Abstract: The present disclosure relates to a computing architecture configured to run a first operating system (512) and an isolated operating system (520), wherein the computing architecture is configured to load and run the isolated operating system before loading and running the first operating system.

Abstract: A method for storing data in a tamper-proof manner in a data block structure. The method includes, for a group of data blocks, determining functions, which are assigned to the data blocks of the group and dependent on the data stored in the corresponding data block; creating a combination of all functions assigned to the data blocks of the group; and determining a combination-dependent coefficient for each function of the combination, so that the combination meets a predefined condition; and for each data block of the group, determining a control group of data blocks of the group assigned to the corresponding data block; and storing the coefficient that was determined for the function of the corresponding data block in all data blocks of the control group.

Abstract: A computer implemented method of protecting data in a message for communication from a sender to a receiver, the sender and receiver sharing a secret, the method including splitting the message into a plurality of ordered message blocks, the order being a proper order such that an aggregation of the blocks in the proper order constitutes the message; generating a hash value for each message block, each hash value being generated on the basis of at least a content of the block and the secret; generating, for each block, an encoded indication of a position of the block in the proper order of blocks, the encoding being reversible and based on at least the hash value for the block and a position of the block in the proper order; communicating the blocks to the receiver in an order different to the proper order so as to obfuscate the message; and communicating the encoded indications to the receiver such that the blocks can be reassembled by the receiver in the proper order on the basis of the shared secret.

Abstract: Techniques are disclosed to provide enhanced online security. A network server actively monitors data between a network server hosting a website and a computing device. Some of the disclosed techniques leverage “cookie stitchers” to associate user data, which may include a website identifier, to the user's computing devices. These techniques allow the network server to block access to explicitly identified computing devices, or to trigger two-factor authentication.

Abstract: An external trusted time source is implemented over a network for conditional access system (CAS)/digital rights management (DRM) client devices. A client device includes untrusted software and a trusted execution environment (TEE) for processing an entitlement management message (EMM) that includes an epoch sequence number (ESN) transmitted from an EMM server using a first network connection. A remaining client key set (CKS) lifetime value is stored and updated in the TEE based on the ESN processed.

Abstract: A system and method for securely recording voice communications, comprising a network-connected computer server and an authentication system which verifies the validity of voice communications.

Abstract: Various embodiments may include methods and systems for providing secure in-memory device access of a memory device by a system-on-a-chip (SOC). Various methods may include receiving a configuration message from the SOC for configuring a memory access control of the memory device, and configuring the memory access control based on the configuration message. Various embodiments may include receiving an access request message from the SOC requesting access to a memory base address and a memory access range of a memory cell array of the memory device, wherein the access request message includes a read/write operation. Various embodiments may include comparing the access request message with the configured memory access control to determine whether the access request message is allowable. Various embodiments may further include performing the read/write operation in response to determining that the access request message is allowable.

Abstract: A method includes receiving, for metadata processing, a current instruction with associated metadata tags. The metadata processing is performed in a metadata processing domain isolated from a code execution domain including the current instruction. Each respective associated metadata tag represents a respective policy of the composite policy. For each respective metadata tag, the method includes determining, in the metadata processing domain and in accordance with the metadata tag and the current instruction, whether a rule exists for the current instruction in a rules cache. The rules cache may include rules on metadata used by the metadata processing to define allowed instructions. The determination of whether a rule exists results in a respective output, which may include generating a new rule and inserting the new rule in the rules cache. Control Status Registers, and associated tags, may be used to accomplish the metadata processing.

Abstract: Disclosed are various embodiments for facilitating the cancellation or reversion of unauthorized operations. An operation initiated to be executed with respect to a user account is received from a computing device that has been authenticated. A notification of the operation is sent through at least one communication channel in response to receiving the operation. The notification facilitates a reply that causes the operation to be cancelled when the reply is sent within a first time period and causes the operation to be reverted when the reply is sent within a second time period after an expiration of the first time period.

Abstract: A distributed ledger management method performed by each of nodes 211 configuring a distributed ledger system, includes: holding, in an end block 102, signatures of respective organizations operating the respective nodes, hash values of respective groups of blocks into which a blockchain 215 is divided by a number of the operating organizations, information on organizations by which the group of blocks is to be held, and a verification frequency for the hash value between the organizations; specifying a group of blocks to be held by the organization; deleting a block other than the group of blocks in the blockchain 215; and performing a tamper verification of requesting a node 211 of another organization to transmit the hash value of the group of blocks to be held by the other organization at a verification frequency, and collating the hash value with the hash value included in the end block 102.

Abstract: An electronic apparatus having a memory arrangement, which is configured to store a plurality of sets of private-key material, and a data processor, which is configured to sign a message in accordance with two or more sets of private-key material from the plurality of sets of private-key material.

Abstract: Systems and methods of generating a software module, including: receiving a cryptographic key identification (ID) and a cryptographic operation type from at least one executable program, generating a software module configured to perform the cryptographic operation with a cryptographic key, sending the software module to the at least one executable program, and performing the operation having the cryptographic operation type with the software module, wherein the software module is generated based on at least one of: a transformation of the cryptographic key corresponding to the received cryptographic key ID, and the received cryptographic operation.

Abstract: Systems and methods are provided for improved security services. In one aspect, a method is provided for controlling an autonomous data machine situated near a monitored environment. The method comprises: obtaining security data from a plurality of data sources; analyzing the security data to generate an analysis result; determining, based on the analysis result, an action to be performed by the autonomous data machine; and transmitting a command to the autonomous data machine causing it to perform the action.

Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.

Abstract: Described are techniques for securing a most recent block in a data structure such as a blockchain. Techniques include configuring a data processing node that is deployable to a physical location, with a module that generates a verification signing key (VSK) pair, the VSK pair including a private VSK key that is known only to the data processing node, and a public VSK key, receiving by the data processing node, an indication of the deployment to the physical location, generating in response to the indication, by the data processing node the verification signing key (VSK) pair, and transmitting from the data processing node the public VSK key to one or more electronic devices. These techniques assure to a high degree that the generated private key remains unknown and thus can be used to secure the most recent block that is added to a data structure such as a blockchain.

Abstract: A method (400) for accessing one or more service processes (222) of service (250) includes executing at least one service enclave (220) and executing an enclave sandbox (200) that wraps the at least one service enclave. The at least one service enclave provides an interface to the one or more service processes. The enclave sandbox is configured to establish an encrypted communication tunnel (210) to the at least one service enclave interfacing with the one or more service processes, and communicate program calls (302) to/from the one or more service processes as encrypted communications through the encrypted communication tunnel.

Abstract: Techniques are disclosed securely communicating traffic over a network. In some embodiments, an apparatus includes a first circuit having a local clock configured to maintain a local time value. The first circuit is configured to determine a synchronized time value based on the local time value, the synchronized time value being an expected time value of a reference clock. The first circuit is further configured to generate a first encryption key by calculating a key derivation function based on the synchronized time value and encrypt a portion of a packet using the first encryption key, the portion of the packet being to be communicated to a second circuit. In some embodiments, the apparatus further includes a first network node coupled to the first circuit and configured to communicate the packet to a second network node coupled to the second circuit and to include the synchronized time value in the packet.

Abstract: An authentication method is disclosed, the method comprising: receiving at least one request for an action in relation to an electronic device, wherein performance of the action requires verification of an association of a group of IDs specified by the request; verifying, via cryptographic verification, whether the group of IDs specified by the request match a cryptographically attested group of IDs associated with the electronic device, to determine whether the at least one request for an action is an authentic request; and, having determined the at least one request for an action is an authentic request, approving the at least one request, wherein the group of IDs comprises at least an Integrated Circuit Card Identifier (ICC ID) of a Subscriber Identity Module (SIM) of the electronic device and a device identifier associated with the electronic device.

Abstract: An authentication method and system for mutual authentication between a first entity and a third entity via a second entity, based on an authentication protocol used by the first entity and the third entity. The second entity forwards mutual authentication messages between the first entity and the third entity. An apparatus is configured to perform an authentication method for a mutual authentication between a first entity and a third entity via a second entity, based on an authentication protocol used by the first entity and the third entity, the second entity forwards mutual authentication messages between the first entity and the third entity.

Abstract: Certain aspects relate to encryption systems and methods for medical devices. A medical device can include a connectivity module for establishing a communication channel with a cloud system. After obtaining a test result, the device can generate an unencrypted data block comprising a device identifier and an encrypted data block comprising a serial number of the device and the test result using an encryption key associated with the device identifier. The device can securely send the test result to the cloud system by transmitting the unencrypted data block and the encrypted data block to the cloud system via the communication channel.