Patents Examined by Sher A Khan
  • Patent number: 11212318
    Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for service discovery and more specifically, for proving trustworthiness of particular service devices and/or mDNS controller/network elements with respect to DNS/mDNS service discovery. Such attestation techniques may implement canary stamps (e.g., tokens or metadata elements containing or reflecting security measures taken at the device).
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: December 28, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Selvaraj Mani, Frank Brockners, Shwetha Subray Bhandari
  • Patent number: 11206254
    Abstract: This disclosure relates to systems and methods for managing the operation of unmanned vehicles within policy managed locations and/or areas. In some embodiments, an unmanned vehicle may issue an operator signed request to enter a policy managed area and/or use a certain sensor system within a policy managed area to an unmanned vehicle management system. The unmanned vehicle management system may verify the operator's identity and associated rights with a trusted authority, identify a policy associated with the policy managed area, and enforce the identified policy in connection with generating a response to the request. In this manner, the use of unmanned vehicles and/or associated systems may be managed in accordance with certain policies and/or rules associated with a particular operating location and/or area.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: December 21, 2021
    Assignee: Intertrust Technologies Corporation
    Inventor: Yutaka Nagao
  • Patent number: 11201728
    Abstract: Example data leakage detection apparatus disclosed herein include a fingerprinter to generate a first data fingerprint of a first data item accessed from a data source. Disclosed example data leakage detection apparatus also include a blockchain scanner to scan a blockchain to detect whether a first blockchain record includes a second data fingerprint that matches the first data fingerprint of the first data item. Disclosed example data leakage detection apparatus further include a blockchain writer to write a second blockchain record to the blockchain when the second data fingerprint matches the first data fingerprint, the second blockchain record to indicate the first data item is associated with a data leak of a protected data item represented by the second data fingerprint. In some examples, the second blockchain record is to include the first data fingerprint and a first timestamp.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: December 14, 2021
    Assignee: McAfee LLC
    Inventors: Antoine Bouchard, Eric Wuehler, Jonathan B. King
  • Patent number: 11200332
    Abstract: A distributed data store may implement passive distribution encryption keys to enable access to encrypted data stored in the distributed data store. Keys to encrypt a data volume stored in the distributed data store may be encrypted according to a distribution key and provided to a client of the distributed data store. Storage nodes that maintain portions of the data volume may receive the encrypted key from a client to enable access to the data volume. The storage nodes may decrypt the key according to the distribution key and enable access to the data volume at the storage nodes. In some embodiments, a key hierarchy may be implemented to encrypt the keys that provide access to the encrypted data. The key hierarchy may include a user key.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: December 14, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Yan Valerie Leshinsky, Lon Lundgren, Stefano Stefani
  • Patent number: 11196567
    Abstract: A database management system receives a request to perform a transaction. The database management system commits the transaction, and in response to committing the transaction, generates a cryptographic hash based on an attribute of the transaction. The cryptographic hash is stored in a leaf-region of a hash tree. In response to a request to verify the transaction, signatures are retrieved from the tree based on a traversal of the tree to locate the node corresponding to the transaction. The retrieved signatures are used to verify the transaction.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: December 7, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Tate Andrew Certain, Yannis Papakonstantinou, Allan Henry Vermeulen, Christopher Richard Jacques de Kadt
  • Patent number: 11177953
    Abstract: An authentication system includes a microcontroller having a unique identifier (ID) and a first key pair including a microcontroller secret key and a microcontroller public key. The microcontroller is configured to store the unique ID, the first key pair, a digital signature of the unique ID, the digital signature being generated using an external secret key of a second key pair, and a digital certificate of the microcontroller public key that is signed by the external secret key of the second key pair. The second key pair includes the external secret key and an external public key. The authentication system further includes a controller configured to perform a first authenticity validation check on the unique ID using the external public key and perform a second authenticity validation check on the microcontroller public key using the external public key.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: November 16, 2021
    Inventors: Alexander Zeh, Martin Brunner, Marcus Janke
  • Patent number: 11178147
    Abstract: A method and system for performing federated identity management are described. The method and system include receiving a communication for a data source at a wrapper. The wrapper includes a dispatcher and a service. The dispatcher receives the communication and is data agnostic. The communication corresponds to end user credentials for an end user. The method and system include providing the communication from the dispatcher to the data source and to the service. The method and system also use the service to authenticate the end user based on the end user credentials and utilizing federated identity management.
    Type: Grant
    Filed: August 22, 2019
    Date of Patent: November 16, 2021
    Assignee: Cyral Inc.
    Inventors: Manav Ratan Mital, Srinivas Nageswarrao Vadlamani, Pramod Chandraiah, Hugo Araújo de Sousa
  • Patent number: 11163870
    Abstract: A method for authenticating devices and/or applications, specifically web applications, in a control system for an industrial plant, wherein the control system includes at least one local registration service and at least one software inventory, where the method includes determining by the at least one local registration service information about which communications protocols and/or applications are supported by the devices and/or applications and/or which communications protocols and/or applications are active, during authentication of the devices and/or applications within the control system, and storing the device-specific information determined by the local registration service in the at least one software inventory of the control system.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: November 2, 2021
    Assignee: Siemens Aktiengesellschaft
    Inventors: Benjamin Lutz, Anna Palmin
  • Patent number: 11159544
    Abstract: Disclosed embodiments provide systems, methods, and computer-readable storage media for secure data communication between two devices. A disclosed system responds to a request from an originating communication device in a first network to connect with a communication device in a second network, for communication, by receiving a request from the communication device in the first network, the request including payload data and a destination network address in the second network. The system then transmits the received payload data to the destination address in the second network after analyzing the payload data for network intrusion. When the analysis does not indicate network intrusion, the system determines a route to the destination network address by looking up the destination address in a routing table and forwarding the payload data to the destination network address in the second network. If the analysis indicates network intrusion, the system discards the payload data.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: October 26, 2021
    Assignee: Capital One Services, LLC
    Inventor: Paul Ellis Mayes
  • Patent number: 11157630
    Abstract: Methods, systems, and devices for data migration are described. In a system, databases may utilize different database-specific encryption keys for storage security. In some cases, the system may migrate data from a source database to a target database. To securely migrate the data, the source database may generate a temporary encryption key. The source database may decrypt the data using its database-specific key and may re-encrypt the data using this temporary encryption key. Additionally, the source database may wrap the temporary key with a public key corresponding to the target database. The source database may send the re-encrypted data and the wrapped temporary key to the target database. The target database may unwrap the temporary key using a private key associated with the public key and may decrypt the data using the temporary key before re-encrypting the data with its database-specific key for data storage.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: October 26, 2021
    Assignee: salesforce.com, inc.
    Inventors: Prasad Peddada, Taher ElGamal
  • Patent number: 11153077
    Abstract: A system and method for a secure key exchange between two trains operating within a track network may include generating a first or second public key based on a secret random number, generating a shared secret key based on the first or second public key, authenticating one or more key exchange communications by a remote server based on a digital signature established with an on-board key associated with the first train, authenticating a communication by a remote server based on the digital signature of the second train signed with an on-board key associated with the second train, and establishing secure train-to-train communication between the two trains by generating a shared secret key based on a public key received from the other train, the secure key exchange protecting the two trains from a man-in-the-middle attack.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: October 19, 2021
    Assignee: WESTINGHOUSE AIR BRAKE TECHNOLOGIES CORPORATION
    Inventors: Rebecca W. Dreasher, Stephen Craven, Matthew Steven Vrba
  • Patent number: 11144661
    Abstract: A user permission allocation method includes acquiring currently collected facial feature information of a user; determining a difference degree of the current facial feature information of the user according to the acquired facial feature information of the user and facial feature information included in stored standard sample information; and allocating a user permission to the user according to the determined difference degree. Compared with a manner of using a fixed face threshold, a difference degree of current facial feature information of the user is determined, and when a user permission is allocated to the user, an external factor that affects the collected facial feature information is used as a reference factor.
    Type: Grant
    Filed: September 10, 2019
    Date of Patent: October 12, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jiali Fu, He Wei
  • Patent number: 11140147
    Abstract: Improving a security configuration may include receiving a request to assign a single sign-on configuration for a user profile, presenting a user interface comprising input fields for configuration characteristics, receiving an indication from the user interface that an administrator is requesting to assign the configuration characteristics, in response to receiving the indication, performing a test connection using the configuration profile, and in response to determining that the test connection succeeded, prompting the administrator to activate the single sign-on communication for the user profile.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: October 5, 2021
    Assignee: ServiceNow, Inc.
    Inventors: Subbaaraya Kumar Deverakonda Venkata, Sanjay Shrikanth Kittur, Kai Xu, Ashok Ganesan, Wallace Peng
  • Patent number: 11139985
    Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: October 5, 2021
    Assignee: Journey.ai
    Inventors: Brett Shockley, Alexander John Shockley, Michael Joseph Frendo, Shmuel Shaffer, Kenneth Keiter, James M. Behmke
  • Patent number: 11139984
    Abstract: A system for verifying information associated with a user can include at least three devices. The first device is configured to transmit, to the second device, user-associated information, a unique identifier associated with the user-associated information and an identity digital signature generated using an identity private key associated with the user and a message comprising a previously determined hash of a portion of the user-associated information combined with the unique identifier. The second device is configured to generate the hash of the portion of the user-associated information combined with the unique identifier and transmit the generated hash and the identity digital signature to the third device. The third device is configured to lookup the generated hash in a database, verify the identity digital signature using the identity public key related to the generated hash in the database, and upon successful verification, transmit a success response to the second device.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: October 5, 2021
    Assignee: VOCALINK LIMITED
    Inventor: Michael Cole
  • Patent number: 11133940
    Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.
    Type: Grant
    Filed: December 4, 2019
    Date of Patent: September 28, 2021
    Assignee: Journey.ai
    Inventors: Brett Shockley, Alexander John Shockley, Michael Joseph Frendo, Shmuel Shaffer, Kenneth Keiter, James M. Behmke
  • Patent number: 11128615
    Abstract: A method and system may allow for authenticating a computing device. A computing device may send an authentication request over a network to an authentication computing device. The authentication request may include a user name and a password. The user name may include a credential and the password may be a digitally signed version of the user name. The authentication computing device may authenticate the requesting computing device by decrypting the password and comparing the received user name to the decrypted password.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: September 21, 2021
    Assignee: Comcast Cable Communications, LLC
    Inventors: Kris Bransom, Christopher Zarcone
  • Patent number: 11128474
    Abstract: The present disclosure includes secure device communication. An embodiment includes a processing resource, a memory, and a network management device communication component configured to send public information to a network attached device communication component, and receive a network attached device public key and an encrypted random string value from the network attached device communication component. The network attached device public key and the random string value are received independent of a type of the network attached device communication component due to the public information. The network management communication component is further configured to decrypt the random string value from the network attached device communication component and send, to the network attached device communication component, a message and a signature to authenticate independent of the type of the network attached device communication component due to the public information.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: September 21, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Alberto Troia, Antonino Mondello
  • Patent number: 11128610
    Abstract: Techniques are disclosed relating to multiway communications. In some embodiments, a first electronic device initiates a multiway call between a plurality of electronic devices and exchanges a first secret with a first set of electronic devices participating during a first portion of the multiway call, the first secret being used to encrypt traffic between the first set of electronic devices. The first electronic device receives an indication that the first set of participating electronic devices has changed and, in response to the indication, exchanges a second secret with a second set of electronic devices participating during a second portion of the multiway call, the second secret being used to encrypt traffic between the second set of participating electronic devices. In some embodiments, the indication identifies a second electronic device as leaving the multiway call, and the second secret is not exchanged with the second electronic device.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: September 21, 2021
    Assignee: Apple Inc.
    Inventors: Yan Yang, Jin Hyung Park, Joe S. Abuan, Berkat S. Tung, Sean P. Devlin, Vu H. Chiem, Jose A. Lozano Hinojosa, Thomas P. Devanneaux, Vladimir Goupenko, Hsien-Po Shiang, Daniel B. Pollack, Mark M. Xue, David J. Steele, Yu Xing, Ryan W. Baker, Christopher M. Garrido, Ming Jin
  • Patent number: 11115383
    Abstract: In described examples, a system on a chip (SoC) and method for sending messages in the SoC include determining locations of initiator-side firewall block and receiver-side firewall block memories using respective pointers to the firewall block memories stored in a single, contiguous memory. Addresses of the pointers within the single memory depend on respective unique firewall identifiers of the firewall blocks. An exclusive security configuration controller uses the pointers to configure the firewall blocks over a security bus which is electrically isolated from a system bus. The system bus is used to send messages from sending functional blocks to receiving functional blocks. The initiator-side firewall block adds a message identifier to messages. The message identifier depends on the initiator-side firewall block's configuration settings.
    Type: Grant
    Filed: December 14, 2018
    Date of Patent: September 7, 2021
    Assignee: Texas Instruments Incorporated
    Inventors: Amritpal Singh Mundra, Chunhua Hu