Abstract: A method of digitally signing a message is disclosed. The method comprises distributing first shares of a first secret value among a plurality of participants, wherein the first secret value is a private key accessible by means of a first threshold number of the first shares, and is inaccessible to less than the first threshold number of the first shares; distributing second shares of a second secret value among the participants, wherein the second secret value is an ephemeral key, wherein said ephemeral key is inaccessible to less than said first threshold number of said second shares; and distributing third shares of a third secret value among the participants, wherein each third share is adapted to be applied to a message to generate a respective fourth share of a fourth secret value, wherein the fourth secret value is the message signed with the private key and using the ephemeral key.

Abstract: Various embodiments of the present invention relate to a method and an electronic device for authenticating a user by using a voice command. Here, the electronic device may comprise a memory, an input apparatus, and a processor, wherein the processor is configured to: receive a voice command from the input apparatus; acquire user identification information and voice print information from the voice command; search reference voice print information of each of multiple users stored in the memory, for reference voice print information corresponding to the acquired user identification information; and perform authentication on the basis of the acquired voice print information and the reference voice print information. Other embodiments are also possible.

Abstract: A system for providing policy-controlled communication over the Internet includes a client endpoint function that executes on a client device while coupled to a first VPN tunnel, a service endpoint function that operates a remote service of a plurality of remote services, and a mid-link server coupled to the first VPN tunnel and a second VPN tunnel. The client endpoint function includes a first VPN endpoint component, and the service endpoint function includes a second VPN endpoint component. A router component operates to route network packet traffic between the first and second VPN tunnels via a route specified by a plurality of policies, an inspection component that analyzes network packet traffic in accordance with the plurality of policies. The plurality of policies for the network packet traffic and the content mediation selected dynamically on the basis of one or more of a user, an application, an endpoint, and a session.

Abstract: A secret sharing scheme with yes and no shares and having a hidden access structure. The secret sharing scheme may include share generation in which yes shares and no shares are generated for, and distributed to, each party in the secret sharing scheme. In turn, upon an attempt to reconstruct the secret, participants in the reconstruction each provide a share, which is unknown to be a yes share or a no share to the other participants. The secret is only reconstructable if the shares used in the reconstruction include yes shares of a minimal authorized subset of the parties. However, prior to secret reconstruction, the access structure remains hidden and the participants in a reconstruction are unaware of the character of the shares provided by other participants in the reconstruction attempt.

Abstract: A system for communicating images, comprises an imaging device configured to capture and image and generate a digital image file, the imaging device comprising a device identifier; a set of routines configured to label the digital image file, associated account information with the digital image file, associate the device identifier with the digital image file, and communicate the digital image file to a server; a server configured to receive digital image files and process the digital image file according to at least one of a label associated with the digital image file, account information associated with the digital image file, and a device identifier associated with a device that captured the digital image file.

Abstract: A disclosed example gateway node includes network communicator circuitry, memory, instructions, and processor circuitry. The network communicator circuitry is to send a first portion of a multi-part secret key to a first secret holder node, and send a plurality of shares of a second portion of the multi-part secret key to second secret holder nodes. The processor circuitry is to execute the instructions to combine responses from the first secret holder node and at least one of the second secret holder nodes to generate a combined authentication message, the network communicator circuitry to send the combined authentication message to a terminal node for authentication.

Abstract: Described is a data transmission method, comprising: a first terminal negotiating a shared key with a second terminal by means of a handshake message; and the first terminal transmitting application data to the second terminal by means of a content message, the content message being encrypted and decrypted by using the shared key, wherein the handshake message and the content message have the same message format, the message format comprises a message serial number and a message load, the message serial number comprises a key epoch identifier and a message seq identifier, and the key epoch identifier is characterized by bit information less than a first number of bits, and the message seq identifier is characterized by bit information less than a second number of bits.

Abstract: A computer system with multiple security levels, the system comprising a high-power processing device (130), a low-power processing device (110), and an interface unit (120) comprising functions for moving classified information between the high-power device (130) and the low-power device (110) according to formal rules for confidentiality and/or integrity. Additional security aspects, e.g. availability, may readily be accommodated. A method for implementing multiple levels of security along a number of independent security axes on the system is also disclosed.

Abstract: When a software update is provided to a device that implements a facial recognition authentication process, a new authentication algorithm to operate the facial recognition authentication process may be included as part of software update. For a period of time, the new authentication algorithm may operate a “virtual” facial recognition authentication process alongside operation of the existing facial recognition authentication process using the existing (e.g., earlier version) authentication algorithm. The performance of the new authentication algorithm in providing facial recognition authentication (as assessed by the “virtual” process) may be compared to the performance of the existing authentication algorithm in providing facial recognition authentication during the period of time.

Abstract: In one embodiment, a service receives administration traffic data in a network associated with a remote administration session in which a control device remotely administers a client device. The service analyzes the administration traffic data to determine whether any portion of the administration traffic data is resulting from an administration session involving a trusted administrator. The service flags a first portion of the administration traffic data as authorized when the first portion of the administration traffic data is determined to result from an administration session involving a trusted administrator, and a second portion of the administration traffic data is non-flagged. The service assesses the second portion of the administration traffic data using a machine learning-based traffic classifier to determine whether the second portion of the administration traffic data is malicious.

Abstract: A first copy of a True Random Number (TRN) pool comprising key data of truly random numbers in a pool of files may be stored on a sender and a second copy of the TRN pool is stored on a receiver. An apparent size of the TRN pool on each device is expanded using a randomizing process for selecting and re-using the key data from the files to produce transmit key data from the first copy and receive key data from the second copy.

Abstract: The present disclosure discloses a vehicle and a vehicle security control method and system based on an open platform. The open platform includes a software development kit in which a control protocol is encapsulated, the software development kit provides an API function interface, and the method includes: receiving a call request from a third-party device for a target API function interface of the open platform; converting the call request by using the software development kit to generate a control signal that meets a requirement of the control protocol and that is used for controlling a first vehicle component in a vehicle; and transmitting the control signal to a security gateway through a first bus, to enable the security gateway to perform protocol conversion on the control signal, and transmitting the control signal to an in-vehicle network to control the first vehicle component in the vehicle.

Abstract: A device or space existed in a physical space is registered in the form of a digital object in a virtual space, a digital twin service is provided through connection between an offline device or space and the digital object in the virtual space.

Abstract: Provided herein are systems and methods for automatically limiting video surveillance collection to authorized uses and authorized users. To achieve this control, the authorization system can be configured to manage and secure a plurality of crypto keys associated with encrypting a plurality of corresponding video footages and release a crypto key for a video footage at approved times to limit user access to the video footage. In particular, the surveillance system can generate a video collection including a copy of portions of a received video footage that include one or more approved events from a watchlist of a user. Thereafter, the video footage can be encrypted by a first key managed by the authorization system and prevents the user from accessing video content of the video footage once encrypted. Accordingly, the user may be limited to accessing the video collection and not all the portions in the encrypted video footage.

Abstract: A share generating device obtains N seeds s0, . . . , sN?1, obtains a function value y=g(x, e)?Fm of plaintext x?Fm and a function value e, and obtains information containing a member yi and N?1 seeds sd, where d?{0, . . . , N?1} and d?i, as a share SSi of the plaintext x in secret sharing and outputs the share SSi. It is to be noted that the function value y is expressed by members y0?Fm(0), . . . , yN?1?Fm(N?1) which satisfy m=m(0)+ . . . +m(N?1).

Abstract: The present disclosure relates to a system and method for performing anti-malware scanning of data files that is data-centric rather than device-centric. In the example, a plurality of computing devices are connected via a network. An originating device creates or first receives data, and scans the data for malware. After scanning the data, the originating device creates and attaches to the data a metadata record including the results of the malware scan. The originating device may also scan the data for malware contextually-relevant to a second device.

Abstract: A method includes receiving an indication of a request from a client device. The request is for establishing an access session to perform one or more actions on data of a data processing platform. The method includes receiving data indicative of a context of the access session request and establishing a challenge session associated with the request that indicates one or more challenges required of a user associated with a client device to successfully respond to in order to establish the requested access session, a number or a type of the one or more challenges being determined based on the context, and establishing an access session to enable the user to perform the one or more actions on the data of the data processing platform if responses to all challenges in the challenge session are successful.

Abstract: The technology disclosed herein enables efficient launching of trusted execution environments. An example method can include: receiving, by a first computing device, a request from a second computing device to establish a set of trusted execution environments (TEEs) in the first computing device; establishing a first TEE of the set of TEEs in the first computing device, wherein the trusted execution environment comprises an encrypted memory area and executable code; receiving, by the first TEE, cryptographic key data from the first computing device; establishing, by the first TEE, a second TEE of the set of TEEs in the first computing device, wherein the second TEE comprises a copy of the executable code; providing, by the first TEE, the cryptographic key data to the second TEE; and causing the executable code of the second TEE to communicate with the first computing device using the cryptographic key data.

Abstract: In one embodiment, a domain controller (a) quarantines unknown devices at a first quarantine point at a first layer of a multi-layer communication model; (b) communicates with a domain name system (DNS) service to self-allocate and register a domain name with the DNS service; (c) receives a provisioning request for a first device via an access point, wherein the access point comprises a second quarantine point at a second layer of the multi-level communication model; (d) verifies a device type of the first device with the DNS service; and (e) responsive to that verification, provisions the first device into the domain. The domain controller may also send a provisioning response to the access point to enable the first device to be removed from the second quarantine point, to enable the first device to communicate with the domain controller. Other embodiments are described and claimed.

Abstract: An adversarial robustness testing method, system, and computer program product include testing a robustness of a black-box system under different access settings via an accelerator.