Patents Examined by Trang T Doan
  • Patent number: 11792004
    Abstract: Polynomial multiplication for side-channel protection in cryptography is described. An example of an apparatus includes one or more processors to process data; a memory to store data; and polynomial multiplier circuitry to multiply a first polynomial by a second polynomial, the first polynomial and the second polynomial each including a plurality of coefficients, the polynomial multiplier circuitry including a set of multiplier circuitry, wherein the polynomial multiplier circuitry is to select a first coefficient of the first polynomial for processing, and multiply the first coefficient of the first polynomial by all of the plurality of coefficients of the second polynomial in parallel using the set of multiplier circuits.
    Type: Grant
    Filed: September 17, 2021
    Date of Patent: October 17, 2023
    Assignee: INTEL CORPORATION
    Inventors: Santosh Ghosh, Manoj Sastry
  • Patent number: 11790470
    Abstract: Techniques are described for storing customer data in compliance with data retention policies, including data retention policies that may be imposed by law or regulation. A merchant website may be configured to gather customer information using an inline form obtained from a service provider, where the inline form protects the customer information from being accessed by the website. The customer information is provided from the inline form to the service provider, and the service provider stores the customer information for the merchant, while applying appropriate data retention policies. The merchant may avoid potential violations of retention policies by accessing the stored information without committing it to local persistent memory. In some cases, the stored information may be presented to the merchant through an inline form that protects the information from being accessed by computing components of the merchant.
    Type: Grant
    Filed: March 16, 2018
    Date of Patent: October 17, 2023
    Assignee: Block, Inc.
    Inventor: Jonathan Andrew Wolter
  • Patent number: 11785054
    Abstract: Techniques for deriving system architecture from security group relationships are described. One or more security group rules can be obtained for an application, the one or more security group rules controlling communication of one or more security groups. The one or more security group rules can be analyzed to determine placement data for the one or more security groups. The placement data can be provided to a placement service, and the placement service can be caused to deploy at least one virtual machine using the placement data.
    Type: Grant
    Filed: April 16, 2020
    Date of Patent: October 10, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Elaine Harvey
  • Patent number: 11785014
    Abstract: Methods, apparatuses, and computer program products are disclosed for securely delivering digital content to a user. An example method includes receiving a request for digital content for presentation by a first user device associated with a first user profile and receiving contextual device data of the first user device. The example method further includes comparing the contextual device data of the first user device and a secure context dataset to determine a device delivery context of the first user device. In instances in which the contextual device data of the first user device fails to satisfy one or more security thresholds defined by the secure context dataset, the method determines an unsecure delivery context and generates secured digital content. The example method further includes causing presentation of the secured digital content via a second user device associated with the first user profile.
    Type: Grant
    Filed: January 21, 2021
    Date of Patent: October 10, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Robert Milden, Terri C. Kennell, Chemere Davis, Matt Hord, Abhijit Rao
  • Patent number: 11777963
    Abstract: A processing pipeline for supporting machine-learning processes for network monitoring and information management as well as specific analytics for particular use cases. The processing pipeline 500 takes in system data (502) and pre-processes (504) the system data. The system data (502) may include any of the types of data described above including text log files, and categorical data from various sources. The illustrated processing pipeline 500 includes two branches: a data fitting branch (506) where a model is developed for the data and a data transformation branch (508) where the developed model is leveraged to transform live data. For certain event detection use cases, the output of the data transformation branch (508) includes a score (510) (e.g., a threat level score) and an attribution (512).
    Type: Grant
    Filed: January 18, 2018
    Date of Patent: October 3, 2023
    Assignee: LogRhythm Inc.
    Inventors: Phillip Villella, Daniel Kaslovsky, Dean Wyatte
  • Patent number: 11764971
    Abstract: A method comprises receiving, by a computing system from a signing party, a signing party identifier and a token. The token includes an encrypted biometric sample encrypted using an encryption key and an encrypted record of an electronic agreement encrypted using the encryption key, the encrypted record cryptographically bound with the encrypted biometric sample. The method further includes receiving, by the computing system from the signing party, a message and determining, based on the message, that the signing party is rescinding the electronic agreement. The computing system then retrieves a stored knowledge factor associated with the signing party identifier, generates a decryption key using the stored knowledge factor as an input to a password authenticated key exchange protocol, decrypts the encrypted biometric sample from the token using the decryption key to retrieve a biometric sample, and transmits the biometric sample to the signing party.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: September 19, 2023
    Assignee: WELLS FARGO BANK, N.A.
    Inventor: Phillip H. Griffin
  • Patent number: 11757630
    Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK ID from the peer to complete authentication of the peer. The PPK ID is received from the peer, and the encrypted COMMON-SEED and PPK ID are sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: September 12, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Amjad Inamdar, Lionel Florit, Eric Voit, Sujal Sheth, Chennakesava Reddy Gaddam
  • Patent number: 11757883
    Abstract: Techniques for sharing or borrowing communication lines are discussed herein. For example, a system can distinguish between a communication line borrower and a communication line owner based on unique user identifiers. The system can identify the communication line borrower as an intended recipient of communication information and user information based on a unique identifier of the communication line borrower that is associated with the communication information and user information by one or more network nodes. The system can secure the shared communication line against activation by the communication line owner and additional communication line borrowers while the shared communication line is assigned to the communication line borrower.
    Type: Grant
    Filed: June 18, 2020
    Date of Patent: September 12, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venkata Kondeti
  • Patent number: 11750580
    Abstract: A system, computer-readable storage medium, and method for secure network communication. A first device employs a first secret to establish a stream between the first and a second device. A third key, first ciphertext based on a first key, and hash of the first key are received from the second device by the first. A second key is applied to recover a second secret from the first ciphertext. The third key is encrypted to generate a second ciphertext including a third secret. Fourth and fifth keys are derived based on the first, second, and third secrets. A message authentication code is generated based on the fourth and third keys, first ciphertext, hash of the first key, and second ciphertext. The second ciphertext and message authentication code are transmitted by the first to the second device, and the fifth key is employed by the first device to modify the stream.
    Type: Grant
    Filed: February 3, 2022
    Date of Patent: September 5, 2023
    Assignee: Avast Software s.r.o.
    Inventors: Christopher Joseph O'Connell, Barna Csukas, Gabor Miklos, Vitalii Sydorovych, Rui Santos, Michal Hojsík
  • Patent number: 11750596
    Abstract: Methods and systems for using ephemeral URL passwords to deter high volume attacks are described. A request to access one of several protected URLs is detected from a client computing device. A URL password is received from the client computing device. The request is redirected to the protected URL upon determining that the received URL password is valid for the one of the several protected URLs.
    Type: Grant
    Filed: February 28, 2022
    Date of Patent: September 5, 2023
    Assignee: PAYPAL, INC.
    Inventor: John Franco
  • Patent number: 11741248
    Abstract: An information security system that includes a data control engine configured to receive a data file and to segment the data file into a set of data blocks that each contain a portion of data from the data file. The data control engine is further configured to associate the set of data blocks with a reference tag and to store an association between the set of data blocks and the reference tag. The data control engine is further configured to identify an access key for encrypting each data block, to encrypt each data block with a corresponding access key, and to store an association between each data block and each corresponding access key. The data control engine is further configured to store each data block in a memory and to store location information identifying the location of each data block in the memory.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: August 29, 2023
    Assignee: Bank of America Corporation
    Inventors: Manu J. Kurian, Michael R. Young, Jo-Ann Taylor
  • Patent number: 11729211
    Abstract: A method of classifying electronic communications includes receiving an electronic message. A whitelist is input comprising at least one entry associated with an authoritative entity. At least one similarity score is computed based on an extent to which the message matches the entry in the whitelist. When the similarity score exceeds a threshold value, an indicator is output of a risk that the message appears to be associated with the authoritative entity. It is determined whether the message was sent from the authoritative entity based on at least one of attempting to verify an email authentication, and comparing an email address of a sender of the message to an email address associated with the authoritative entity. Responsive to determining that the message was sent from the authoritative entity, the message is delivered. Responsive to determining that the message was not sent from the authoritative entity, a security action is performed.
    Type: Grant
    Filed: October 25, 2017
    Date of Patent: August 15, 2023
    Assignee: ZapFraud, Inc.
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 11722735
    Abstract: Tools are provided for distributing access-restricted content in an internet protocol television (“IPTV”) environment based on portable entitlement keys. Such tools can include a decoder, an encoder, and a network entitlement handler. The decoder may be configured to receive a key associated with entitlement information, and transmit the entitlement information over a network. The encoder may be configured to receive content from content providers, and to encode the content to create IP-compatible content, with access restrictions based on entitlement. The network entitlement handler may be configured to receive a request for requested content from the decoder; receive the access-restricted content (including the requested content) from the encoder; and transmit the requested content over the network to the decoder using IP, when the decoder is entitled to receive the requested content.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: August 8, 2023
    Assignee: TIVO CORPORATION
    Inventors: Steven M. Casey, Gnanasegeran Selvadurai, Felipe Castro, Waqar Khan
  • Patent number: 11711397
    Abstract: In an example embodiment, a PICNEEC is provided. It includes one or more Virtual Customized Rules Enforcer (VCRE) instances, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices. Each VCRE is configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet. Each VCRE instance is controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider.
    Type: Grant
    Filed: June 20, 2019
    Date of Patent: July 25, 2023
    Assignee: JPU.IO LTD
    Inventors: Jonathan Schwartz, Franck Malka
  • Patent number: 11706382
    Abstract: Apparatus and methods for encrypting captured media. In one embodiment, the method includes capturing media data via use of a lens of an image capture apparatus; obtaining a number used only once (NONCE) value from the captured media data; obtaining an encryption key for use in encryption of the captured media data; using the obtained NONCE value and the obtained encryption key for encrypting the captured media data; and storing the encrypted media data. In some variants, the media is encrypted prior to storage, thereby obviating any instances in which the captured media data resides in a wholly unencrypted instance. Apparatus and methods for decrypting encrypted captured media are also disclosed.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: July 18, 2023
    Assignee: GoPro, Inc.
    Inventors: Craig Davidson, David Newman
  • Patent number: 11706202
    Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.
    Type: Grant
    Filed: January 25, 2021
    Date of Patent: July 18, 2023
    Assignee: VMware, Inc.
    Inventors: Suman Aluvala, Ramani Panchapakesan, Rajneesh Kesavan, Arjun Kochhar
  • Patent number: 11689578
    Abstract: In one example, a management node and an infrastructure node external to the management node may be identified in a cloud computing environment. The management node may execute a centralized management service and the external infrastructure node may execute a first infrastructure service that handles at least one infrastructure network function for the centralized management service. Further, a second infrastructure service may be deployed on the management node. Data in the first infrastructure service may be replicated to the second infrastructure service. Furthermore, the centralized management service in the management node may be repointed to the second infrastructure service such that the second infrastructure service is to operate within the management node.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: June 27, 2023
    Assignee: VMWARE, INC.
    Inventors: Dinesh Sharma, Ammar Rizvi, Akash Kodenkiri, Sachin Johri, Sachin Motegowda
  • Patent number: 11681831
    Abstract: An approach is provided that receives a set of actual hardware power consumption details and a set of software activity details with all of the details pertaining to the use of a computer system at a first time. Based on the set of software activity details, the approach determines a set of expected hardware power consumption details. The set of actual hardware power consumption details are compared to the set of expected hardware power consumption details. If the comparison identifies variances between the actual and expected data, then a security threat is flagged and threat responses are performed.
    Type: Grant
    Filed: April 10, 2019
    Date of Patent: June 20, 2023
    Assignee: International Business Machines Corporation
    Inventors: HuyAnh D. Ngo, Juan A. Martinez Castellanos, Srinivas B. Tummalapenta
  • Patent number: 11683311
    Abstract: The disclosed computer-implemented method for running applications on a multi-tenant container platform may include (1) receiving, at a host administrator service on a container host computing device and via a host administrator service socket handle, a request for a privileged operation from an application running in a non-privileged container, (2) performing, based on a user identifier of the application, a security check of a user associated with the application, (3) comparing, when the security check results in approval, a process identifier of the requested privileged operation against a whitelist of permitted operations to determine the requested privileged operation is permissible, and (4) initiating running, when the requested privileged operation is permissible, the requested privileged operation. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 1, 2018
    Date of Patent: June 20, 2023
    Assignee: Veritas Technologies LLC
    Inventor: Vikas Goel
  • Patent number: 11671834
    Abstract: An electronic device is provided. The electronic device includes a near-field communication (NFC) communication circuit, an ultra-wideband (UWB) communication circuit connected with the NFC communication circuit, at least one secure element operatively connected with the NFC communication circuit and configured to store security information, and a processor disposed in the NFC communication circuit and operatively connected with the UWB communication circuit, wherein the processor is configured to receive a data request from an external electronic device via the UWB communication circuit, access at least part of the security information stored in the at least one secure element, based on a routing table matching the data request with the at least one secure element, and transmit the at least part of the security information to the external electronic device via the UWB communication circuit.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: June 6, 2023
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Yi Yang, Jiho Shin, Moonseok Kang, Hyunchul Kim, Jonghoon Jang, Sehwan Choi, Sukgi Hong