Patents Examined by William B Jones
  • Patent number: 11310078
    Abstract: Techniques for sending encrypted data include establishing a plurality of different links between a first node and a different second node. The different links are different physical layer links or different virtual private network (VPN) links or some combination. The method also includes encrypting plaintext using a first value for an encryption parameter to produce ciphertext. Further, the method includes sending a first plurality of messages that indicate the ciphertext using at least one link of the plurality of different links. Still further, the method includes sending a different second plurality of messages that indicate the first value for the encryption parameter using at least one different link of the plurality of different links without introducing a random bit error.
    Type: Grant
    Filed: January 10, 2019
    Date of Patent: April 19, 2022
    Inventors: Randall Paul Joseph Ethier, Anatoly Y. Rodionov, Jordan Steven Feldman
  • Patent number: 11303437
    Abstract: The technology disclosed herein provides a proof-of-work key wrapping system that uses key thresholding to cryptographically control data access. An example method may include: accessing a plurality of cryptographic key shares, wherein two or more of the plurality of cryptographic key shares enable access to content; selecting, by a processing device, a set of cryptographic attributes in view of a characteristic of a computing device; encrypting the plurality of cryptographic key shares to produce a plurality of wrapped key shares, wherein at least one of the plurality of cryptographic key shares is encrypted in view of the set of cryptographic attributes; and providing a wrapped key share of the plurality of wrapped key shares and at least one of the cryptographic attributes to the computing device, wherein the at least one cryptographic attribute facilitates deriving an access key from the plurality of wrapped key shares.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: April 12, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel Philip McCallum, Peter M. Jones
  • Patent number: 11290264
    Abstract: An oblivious distributed file system is provided using an oblivious random access machine (ORAM), including an ORAM balanced tree structure, where each node in the tree is configured to store data blocks, the structure including at least two shares. The system also includes at least two ORAM servers, each of the servers configured to communicate with a client ORAM device, and programmed to facilitate storage of a different subset of the shares of the tree structure using a distributed file system and to implement an access procedure of a tree-based ORAM using the tree structure, including a retrieval phase and an eviction phase. In the retrieval phase, the servers utilize an authenticated Private Information Retrieval (PIR) protocol to retrieve data blocks as requested from the client ORAM device. In the eviction phase, the servers utilize a linear secret sharing scheme.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: March 29, 2022
    Assignee: Robert Bosch GmbH
    Inventors: Thang Hoang, Jorge Guajardo Merchan
  • Patent number: 11283620
    Abstract: An approach is provided for a homomorphic cryptosystem for use in resource-constrained environments (e.g., vehicle-based use cases) or when computer resources are to be conserved. The approach involves, for example, generating a nonce at a first device (e.g., vehicle engine control unit (ECU)). The approach also involves performing a homomorphic operation on the nonce and a ciphertext to generate a resulting cipher. The ciphertext is provided by a second device (e.g., a data server). The approach further involves attaching the resulting cipher to a request payload (e.g., to request secure data from the data server). The approach further involves transmitting the request payload including the nonce to the second device (e.g., the server).
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: March 22, 2022
    Assignee: HERE Global B.V.
    Inventor: Ali Abbas
  • Patent number: 11277739
    Abstract: This disclosure generally relates to methods, systems, and devices for enhanced physical (PHY) layer security. A device may determine a physical layer (PHY) frame to be sent to a station device. The device may identify an encryption seed sequence to be used for encrypting a first portion of the PHY frame. The device may include an indication of the encryption seed sequence in a first field of one or more fields of the PHY frame. The device may encode the first portion of the PHY frame using the encryption seed sequence. The device may cause to send the PHY frame to the station device.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: March 15, 2022
    Assignee: Intel Corporation
    Inventors: Alexander Min, Thomas J. Kenney
  • Patent number: 11250435
    Abstract: Devices, systems, and methods of contextual mapping of web-page elements and other User Interface elements, for the purpose of differentiating between fraudulent transactions and legitimate transactions, or for the purpose of distinguishing between a fraudulent user and a legitimate user. User Interface elements of a website or webpage or application or other computerized service, are contextually analyzed. A first User Interface element is assigned a low fraud-relatedness score-value, since user engagement with the first User Interface element does not create a security risk or a monetary exposure. A second, different, User Interface element is assigned a high fraud-relatedness score-value, since user engagement with the second User Interface element creates a security risk or a monetary exposure.
    Type: Grant
    Filed: March 18, 2020
    Date of Patent: February 15, 2022
    Assignee: BIOCATCH LTD.
    Inventors: Avi Turgeman, Oren Kedem
  • Patent number: 11250131
    Abstract: Methods, apparatuses, and storage media storing instructions for scanning electronically-stored files are provided. A file stored in a computer-readable storage medium is scanned. Based on the scanning, a common analysis is performed on the file for two or more software functions. Based on the scanning, a software function-specific analysis is performed on the file for a respective software function. Two or more decisions on the file are made for the two or more software functions based on the common analysis and the software function-specific analysis.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 15, 2022
    Assignee: Beijing DiDi Infinity Technology and Development Co., Ltd.
    Inventors: Liwei Ren, Jing Chen
  • Patent number: 11239996
    Abstract: Various embodiments are provided for performing weighted partial matching under homomorphic encryption in a computing environment. Selected data may be encoded and encrypted into an encrypted query for comparison using private set intersection (PSI) under homomorphic encryption (HE). An encrypted score may be determined according to data blocks of the selected data and a set of weights for each of the data blocks of the selected data to identify matches between the data and the encrypted query. The encrypted score may be decrypted and decoded to identify matches between the encrypted query with the selected data.
    Type: Grant
    Filed: December 18, 2019
    Date of Patent: February 1, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Oliver Paul Masters, Hamish C Hunt, Flavio A Bergamaschi, Enrico Steffinlongo
  • Patent number: 11233659
    Abstract: The present invention relates to a method of generating a secure RSA key by a server comprising the steps of: • generating (S1) a private RSA key d and a RSA modulus integer N; • splitting (S2) the secret key integer d in j key shares dJ of length n, with j in [1, J], J being an integer, and such that d=d1+d2+ . . . +dJ mod phi(N), with each key share dj being equal to (dj(0) . . . dj(i) . . . dj(n/b-1)) with each key share component dj(i) in {0 . . . 2^b-1} and i in [0, n/b-1], b being an integer inferior to n and phi the Euler's totient function; • encrypting (S3) with a fully homomorphic encryption (FHE) algorithm each key share component dj(i) of the private RSA key d by using a Fully Homomorphic Encryption secret key ps of a set Ss comprising the index couple (i,j), to generate an encrypted key share component edj(i) of said secure RSA key, said set Ss being a set of integer couples, among a predetermined integer number u of disjoint sets {S1, S2 Ss, Ss+1, . . .
    Type: Grant
    Filed: December 6, 2017
    Date of Patent: January 25, 2022
    Assignee: GEMALTO SA
    Inventors: Mariya Georgieva, Aline Gouget
  • Patent number: 11228907
    Abstract: A network usage control method comprises receiving (S2, S5) a handset identifier (e.g. an IMEI number) of a requesting terminal device (2) seeking to use a mobile network (4); retrieving verification information (S7) for verifying an identity of an authorised terminal device associated with the handset identifier; verifying (S9), based on the verification information, whether the requesting terminal device (2) is the authorised terminal device; and controlling (S10, S11) usage of the mobile network by the requesting terminal device in dependence on whether the requesting terminal device is verified as the authorised terminal device. Cryptographic keys can be used to bind the handset identifier to a particular handset and verify that a device presenting a given handset identifier is actually the authorised handset for that handset identifier. This prevents thieves being able to circumvent blacklisted handset identifier of a stolen handset by cloning a valid handset identifier from another device.
    Type: Grant
    Filed: November 2, 2017
    Date of Patent: January 18, 2022
    Assignee: TRUSTONIC LIMITED
    Inventor: Chris Loreskar
  • Patent number: 11222128
    Abstract: A method for managing collected transportation vehicle data relating to a transportation vehicle in a database. The transportation vehicle data are stored in the database together with information relating to a permissible use of the transportation vehicle data. The database allows access to the transportation vehicle data only according to the information relating to the permissible use. The method includes receiving information relating to a desired use of the transportation vehicle data and updating the information relating to the permissible use of the transportation vehicle data according to the information relating to the desired use of the transportation vehicle data.
    Type: Grant
    Filed: February 13, 2017
    Date of Patent: January 11, 2022
    Inventor: Axel Köhnke
  • Patent number: 11216539
    Abstract: Techniques for brokering authorization between a user-facing service and a backend service are disclosed. A proxy service, operating independently of the user-facing service and the backend service, exposes an application programming interface (API) configured to receive requests from the user-facing services to perform functions of the plurality of backend services. The proxy service stores user authorization data that authorizes a user of a particular user-facing service to use a function of a backend service. The proxy service receives, via the API, a request to perform the function for an account associated with the user. Responsive to receiving the request, the proxy service uses the user authorization data to access the backend service to perform the function for the account associated with the user.
    Type: Grant
    Filed: April 11, 2019
    Date of Patent: January 4, 2022
    Assignee: Oracle International Corporation
    Inventors: Tuck Chang, Srikant Krishnapuram Tirumalai, Zhengming Zhang
  • Patent number: 11216571
    Abstract: Examples associated with credentialed encryption are described. One example method includes receiving an encryption request from a local process via a secure channel. The encryption request includes a credential associated with the local process. Whether the local process is authorized to access an encryption function is verified using the credential. The encryption function specified in the encryption request is performed using a security key unique to a system performing the method. A result of the encryption function is provided to the local process.
    Type: Grant
    Filed: February 13, 2017
    Date of Patent: January 4, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Daryl T Poe, Christoph Graham
  • Patent number: 11218449
    Abstract: The present invention relates to methods, systems and apparatus for providing efficient packet flow fillrate adjustments and providing protection against distributed denial of service attacks. One exemplary embodiment in accordance with the invention is a method of operating a communication system including the steps of receiving, at a session border controller, a first SIP invite request message; making a decision, at the session border controller, as to whether the first SIP invite request originated from an Integrated Access Device or an IP-PBX device; generating, at the SBC, a packet flow fillrate based on said decision as to whether the SIP invite request originated at an Integrated Access Device or an Internet Protocol-Private Branch Exchange (IP-PBX) device.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: January 4, 2022
    Assignee: Ribbon Communications Operating Company, Inc.
    Inventors: Tolga Asveren, Amol Sudhir Gogate, Subhransu S. Nayak
  • Patent number: 11206135
    Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
    Type: Grant
    Filed: November 11, 2019
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventors: Michael W. Gray, Narayana Aditya Madineni, Matthew Green, Simon D. McMahon, Leigh S. McLean, Stephen J. McKenzie, Luvita Burgess, Peter T. Waltenberg
  • Patent number: 11205005
    Abstract: A computer-implemented method for detecting vulnerabilities in microarchitectures. A non-limiting example of the computer-implemented method includes creating a simulation for execution on a model of a microarchitecture, the simulation including a set of instructions and a placeholder for holding a piece of secret data. The computer-implemented method executes the simulation a first time on the model of the microarchitecture with a first piece of secret data stored in the placeholder and stores a first output of the first executed simulation. The computer-implemented method executes the simulation a second time on the model of the microarchitecture with a second piece of secret data stored in the placeholder and stores a second output of the second executed simulation. The computer-implemented method compares the first output with the second output and provides an indication of a microarchitecture vulnerability when there is a difference between the first output and the second output.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: December 21, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Matthew Michael Garcia Pardini, Gregory William Alexander, Jonathan Ting Hsieh, Michael P Mullen, Olaf Knute Hendrickson
  • Patent number: 11200066
    Abstract: A portable device having a key is interfaced to a host computing device. The host computing device detects the key on the portable device and authenticates a user for using the key. A boot is forced of the host computing device and during the boot a customized image of an Operating System (OS) for the host computing device is loaded into volatile memory of the host computing device and customized security settings are applied to the OS based on a value of the key.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: December 14, 2021
    Assignee: NCR Corporation
    Inventors: Sergio Silva, Mustafa Abdulelah, Nicholas Caine, John Tatum Dyal, Andrew Klenzak, Brian Patrick Rogers, Jeremy Cyle Taylor, Andrew John Wurfel
  • Patent number: 11201725
    Abstract: Secure cryptography operations on a white-box cryptography device. Receiving a first message. Receiving a cryptographic key encrypted using a homomorphic encryption scheme. Performing a cryptographic operation, e.g., decryption or digital signature, using the encrypted cryptographic key. Performing a homomorphically encrypted tracer calculation that traces the performance of the cryptography operations on the white-box cryptography device thereby allowing verification that all steps of the cryptography operation have been performed without external manipulation. Performing a key-exchange operation. Decrypting the key-exchange output using an alternate cryptographic key stored on the cryptographic device.
    Type: Grant
    Filed: November 30, 2018
    Date of Patent: December 14, 2021
    Assignee: THALES DIS FRANCE SA
    Inventors: Mariya Georgieva, Aline Gouget
  • Patent number: 11200316
    Abstract: An information handling system improves detection of steganography data embedded in a portable network graphics file by parsing the portable network graphics file to determine a location of a portable network graphics signature in the portable network graphics file, and determining whether there is data embedded in the portable network graphics file before the portable network graphics signature. The embedded data may then be removed from the portable network graphics file.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: December 14, 2021
    Assignee: Dell Products L.P.
    Inventors: Yevgeni Gehtman, Maxim Futerman
  • Patent number: 11197050
    Abstract: Methods and apparatus for monitoring and controlling access to coexisting first and second networks, such as within a venue. In one embodiment, the first network is a managed network that includes wireless access points (APs) in data communication with a backend controller, which communicates with a client process on a user device. The client process uses indigenous radio technology of the user device to scan for coexisting networks, and report results to the controller. In one variant, the controller dynamically adjusts transmit characteristics of the AP(s) to manage interference between the coexisting networks. In another variant, the controller causes the energy detect threshold of the user device to be lowered so that it may detect WLAN signals when a coexisting RAT (for example, LTE-U or LTE-LAA) occupies the same channel and/or frequency. In another variant, the client process autonomously adjusts user device operation based on the scan.
    Type: Grant
    Filed: July 29, 2019
    Date of Patent: December 7, 2021
    Assignee: Charter Communications Operating, LLC
    Inventors: Don Gunasekara, Venkata Ramana Divvi, Ahmed Bencheikh