Abstract: Disclosed herein is a method of accessing a cache, the method comprising: mapping respective physical line addresses (PLAs) of a plurality of PLAs to respective cache locations of a plurality of cache locations in a cache, each PLA of the plurality of PLAs having an associated memory line; encrypting, with a block cipher using a first key, a first PLA of the plurality of PLAs to provide a first encrypted line address (ELA), the first ELA having an associated first encrypted cache location; upon receiving a request to access a first memory line associated with the first PLA, encrypting, using the first key, the first PLA into the first ELA to determine the associated first encrypted cache location; and accessing the first encrypted cache location. Also disclosed herein are systems for implementing the same.

Abstract: A method comprises receiving a current instruction for metadata processing performed in a metadata processing domain that is isolated from a code execution domain including the current instruction. The method further comprises determining, by the metadata processing domain in connection with metadata for the current instruction, whether to allow execution of the current instruction in accordance with a set of one or more policies. The one or more policies may include a set of rules that enforces execution of a complete sequence of instructions in a specified order from a first instruction of the complete sequence to a last instruction of the complete sequence. The metadata processing may be implemented by a metadata processing hierarchy comprising a control module, a masking module, a hash module, a rule cache lookup module, and/or an output tag module.

Abstract: Various embodiments relate to a method and system for resuming a secure communication session with a server by a device, including: sending a message to the server requesting the resumption of a secure communication session; receiving from the server a server identifier, a server nonce, and a salt; determining that the device has a shared key with the server based upon the server identifier; determining that the received salt is valid; calculating a salted identifier based upon the shared key and the salt; sending the salted identifier to the server; and resuming the secure communication session with the server.

Abstract: Computer-implemented methods are provided herein for quantifying correlated risk in a network of a plurality of assets having at least one dependency, where each asset belongs to at least one entity. The method includes generating a dependency graph based on relationships between the assets, at least one dependency, and at least one entity, and executing a plurality of Monte Carlo simulations over the dependency graph. Executing a plurality of Monte Carlo simulations includes generating a seed event in the dependency graph, where the seed event has a probability distribution, and propagating disruption through the dependency graph based on the seed event. The method further includes assessing loss for each of the assets, and aggregating losses for two or more assets to determine correlated risk in the network.

Abstract: A method performed by a computing device of establishing a secret shared between a first communications device and at least one second communications device is provided. The method comprises acquiring, using a first means of communication with the first communications device, a first data representation from which the shared secret can be derived. The method further comprises generating a second data representation from the first data representation, from which second data representation the shared secret can be derived. Moreover, the method comprises providing, using a second means of communication, the second communications device with the second data representation, the first means of communication being different from the second means of communication.

Abstract: A received message sent from a first message account to a second message account is received. A security risk associated with the received message is determined. It is determined that the security risk associated with the received message meets one or more criteria. Based on the determination that the security risk associated with the received message meets the one or more criteria, a responsive message in response to the received message is automatically generated and sent. An interaction with the responsive message is analyzed. Based on a result of the analysis of the interaction with the responsive message, a security risk associated with the first message account is classified.

Abstract: A container-based software implementation uses separate containers for software libraries and application code. A storage system may have multiple applications executing to control various aspects of operation of the storage system, and to enable access to the storage system by hosts. These applications are containerized separately from the libraries referenced by the applications, and the libraries are commonly housed in a separate container. The libraries may be open-source libraries, proprietary libraries, or third-party dependent libraries. A vulnerability management system scans the application containers to determine dependencies between applications and libraries, including the number of containers that reference a particular library and the frequency with which microservices of the containerized application reference the library.

Abstract: Systems and methods for protecting block cipher computation operations, from external monitoring attacks.

Abstract: Systems and processes for improved processing of biometric data may include a hash controller including a processor, a server, and a registry. The hash controller can receive biometric information, such as a biometric scan, and apply an EGH transformation to convert the biometric information into an irreversible, unlinkable, and revocable EgHash. The EGH transformation can include blending biometric information with non-biometric information and permuting the biometric representation for additional security. The permuted biometric representation can be projected based on a randomly generated matrix and the output permuted to obtain an EgHash. The resultant EgHash can be lossy such that the EGH transform causes an irreversible loss of biometric information between the original biometric information and the EgHash. The EgHash can be compared and retrieved at speed and scale by the processor to support operations including, but not limited to, verification, identification, and database deduplication.

Abstract: Circuits and methods for performing a hash algorithm are disclosed. A circuit includes: an input module receiving data; and an operation module calculating a hash value based on the received data. The operation module includes multiple operation stages (0th operation stage, 1st operation stage, up to P-th operation stage, P being a fixed positive integer greater than 1 and less than the number of operation stages in a pipeline structure) arranged in the pipeline structure. Each of the 1st operation stage to P-th operation stage includes: cache registers storing intermediate values of a current operation stage and operating at a first frequency, and extension registers storing extension data of the current operation stage and the extension registers comprising a first set of extension registers operating at the first frequency and a second set of extension registers operating at a second frequency which is 1/N times the first frequency.

Abstract: A method and apparatus for a certificate authority system providing authentication to a plurality of devices associated with an organization are described. The method may include receiving, at the certificate authority system, a request from a device to sign authentication information of the device, wherein the device is associated with the organization. The method may also include sending a challenge to the device to perform an action with a system other than the certificate authority system, and receiving the response to the challenge from the device. Furthermore, the method may include verifying that the response was generated correctly based on the challenge, and signing the authentication information of the device with one or more keys of the certificate authority system as an authentication of an identity of the device.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: An electronic device and method of operating an electronic device are provided. The electronic device includes an integrated circuit including at least one key, at least one processor including the integrated circuit, and a memory operatively connected to the at least one processor. The memory stores instructions that, when executed, cause the at least one processor to obtain at least one piece of hardware information related to the electronic device, generate a signed certificate signing request including the at least one piece of hardware information, based on the at least one key, transmit the signed certificate signing request to an external electronic device, receive an attestation certificate generated based on the signed certificate signing request, from the external electronic device, and store the received attestation certificate in the memory.

Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.

Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.

Abstract: A verification device provides an approach to identification and authorization by requiring an authorized biometric presence before permitting the input of a sequence of signals. Furthermore, the device may be configured to recognize incorrect inputs, and to respond by transmitting an alert code while providing limited functionality to convince an unauthorized user that access has been granted until a location of the device has been determined.

Abstract: Aspects of the disclosure relate to edge-computing (“EC”)-based systems and methods for fraud mitigation. The systems and methods may utilize a multi-layer architecture. The architecture may include a set of N gatekeeper units, and each gatekeeper unit may be associated with an EC device. When a transaction request is received, the request may be processed at a first gatekeeper unit, and, if validated, successively processed by the set of N gatekeeper units. If any gatekeeper unit flags the request as suspicious, the unit may emit an audible alert that may be sensed by the associated EC device. The EC device may transmit a signal to one or more of the other gatekeeper units to perform additional processing for the request. When the request reaches the Nth gatekeeper unit and achieves validation, the transaction may be executed via a central server connected to a transaction network.

Abstract: Disclosed in a processor chip configured to perform neural network processing. The processor chip includes a memory, a first processor configured to perform neural network processing on a data stored in the memory, a second processor and a third processor, and the second processor is configured to transmit a control signal to the first processor and the third processor to cause the first processor and the third processor to perform an operation.

Abstract: A memory controller for controlling a non-volatile memory device includes a key management unit configured to control an access right to a secure key based on a biometric authentication message and a unique value, which are received from an external device; and a data processing unit configured to encrypt data received from a host and decrypt data stored in the non-volatile memory device based on the secure key.

Abstract: The present disclosure relates to a method and system for securely transferring master keying material between to a slave dongle (12). Each slave dongle (12) is connected to a data transfer system. The slave dongle (12) contains a public key and a private key and the data transfer system holds a master keying material source that contains master keying material to be transferred securely to the slave dongle (12). The slave dongle's public key is transferred to the master keying material source. The master keying material source encrypts the master keying material with the slave dongle's public key to produce an encrypted master keying material. The encrypted master keying material is sent to the slave dongle (12) and the slave dongle (12) decrypts the encrypted master keying material with the slave dongle's private key. This allows multiple users, each having a slave dongle (12a-n) that has been configured in this manner, to use the same master keying material to securely communicate with one another.