Abstract: A system provides cloud-based identity and access management. The system receives a request from a client for a resource, authenticates the request, and accesses a microservice based on the request. The system determines, by the microservice, whether the resource is cached in a near cache or in a remote cache, retrieves the resource from the near cache or from the remote cache when the resource is cached, and calls an administration microservice to obtain the resource when the resource is not cached. The system then provides the resource to the client.

Abstract: A security system comprises an access control node broadcasting a beacon including a time stamp and user devices generating replies to the beacon that are based on credential information for the user of the user device and the time stamp. The system relies on the users' wireless-capable mobile computing devices such as smartphones, tablets, or wireless fobs. A credential management system proves a system for the authentication of users and then issues security tokens as credential information to the users' mobile computing devices. These tokens are presented wirelessly by the devices to the security system's access control nodes, for example, where the access control nodes then decide whether to grant or deny access.

Abstract: Methods are described for constructing a secret key by multiple participants such that any quorum combination of participants can generate a fixed number of key components that can be combined by a recipient to generate the secret key. The methods permit an identical secret key to be generated by a different sized quorum from different participants if required. The keys may be used as private keys for encryption, decryption, digital signatures or authentication tokens and each key is generated from a key index. The circuits used by a quorum of participants for the generation of keys feature nested non-linear devices connected in series with outputs multiplied by stored secret values. Example applications are described including blinded cipher text generation, a multi-signature cryptocurrency system and an encrypted cloud storage system.

Abstract: Protecting the security of an entity by using passcodes is disclosed. A user's passcode device generates a passcode, where sometimes the device is called Alice. In an embodiment, the passcode is generated in response to receipt of user information. The passcode is received by another system (called Bob or the second party), which authenticates the passcode by at least generating a passcode from a passcode generator or nonce, and comparing the generated passcode with the received passcode. The passcode is temporary. At a later use a different passcode is generated from a different passcode generator. In these embodiments, there are asymmetric secrets stored on the passcode device (Alice's device) and by the administrator (Bob's device). This adds more security so that if the backend servers are breached, the adversary cannot generate valid passcodes. In some embodiments, the passcode depends on a nonce or the rounded time.

Abstract: To provide an information processing apparatus, a reading control method, and a computer readable storage medium that can improve the secrecy of information written in a secret area compared with the case of controlling access only by authentication, the information processing apparatus includes a nonvolatile memory that has a secret area where secret information is stored, an authentication controller that authenticates access to the nonvolatile memory, a flag information storage unit that stores flag information, and a memory controller that controls access to the nonvolatile memory by using the flag information stored in the flag information storage unit. The memory controller allows reading of the secret information from the secret area when a value of the flag information is a specified value and validity of access is authenticated by the authentication controller.

Abstract: Aspects of the present disclosure provide systems and methods for directly transferring tenant data hosted on a source domain to a target domain, wherein the source and target domains are associated with different server farms. Additionally, where the source domain is managed by a source management layer and the target domain is managed by target management layer, which source and target management layers are not in a trust relationship. Aspects describe establishing a secure, direct communication bus between the source and target management layers in order to accomplish a plurality of steps involved in transferring the tenant, wherein tenant data transferred thereon is encrypted. In example aspects, the direct communication bus terminates upon completion of the tenant data transfer.

Abstract: A portable device is provided. The portable device may include a display; an input device; a camera; a processor coupled to the display, the input device, and the camera; and a computer readable medium coupled to the processor, the computer readable medium comprising code, executable by the processor, to implement a method comprising: receiving authentication data from the input device, determining whether the received authentication data matches authentication data associated with an authorized user, and displaying, on the display, a credential, an item, and data associated with the item.

Abstract: A third party intermediary and a data protection method, system, and non-transitory computer readable medium, include a content request receiving circuit configured to receive a service request from a user, to communicate the service request to a provider, and to receive pre-approved versions of content from the provider, a content matching circuit configured to match a pre-approved version of content of the pre-approved versions of content to the user based on a condition of the user, a user data receiving circuit configured to receive user data to complete the pre-approved version of the content, and a zero-knowledge verifiable computing circuit configured to execute a program using zero-knowledge verifiable computing to remove private content from the pre-approved version of the content to ensure privacy of the condition of the user from the provider.

Abstract: Various embodiments are generally directed to techniques to load and run secure enclaves for use by kernel mode applications. An apparatus to provide kernel mode access to a secure enclave includes a kernel mode secure enclave driver to provide user mode support for a kernel mode application and to initialize a secure enclave on behalf of the kernel mode application and a user mode secure enclave manager to process an instruction from the kernel mode application to the secure enclave.

Abstract: Provided is a process of securing data in a distributed storage and processing application, the process including: obtaining a cluster of computing nodes, wherein: the cluster stores a plurality of ciphertexts; accessing a transformation key with a first computing node; transforming the ciphertext with the first computing node based on the transformation key into a transformed ciphertext configured to be decrypted with a temporary access key; decrypting the transformed ciphertext with the second computing node based on the temporary access key to obtain plaintext data.

Abstract: Method and system for routing communications traffic between a machine to machine, M2M, device connected to a telecommunications network and having an International Mobile Subscriber Identity, IMSI, and a server, the method comprising assigning an access point name, APN, from a plurality of APNs based on the IMSI of the M2M device. Routing, via the assigned APN, communications traffic between the M2M device and the server, wherein the server is determined based on one or more of: the IMSI, the APN and a characteristic of a communication traffic between the M2M device and the server.

Abstract: A system, method and computer program product obtains user data relating to a plurality of system users, who have previously been granted access to a resource in a context without complying with a ruleset defining criteria for automatically accessing the resource in the context. A combination of two or more user data properties having common values in user data of a subset of two or more of the plurality of system users is identified. A determination of whether the number of system users in the subset exceeds a predetermined threshold is made. If the number of system users in the subset exceeds the predetermined threshold, the ruleset is updated to include criteria based on the identified combination of two or more user data properties.

Abstract: An inconsistency in shares is detected with a small volume of communications traffic. n inconsistency detecting devices generate random numbers si and make the random numbers si public. The n inconsistency detecting devices generate a common random number s which is the sum total of the random numbers s0, . . . , sn?1. The n inconsistency detecting devices calculate shares [c]i. The n inconsistency detecting devices generate shares [r]i, each of which would become a random number r by reconstruction. The n inconsistency detecting devices calculate shares [d]i, each of which would become a judgment value d by reconstruction. One inconsistency detecting device receives shares [d]1, . . . , [d]n?1 from n?1 inconsistency detecting devices. The one inconsistency detecting device restores n?k shares [d]?k, . . . , [d]?n?1 from k shares [d]0, . . . , [d]k?1. The one inconsistency detecting device judges, for j=k, . . . , n?1, whether or not a share [d]j and a share [d]?j coincide with each other.

Abstract: A communication device to allocate shared keys to plural channels includes a storage, a receiver, a storage controller, an allocator, and an encryption processor. The storage includes a predetermined number of storage areas to store one or more shared keys shared with a destination device. The receiver is configured to receive a shared key. The storage controller controls storing the received shared key in any of the storage areas every time the shared key is received. The allocator can allocate the storage areas to communication channels used for communicating encrypted data between the communication device and the communication destination device, based on a ratio predetermined for each communication channel. The encryption processor can, according to a cryptosystem determined for the each communication channel, encrypt data and decrypt the encrypted data by using the shared key acquired from the storage area allocated to each communication channel.

Abstract: A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.

Abstract: Program code intended to be copied into the cache memory of a microprocessor is transferred encrypted between the random-access memory and the processor, and the decryption is carried out at the level of the cache memory. A checksum may be inserted into the cache lines in order to allow integrity verification, and this checksum is then replaced with a specific instruction before delivery of an instruction word to the central unit of the microprocessor.

Abstract: There is provided a method of operating a security token, said security token comprising a secure element and a microcontroller unit being coupled to said secure element, wherein: the secure element receives an authentication command from a host device while the microcontroller unit is in a first sleep state; the secure element decodes the authentication command, sends a corresponding authentication request to the microcontroller unit and subsequently enters into a second sleep state; the microcontroller unit wakes up upon receiving the authentication request and subsequently determines an amount of available power; the microcontroller unit processes the authentication request only if the amount of available power exceeds a threshold. Furthermore, a corresponding computer program product and a corresponding security token are provided.

Abstract: A method includes generating a tokenized representation of a given software script, the tokenized representation comprising two or more tokens representing two or more commands in the given software script. The method also includes mapping the tokens of the tokenized representation to a vector space providing contextual representation of the tokens utilizing an embedding layer of a deep learning network, detecting sequences of the mapped tokens representing sequences of commands associated with designated types of script behavior utilizing at least one hidden layer of the deep learning network, and classifying the given software script based on the detected sequences of the mapped tokens utilizing one or more classification layers of the deep learning network. The method further includes modifying access by a given client device to the given software script responsive to classifying the given software script as a given software script type.

Abstract: Provided is a process including: encrypting each of a plurality of data encryption keys with a first public cryptographic key to form encrypted data encryption keys; obtaining a second public cryptographic key; generating a transformation key based on the first public-private cryptographic key pair and the second public cryptographic key; and transforming the encrypted data encryption keys with proxy re-encryption based on the transformation key; and obtaining the second private cryptographic key and the transformed encrypted data encryption keys.

Abstract: Provided is a computer system and method that enables delegated access to encrypted information for distributed messaging and queuing frameworks, or in general, to publish/subscribe architectures. In said frameworks and architectures, data is published by data producers and organized in channels or queues, which consumer applications can subscribe to, and that are managed by one or multiple broker entities.