yee Cadavid, Gloria Joo, Jinyoung Nathan Kim, Ram Korlepara, Elliott Leonard Lillard, Nia Mack, Philip Lone Mintac, Michael Jacob Richardson, Srilekha Mudumbai Srinivasa
  • Patent number: 11589228
    Abstract: Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key KFB or trusted asymmetric fallback public key PKFB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCIFB for communication of messages with the unauthenticated network entity.
    Type: Grant
    Filed: May 11, 2018
    Date of Patent: February 21, 2023
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Huarui Liang, Lijia Zhang, Shu Guo, Haijing Hu, Fangli Xu, Yuqin Chen, Dawei Zhang, Li Li
  • Patent number: 11588695
    Abstract: A customer premises device may include a memory configured to store day 0 configuration instructions, a first network interface to couple to an out-of-band network, a second network interface operatively coupled to a customer network, and at least one processor configured to automatically and without user input execute the day 0 configuration instructions. The at least one processor is configured to establish and maintain a secure tunnel connection with a security gateway device via the out-of-band network and to establish a connection with a configuration platform on the provider network via the secure tunnel connection. Orchestration instructions for configuring one or more VNFs are received from the configuration platform via the tunnel connection. The at least one processor is further configured to receive VNF management instructions via the secure tunnel connection, wherein the VNF management instructions include one of: updates, reconfigurations, or patches.
    Type: Grant
    Filed: August 16, 2021
    Date of Patent: February 21, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Sivanaga Ravi Kumar Chunduru Venkata, Vinod Ramalingam, Brian E. Stephenson, Manish K. Srivastava, Ramesh Nadella
  • Patent number: 11582189
    Abstract: A method for filtering communication data arriving from a communication partner via a communication connection, which provides access to at least one storage means of a receiving data processing device having at least one computation unit, in the data processing device, wherein PCI Express, in an interface unit, receiving the communication data, of the data processing device, a filter means, at least part of which is embodied as hardware, is used so that, according to configuration information, prescribed on the data processing device, containing at least one approval condition that rates the at least one property of the useful data contained in the communication data, only the communication data meeting at least one approval condition are forwarded from the interface unit to at least one further component of the data processing device.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: February 14, 2023
    Assignee: AUDI AG
    Inventors: Changsup Ahn, Kamil Zawadzki, Markus Klein, Hans Georg Gruber
  • Patent number: 11568066
    Abstract: Example methods and systems disclosed herein facilitate the introduction and use of client-specified object encryption within a computing environment using remote third-party storage systems, where data objects stored on the remote third-party storage systems were previously either stored in unencrypted form or encrypted with a single key tied to an account that owns the data. In some embodiments, the encryption is introduced into the system in gradual stages, so as to minimize or entirely eliminate data availability downtime. In some embodiments, the introduction of client-specified object encryption involves registration of a user function on the third-party storage system, where the user function handles object decryption in response to requests of content consumers for data objects stored by the third-party storage system.
    Type: Grant
    Filed: August 13, 2021
    Date of Patent: January 31, 2023
    Assignee: Uber Technologies, Inc.
    Inventor: Ashish Kurmi
  • Patent number: 11556660
    Abstract: Provided is a method for erasing security-relevant information in a device, having the method steps of: ascertaining at least one movement parameter of the device over time, monitoring the ascertained movement parameters over time on the basis of at least one prescribed movement pattern, and triggering an erase process for the security-relevant information if the ascertained movement parameter over time is consistent with the at least one prescribed movement pattern. An apparatus and a computer program product for carrying out the method to ensure that security-relevant data of the device are erased reliably and completely even in the event of an accident or another unforeseen event is also provided.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: January 17, 2023
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventor: Rainer Falk
  • Patent number: 11558382
    Abstract: In general, techniques are described for supporting bulk delivery of change of authorization data in authentication, authorization, and accounting (AAA) protocols, where delivery is performed as a change of authorization after a subscriber has successfully authenticated and initially authorized. In one example, the techniques are directed to a method including determining, by a RADIUS server for a service provider network, change of authorization data for services to which the subscriber of the service provider network has subscribed. The method further includes generating, by the RADIUS server, RADIUS messages that form a transaction between the RADIUS server and a network access server acting as a RADIUS client. The RADIUS messages provide all of the change of authorization data to the network access server prior to the network access server provisioning the services. The method further includes outputting, by the RADIUS server, the RADIUS messages to the network access server.
    Type: Grant
    Filed: April 29, 2021
    Date of Patent: January 17, 2023
    Assignee: Juniper Networks, Inc.
    Inventors: John Gibbons, Paul Raison, Sunil Madhaorao Gandhewar
  • Patent number: 11558410
    Abstract: A computer-implemented method and device for analyzing network packet traffic flow affected by a network security device in a communication network. Received in a network monitoring device is packet traffic flow data from a network security device that filters network traffic based upon prescribed security filter settings. The network monitoring device analyzes the received packet traffic flow data by correlating the received traffic flow data with the security filter settings prescribed in the network security device. Certain statistics are identified regarding the network traffic flow affected by the security filter settings of the network security device based upon the correlating of the received traffic flow data with the security filter settings prescribed in the network security device. A report regarding the identified statistics is preferably sent to a network administrator.
    Type: Grant
    Filed: May 19, 2020
    Date of Patent: January 17, 2023
    Assignee: Arbor Networks, Inc.
    Inventors: Scott Iekel-Johnson, James Edward Winquist, David Watson
  • Patent number: 11546764
    Abstract: In accordance with some embodiments, an apparatus for privacy protection is provided. The apparatus includes a housing arranged to hold a personal communication device and a peripheral interface supported by the housing, where the peripheral interface is connectable to a supplemental functional device. The apparatus further includes a local communication device coupled to the peripheral interface and supported by the housing, where the local communication device includes a personal communication device interface modem operable to provide a communication channel between the peripheral interface and the personal communication device. The apparatus further includes a controller coupled to the peripheral interface and the local communication device, where the controller is operable to manage the communication channel between the supplemental functional device and the personal communication device.
    Type: Grant
    Filed: March 29, 2021
    Date of Patent: January 3, 2023
    Assignee: PPIP, LLC
    Inventors: Michael Fong, Neric Hsin-wu Fong, Teddy David Thomas, Haydn Bennett Taylor
  • Patent number: 11537740
    Abstract: Systems, computer program products, and methods are described herein for enhanced data security using versioned encryption. The present invention is configured to electronically receive, from a computing device of a user, a confidential data entry at a first server; encrypt the confidential data entry using a public key at the first server to generate an encrypted confidential data entry; transmit the encrypted confidential data entry to a second server, wherein the encrypted confidential data entry comprises a hash value, wherein the hash value indicates a numbered version of the public key used to encrypt the confidential data entry; and store the encrypted confidential data entry in a database associated with the second server.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: December 27, 2022
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Tatikonda Srinivas
  • Patent number: 11539714
    Abstract: Systems and methods described herein provide for assigning classifications to signals and corresponding messages for prioritization and transmission across a vehicle CAN bus. The assigned classifications are used to select authentication keys specific to each classification of message. Nodes of the CAN bus can include different sets of keys based on the classifications of messages handled at the nodes. Keys are distributed and localized to reduce any potential impact on critical functions of the vehicle system that may result from compromise of an authentication key.
    Type: Grant
    Filed: September 17, 2020
    Date of Patent: December 27, 2022
    Assignee: Ford Global Technologies, LLC
    Inventors: Xin Ye, Venkata Kishore Kajuluri, Lisa Therese Boran, Bradley Smith
  • Patent number: 11533167
    Abstract: Method, device and computer program product for managing a plurality of encryption keys using a keystore seed that defines a seed bit set. A key management process defines a key mapping between the seed bit set and the plurality of encryption keys. The key management process enables each encryption key to be generated from the seed bit set using a corresponding keying material value and the key mapping. The key mapping specifies that an encryption key is generated by partitioning the seed bit set into a plurality of seed bit partitions, determining a keying value from the keying material value, determining a key sequence using the plurality of seed bit partitions and the keying value, and determining the encryption key from the key sequence. Management of a large number of encryption keys can be simplified through indirect management via the keystore seed and the key management process.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: December 20, 2022
    Assignee: BICDROID INC.
    Inventor: En-Hui Yang