Patents Examined by Shaqueal D Wade-Wright
  • Patent number: 11468177
    Abstract: A system and method that utilize an encryption engine endpoint to encrypt data in a data storage system are disclosed. In the system and method, the client controls the encryption keys utilized to encrypt and decrypt data such that the encryption keys are not stored together with the encrypted data. Therefore, once data is encrypted, neither the host of the data storage system, nor the encryption engine endpoint have access to the encryption keys required to decrypt the data, which increases the security of the encrypted data in the event of, for example, the data storage system being accessed by an unauthorized party.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: October 11, 2022
    Assignee: Eidetic Communications Inc.
    Inventors: Stephen Bates, Saeed Fouladi Fard
  • Patent number: 11444771
    Abstract: The disclosed embodiments are related to securely updating a semiconductor device and in particular to a key management system. In one embodiment, a method is disclosed comprising storing a plurality of activation codes, each of the activation codes associated with a respective unique identifier (UID) of a semiconductor device; receiving, over a network, a request to generate a new storage root key (SRK), the request including a response code and a requested UID; identifying a selected activation code from the plurality of activation codes based on the requested UID; generating the SHRSRK value using the response code and the selected activation code; associating the SHRSRK value with the requested UID and storing the SHRSRK value; and returning an acknowledgement in response to the request.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: September 13, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Lance W. Dover
  • Patent number: 11429702
    Abstract: A biometric data processing method implemented by a proof entity and a verification entity that are connected. The proof entity has a candidate biometric data, a reference biometric data, cryptographic footprints of the reference biometric data, and the candidate biometric data. The verification entity has a set of cryptographic footprints of reference biometric data of authorized users. The method includes generating the proof entity of a zero-knowledge proof of the fact that the candidate biometric data and the reference biometric data match. Transmitting to the verification entity the zero-knowledge proof of the cryptographic footprints of the candidate biometric data and the reference biometric data. Verifying that the zero-knowledge proof is valid, and the received cryptographic footprint of the reference biometric data belongs to the set of cryptographic footprints of reference biometric data in the possession of the verification entity.
    Type: Grant
    Filed: January 16, 2020
    Date of Patent: August 30, 2022
    Assignee: IDEMIA IDENTITY & SECURITY FRANCE
    Inventors: Aghiles Adjaz, Julien-Paul Keuffer
  • Patent number: 11418335
    Abstract: In some examples, a device includes a memory, a processor, and a controller separate from the processor to derive a security credential based on information comprising a key accessible by the controller. The controller communicates the derived security credential in a secure manner to a program code executable on the processor, and uses the derived security credential to protect data stored in the memory against unauthorized access.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: August 16, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Rosilet Retnamoni Braduke, Baraneedharan Anbazhagan, Christopher H. Stewart
  • Patent number: 11411960
    Abstract: A service ecosystem for vehicles that includes various components that are connected to a cloud. One or more technicians wearing headsets can be verified and authenticated by the cloud to work on vehicles based on the technician's biometric information and on the vehicle service requested. The service ecosystem may provide instructions to the technicians to perform the vehicle service. The cloud may also provide requested technical service information to the technician and a service advisor and help to load balance technicians so that the service can be completed as scheduled.
    Type: Grant
    Filed: July 7, 2020
    Date of Patent: August 9, 2022
    Assignee: BOSCH AUTOMOTIVE SERVICE SOLUTIONS INC.
    Inventors: Simon Thorley, Diwakar Sathyanarayanan, Shawn Dupuie
  • Patent number: 11405200
    Abstract: A system for key storage and recovery includes an interface and a processor. The interface is configured to receive an indication to create a set of recovery encryption key shares. The processor is configured to receive a selection of one or more trusted entities from one or more categories; create a set of recovery encryption key shares based at least in part on one or more recovery encryption keys; and for a trusted entity of the trusted entities: 1) determine a trusted entity public key associated with the trusted entity; encrypt a recovery encryption key share of the set of recovery encryption key shares with the trusted entity public key to generate a trusted entity encrypted recovery encryption key share; and provide the trusted entity encrypted recovery encryption key share to the trusted entity.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: August 2, 2022
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Prakash Sundaresan
  • Patent number: 11403410
    Abstract: Methods for securing image, video and/or audio media data captured by a media recording device are disclosed. Various embodiments may include determining whether media data captured by the media recording device should be secured in response to the media recording device activating a media recording application, obtaining an encryption key in response to determining that media data captured by the media recording device should be secured, encrypting media data (e.g., image, video and/or audio data) captured by the media recording device using the obtained encryption key, and storing the encrypted media data. In some embodiments, determining that media data should be secured and obtaining the encryption key may be based on user inputs in response to prompts. In some embodiments, determining that media data should be secured may be based on whether the media recording device satisfies a geo-location criterion and the encryption key may be provided by a server.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: August 2, 2022
    Assignee: QUALCOMM Incorporated
    Inventors: Uday Kumar Arava, Mohammed Javid, Karthik Kannan
  • Patent number: 11405185
    Abstract: Embodiments described herein enable the generation of cryptographic material for ranging operations in a manner that reduces and obfuscates potential correlations between leaked and secret information. One embodiment provides for an apparatus including a ranging module having one or more ranging sensors. The ranging module is coupled to a secure processing system through a hardware interface to receive at least one encrypted ranging session key, the ranging module to decrypt the at least one encrypted ranging session key to generate a ranging session key, generate a sparse ranging input, derive a message session key based on the ranging session key, and derive a derived ranging key via a key derivation cascade applied to the message session key and the sparse ranging input, the derived ranging key to encrypt data transmitted during a ranging session.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: August 2, 2022
    Assignee: APPLE INC.
    Inventors: Yannick L. Sierra, Zhimin Chen, Thomas Icart
  • Patent number: 11398904
    Abstract: A method for allocating to a resource, in a system of addressable resources, a hybrid deterministic/random key for access to a second resource, includes maintaining a table of storage positions for key values, searching the table for an available storage position, determining an index, in the table, of the available storage position, generating a random key value associated with location of the second resource, storing the random key value in the storage position, and assembling the index and the random key value into the hybrid key. The index may be most significant bits of the hybrid key, with the random key value being the least significant bits. Alternatively, the index may be least significant bits of the hybrid key, with the random key value being the most significant bits, or the bits of the index may be distributed among bits of the random key value.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: July 26, 2022
    Assignee: Marvell Asia Pte, Ltd.
    Inventors: Adi Katz, Ruven Torok
  • Patent number: 11398902
    Abstract: Systems and methods for non-deterministic multi-party, multi-user sender-receiver authentication and non-repudiated resilient authorized access to secret data are described herein. In one aspect, a method for data access includes receiving, at a server, a request for data access from a user; transmitting to users, a prompt for identity verification corresponding to the identity of each user, where at least one of the users is different than the user requesting data access; receiving, in response to the identity verification prompt, a plurality of identification key fragments from storage locations or devices associated with the users, where each identification key fragment is user specific; generating an organization-specific data object from the plurality of identification key fragments; confirming the organization-specific data object by the users whose identities were validated; and authorizing the request for data access based on confirming the organization-specific data object.
    Type: Grant
    Filed: September 10, 2020
    Date of Patent: July 26, 2022
    Assignee: CYBORN LIMITED
    Inventor: David Lanc
  • Patent number: 11394531
    Abstract: Systems, apparatuses, methods, and computer-readable media are provided for reducing or eliminating cryptographic waste for link protection in computer buses. In various embodiments, data packets are encrypted/decrypted in accordance with advanced encryption standard (AES) Galois counter mode (GCM) encryption/decryption. Monotonically increased counter values are used as initialization vectors; and/or accumulated MAC is practiced to reduce or eliminate cryptographic waste. Other related aspects are also described and/or claimed.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: July 19, 2022
    Assignee: Intel Corporation
    Inventors: Siddhartha Chhabra, Vedvyas Shanbhogue
  • Patent number: 11394557
    Abstract: Aspects of the disclosure relate to a transmission logic for selecting an authorized signatory as a recipient for an electronic document for signature. The transmission logic forms a part of a communications platform. The platform, including a first electronic communications pathway and a second electronic communications pathway, conducts and supports communication between a first entity and a second entity. The logic may generate an electronic document together with a request for an electronic signature, flag the document and transmit the document along the first electronic communications pathway to an authorized signatory at the second entity. The logic may also select a signatory according to a predetermined protocol, determine the availability of the selected signatory, confirm the selection, and transmit the electronic document to the authorized signatory for signature. Upon notification of the electronic signature, the logic may transmit, along the second pathway, the document to the first entity.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: July 19, 2022
    Assignee: Bank of America Corporation
    Inventor: Linda Haddad
  • Patent number: 11379571
    Abstract: A method includes a controller detecting a signal state of a presence terminal that is associated with a bus device. The signal state is set by the bus device to indicate presence of the bus device in a connector, and the connector is connected to a bus. The method includes the controller communicating data over the bus; and in response to detecting the signal state, the controller communicating side channel data to the bus device to authenticate the data that is communicated over the bus as being provided by the controller. Communicating the side channel data with the bus device includes providing a signal to the presence terminal, which represents the side channel data.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: July 5, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Christoph L. Schmitz
  • Patent number: 11368295
    Abstract: A communication system using a random code as an encryption code is disclosed. A first terminal transfers a request to the second terminal for providing a random code (rKey). The random code is used to encrypt commands in the proceeding communication process instead of using a master key (mKey) so as to avoid that the master key (mKey) is captured. The safety in data transmission is promoted greatly. In practical use, this encryption method can be used in a door access system which includes a mobile phone, a card reader, a door access controller, and a server program (such as ACX server program). The communication system using a random code as an encryption code assures that the communications between these devices are highly safe.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: June 21, 2022
    Inventor: Shing Kwong Fung
  • Patent number: 11349871
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that dynamically and securely augment a programmatically established communications session, such as a chatbot session, to include one or more additional responsive applications. For example, an apparatus may receive messaging data during a first communication session programmatically established between a device and a first executed application program, and may determine that an additional apparatus is configured to perform operations consistent with the messaging data. The apparatus may transmit a digital token and at least a portion of the messaging data to an additional apparatus. A second application executed by the additional apparatus may validate the digital token and based on the portion of the messaging data, establish a second communication session between the device and the executed first and second application programs.
    Type: Grant
    Filed: January 24, 2019
    Date of Patent: May 31, 2022
    Assignee: The Toronto-Dominion Bank
    Inventors: Tae Gyun Moon, Robert Alexander Mccarter, Kheiver Kayode Roberts
  • Patent number: 11349642
    Abstract: The present disclosure relates to a method of creating a trusted bond between a hearing device and a user accessory device, wherein the method comprises: transmitting, by a hearing device fitting system, an authentication key to the hearing device; creating, by the hearing device fitting system, authentication data comprising the authentication key in encrypted form; obtaining, by the user accessory device, the created authentication data; receiving, by the user accessory device, identification information from the hearing device, the identification information identifying the hearing device; decrypting, by the user accessory device, the encrypted authentication key comprised in the obtained authentication data using at least the received identification information; establishing communication between the hearing device and the user accessory device based on the authentication key.
    Type: Grant
    Filed: March 16, 2020
    Date of Patent: May 31, 2022
    Assignee: GN HEARING A/S
    Inventor: Allan Munk Vendelbo
  • Patent number: 11347861
    Abstract: The concepts, systems and methods described herein are directed towards a method for secure booting running on a security device. The method is provided to include: receiving a public key from a security device; validating the security device by comparing the received public key with a hash code; in response to the security device being validated, receiving custom codes from the security device and storing the custom codes in a microprocessor, wherein the microprocessor is located in a programmable memory of a primary processor; programming the programmable memory by executing the custom codes; and executing a boot sequence of the primary processor by the programmable memory.
    Type: Grant
    Filed: January 24, 2019
    Date of Patent: May 31, 2022
    Assignee: Raytheon Company
    Inventors: Matthew C. Areno, John C. Hoffman
  • Patent number: 11347882
    Abstract: Methods and devices for secure data sharing with granular access control are described. A modified attribute-based encryption (ABE) scheme is used to perform cryptographically-enforced ABE using attributes of a file access policy. A sender sends to a receiver a file encrypted using a file encryption key, the file encryption key encrypted using ABE based on a file access policy set by the sender, and a set of private ABE keys decryptable using a key stored in a trusted execution environment (TEE) of the receiver. The private ABE keys are decrypted by the receiver TEE when the file is accessed, decrypting a file encryption key only when the attributes of the receiver access action satisfy the file access policy. The decrypted file encryption key grants access to the file contents via a trusted viewer application. A user password may also be required and cryptographically enforced as part of the ABE decryption.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: May 31, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Nikolay Gigov, Yin Tan
  • Patent number: 11347873
    Abstract: Various examples are directed to a cloud platform system that comprises a plurality of cloud platform deployments including a first cloud platform deployment implemented at a first geographic region and a second cloud platform deployment implemented at a second geographic region. An access manager system receives from a user computing device, a user logon request identifying a user. The access manager system also receives, from an identity provider system, group data associated with the user logon request, the group data indicating a first group to which the user belongs. The access manager system determines that a subaccount access map correlates the first group to a first subaccount that is implemented at the first cloud platform deployment. The access manager system also provides the user computing device an indication that the user is authorized to access the first subaccount.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: May 31, 2022
    Assignee: SAP SE
    Inventor: Peter Eberlein
  • Patent number: 11349643
    Abstract: A data security technique for a data storage system includes in response to connection of an external storage device to a port of the data storage system, retrieving an authentication key encryption key (AKEK) for the data storage system from the external storage device to the data storage system. A random wrapper key (RWK) is generated based on the AKEK and an encrypted random wrapper key (ERWK) for the data storage system (retrieved from a first key repository of the data storage system). The ERWK is retrieved from a first key repository of the data storage system. A master key (retrieved from a second key repository of the data storage system) is decrypted for the data storage system using the RWK. A device access key (DAK) is derived based on the master key. The DAK is used to encrypt/decrypt data for a drive associated with the DAK.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: May 31, 2022
    Assignee: International Business Machines Corporation
    Inventors: Eyal Rahamim, Alexander Snast