Patents Examined by Venkat Perungavoor
  • Patent number: 11544403
    Abstract: A system and method for the decentralized storage of data is provided that pre-processes data files to generate multiple subsets of encrypted data that includes randomly selected portions of data from different data files. The subsets of encrypted data are then transmitted to multiple remote servers that are randomly chosen for each subset of encrypted data. The local encryption key that was used to encrypt the data is required to reconstruct the data file. The system and method is particularly suited for the decentralized storage of medical data.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: January 3, 2023
    Assignee: MediCapture, Inc.
    Inventor: Alexander Yurusov
  • Patent number: 11546331
    Abstract: Credential and authentication management in scalable data networks is described, including detecting a request from an extension installed on a browser to access a data network, initiating another request from the extension to a server to retrieve authentication data to access the data network, transferring from the server to the extension the authentication data and an instruction to the extension to generate a further request, transmitting the further request to the data network from the browser, the request comprising the authentication data from the server without manual input of the authentication data, presenting an overlay on the browser, the overlay being configured to indicate a login status associated with the data network, and monitoring a cookie and data transferred between the data network and the browser at an application layer or data layer after access to the data network has been provided to the browser in response to the request.
    Type: Grant
    Filed: September 21, 2020
    Date of Patent: January 3, 2023
    Assignee: Spredfast, Inc.
    Inventors: Michael Senftleber, Zachary Daniel Kloepping, Derek Joseph Wene, Blake T. Kobelan, Chad Walter Gowan
  • Patent number: 11546297
    Abstract: Embodiments of the present disclosure provide a secure communication method, a client and a non-public server. The secure communication method includes: generating a set of destination addresses of a non-public server based on an IPv6 prefix of the non-public server, and a signature string and a user ID of a client, wherein the signature string is obtained by signing an IPv6 address and the user ID of the client based on a private key of the client; initiating a set of connection requests to the non-public server based on a set of communication connections containing the set of destination addresses, for the non-public server to determine a public key corresponding to a user ID based on the user ID in the set of destination addresses, verifying the set of communication connections based on the public key, and establishing communication when the verification of the set of communication connections passes.
    Type: Grant
    Filed: March 1, 2021
    Date of Patent: January 3, 2023
    Assignee: Tsinghua University
    Inventors: Xing Li, Congxiao Bao, Renjie Liu, Zhe Weng, Deliang Chang
  • Patent number: 11546349
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: January 3, 2023
    Assignee: Oracle Systems Corporation
    Inventors: Leon Kuperman, Jose Hernandez
  • Patent number: 11537753
    Abstract: A method is disclosed for dynamic control, at file level, of an integrity of a set of files stored in a persistent memory of a computer. The method includes mounting an overlay file system of the Overlayfs type, with a “lower” directory containing the files which is marked as read-only, and with an “upper” directory containing any file resulting from a modification of the files of the “lower” directory by virtue of a copy-on-write mechanism. A denylist of files from the “lower” directory to be excluded from the integrity control is created and maintained. An integrity violation of a file is detected if a copy of said file is identified in the “upper” directory. The method also includes containerization, which natively implements file mounting by overlays of the Overlayfs type.
    Type: Grant
    Filed: March 23, 2021
    Date of Patent: December 27, 2022
    Assignee: BULL SAS
    Inventors: Luc Creti, Dominique Tronche, Jean-Michel Lenott
  • Patent number: 11528609
    Abstract: A computer-based method for real-time communication authorization includes receiving, from a first communication device, a communication request, verifying, with a verification engine, a pre-approval status of the communication request, storing the communication request in an approval queue if the communication authorization the pre-approval status is set to false, issuing an alert to the authorization device, and receiving one or more authorization parameters from an authorization device.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: December 13, 2022
    Inventor: Lynn Wardley
  • Patent number: 11522867
    Abstract: Techniques are described herein for performing authentication, and also “eager” or “lazy” fetch of data, for restricted webpages based on the restricted webpages being associated with an authentication tier in an AASD registry. Inclusion of a restricted webpage in the AASD registry enables AASD-based authentication for the webpage. According to embodiments, information for a restricted webpage included in the AASD registry includes one or more of the following for the webpage: an identifier, an authentication level, allowed fields, eager fetch fields, one or more sources for one or more fields, etc. When information for a webpage is included in the AASD registry, that information is used to perform eager fetch for one or more fields of the webpage that are not associated with authentication requirements indicated in the AASD registry information, or whose authentication requirements are already fulfilled by the requesting client.
    Type: Grant
    Filed: December 31, 2020
    Date of Patent: December 6, 2022
    Assignee: LendingClub Bank, National Association
    Inventors: Hyunsuk Han, Mahesh Acharya
  • Patent number: 11520918
    Abstract: Methods, systems, and computer programs are presented for protecting restricted actions on encryption keys that control the management of data stored by a service provider. In some implementations, a of the service provider receives a request to generate a data encryption policy (DEP) for data stored by the of the service provider for a customer, the request including a reference to a customer key and an availability key. The customer key and the availability key are root keys for encrypting a data encryption key. The data encryption key is used to encrypt the data stored by the service provider for the customer. Further, destructive changes to the availability key require receiving an approval from an account of the service provider. The of the service provider validates the DEP. The of the service provider stores the DEP based on the validation.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: December 6, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Anuj Dhawan, Brijesh Bhupendra Desai, Kameshwar Jayaraman, Ayla Kol, Amit A. Bapat, Qi Cao, Steven Jay Lieberman, Ganesh Pandey, Parul Manek
  • Patent number: 11509654
    Abstract: It is recognized herein that current messaging protocols for internet of things (IoT) architectures are often weak from a security perspective, and are often poorly suited for resource-constrained devices. An example IoT system described herein combines device authentication and application-layer key establishment using facilities of IoT messaging protocols. The IoT system may include a Trust Broker, which acts as a registration point for devices, and an edge gateway, which manages communication between a given device and the trust broker (and IoT servers). The edge gateway may acquire a trusted role, such that it may be a secure intermediary for device-server messaging, and such that it can facilitate authentication of devices to services.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: November 22, 2022
    Assignee: PCMS Holdings, Inc.
    Inventor: Andreas Schmidt
  • Patent number: 11507653
    Abstract: A management service can be used to manage enterprise applications. Management agents can be installed in each enterprise application, e.g., in each virtual machine of each enterprise application. The management agent can check each process created by its host virtual machine against a local whitelist. If the local whitelist indicates the process is safe, the process can be executed. Otherwise, an alert including a process description is sent to the management service. An alert analyzer of the management service can check information of the management service itself as well as third-party information to determine whether or not the process is safe. In the event the alert analyzer determines a process that was the subject of an alert is, in fact, safe, an indication that the process is safe is added to the local whitelist.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: November 22, 2022
    Assignee: VMware, Inc.
    Inventors: Vaibhav Rekhate, Nilesh Awate, Amit Vasant Patil, Vijay Ganti
  • Patent number: 11501018
    Abstract: A network-compatible device with a security function for destroying user data includes a signal input configured to receive a control signal and a configuration signal; a memory configured to store first user data; and a controller configured, upon receipt of the control signal, to carry out a safety function which destroys the first user data in the memory. The network-capable device is inoperable when the first user data is destroyed, and the controller is further configured, upon receipt of the configuration signal, which includes second user data, to store the second user data in the memory to enable the network-compatible device to operate based on the second user data.
    Type: Grant
    Filed: August 13, 2020
    Date of Patent: November 15, 2022
    Assignee: Phoenix Contact GmbH & Co. KG
    Inventors: Gerrit Boysen, Andreas Fuss, Ingo Hilgenkamp
  • Patent number: 11501025
    Abstract: A method for providing and maintaining secure storage of target data includes, during a first time period in which a server provides a first mapping between user-specific cloaking sequence elements and hidden sequence elements, cloaking the target data using a first set of user-specific cloaking sequences and the first mapping, and storing the cloaked data in a persistent memory. The method further includes, during a later, second time period in which the server provides a different, second mapping between the user-specific cloaking sequence elements and the hidden sequence elements, re-cloaking the cloaked data using the first set of user-specific cloaking sequences and the second mapping, and storing the re-cloaked data in the persistent memory.
    Type: Grant
    Filed: March 19, 2021
    Date of Patent: November 15, 2022
    Assignee: Charter Communications Operating, LLC
    Inventors: James Anderson Blackley, Jay Eric Carlson, Michael David Hanrahan, Bajeed Pattan, Christopher Scott Alcott
  • Patent number: 11501028
    Abstract: An audio device includes a sound emission section which outputs a sound, and a sound reception section to which a sound is inputted. The audio device outputs an acoustic wave into the earhole of the user and authenticates the user based on echo waves created by the earhole. The audio device, when an electronic device is connected thereto, outputs to the electronic device unique authentication information acquired according to an instruction received from the electronic device.
    Type: Grant
    Filed: September 8, 2020
    Date of Patent: November 15, 2022
    Assignee: CASIO COMPUTER CO., LTD.
    Inventor: Hiroshi Kurosawa
  • Patent number: 11503024
    Abstract: Provided herein are systems and methods for authenticating controller area network (CAN) transmissions using physical layer characteristics. In one or more examples, a device that is configured to authenticate CAN transmissions can be connected to an existing CAN. The device can be configured to undergo a training phase in which average transition waveforms of one or more electronic control units (ECUs) are created. When the device is in operation, each CAN transmission received by the device can be compared against the average transition waveforms to determine the ECU that is most likely to have sent the transmission. In one or more examples, the identified most likely ECU can be compared against the ECU identified by an arbitration ID of the transmission. If there is a mismatch, then in one or more examples the device can alert to the possibility of a suspicious ECU transmission.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: November 15, 2022
    Assignee: The MITRE Corporation
    Inventors: Joseph Chapman, Hristos N. Giannopoulos, Alexander Wyglinski
  • Patent number: 11501012
    Abstract: Methods and systems for sharing a network link of a file in network storage for collaboration among multiple computing devices using end-to-end encryption may involve generating a link key associated with the file stored remotely in the network storage, being accessible by a first device, and to be accessible by a second device, encrypting a session key associated with the file to generate an encrypted session key using the link key, the file being encrypted with the session key, generating a salt associated with the file, generating a verifier associated with the file using the link key, sending a message to a server computer with an identifier associated with the file, the salt, the verifier, and the encrypted session key, creating a first link to the file with a name associated with the first device, the identifier, and the link key, and transmitting the first link to the second device.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: November 15, 2022
    Assignee: SKIFF WORLD, INC.
    Inventors: Andrew Milich, Jason Ginsberg
  • Patent number: 11496482
    Abstract: Techniques are disclosed for tracing memory components in asset management systems. A computing device may receive an indication that a new device has been connected to a network. The computing device receives a first set of memory specifications from the new device and a second set of memory specifications from a SoV database. The computing device then generates a memory-asset data structure that stores a third set of memory specifications, each memory specification of the third set of memory specifications being a memory specification that is in both the first set of memory specifications and the second set of memory specifications. The computing device assigns, to memory specifications of the third set of memory specifications, a data privacy level that is based on a sensitivity of data stored in the component of the new device. The computing device may then transmit the memory-asset data structure.
    Type: Grant
    Filed: March 4, 2021
    Date of Patent: November 8, 2022
    Assignee: Oracle International Corporation
    Inventors: Pratibha Anjali Dohare, Jaime Ismael Rangel Martinez, Kessle Martin Hodgson
  • Patent number: 11496472
    Abstract: Embodiments include a system, method, and computer program product that enable secure access to cameras in smart buildings. Some embodiments control outbound video from an environment such as a local network through an intelligent on-event video pushing mechanism. The local intelligent on-event video pushing mechanism hides the IP address of a source video camera, transcodes the video to a reduced size for wide area distribution, and pushes video to a recipient upon an event trigger received within the local environment (e.g., the local network). Embodiments enable a remote video client on the far-side of the local network firewall to view the video streams of cameras on the near-side of the local network firewall when an event or trigger occurs.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: November 8, 2022
    Assignee: Mutualink, Inc.
    Inventors: Anand Setlur, Joseph R. Mazzarella, Michael S. Wengrovitz, Derrell Lipman
  • Patent number: 11489665
    Abstract: Systems, devices and methodologies for generating a vehicle identification hash value and verifying the integrity of the vehicle. The vehicle identification hash value is generated based on hashes provided by each vehicle component. The generated overall vehicle identification hash value may be dynamic and reflects changes that occur to the vehicle at the component level.
    Type: Grant
    Filed: October 19, 2020
    Date of Patent: November 1, 2022
    Inventors: Liang Kong, Payton White
  • Patent number: 11489832
    Abstract: A communication control apparatus includes a collection control unit, an analysis unit, and a coordination unit. The collection control unit collects communication performed with a device connected to a subordinate network, and controls communication performed by the device based on a first control condition. The analysis unit analyzes the communication collected by the collection control unit to extract device identification information indicating characteristics of the communication performed by the device. The analysis unit specifies a device name of the device and the first control condition corresponding to a normal communication range extracted from the device identification information, based on the device identification information.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: November 1, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Iifan Tyou, Masaki Tanikawa, Yukio Nagafuchi, Shingo Kashima, Tetsuhiko Murata, Kenji Ota, Takuya Saeki, Tsuyoshi Kondo, Koki Nomura, Akio Mukaiyama, Hiroki Nagayama
  • Patent number: 11475171
    Abstract: Techniques are provided for authentication using pairwise secrets constructed from partial secrets. One method comprises obtaining, by a first entity of a communication between the first entity and a second entity, partial secrets associated with the first and second entities; generating a constructed secret for the communication by applying a cryptographic function to the partial secrets associated with the first and second entities; and authenticating the communication using the constructed secret. A control entity may assign a substantially unique partial secret to each of multiple first and second entities and distribute at least a subset of the assigned partial secrets to at least some of the first and second entities. A communication between given first and second entities can be authenticated using a pairwise constructed secret for the given communication generated by applying the cryptographic function to the partial secrets associated with the first and second entities.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: October 18, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Shoham Levy, Yoav Nir