Patents Examined by Yonas A Bayou
  • Patent number: 11595203
    Abstract: Systems and methods for encrypted content management are provided and include generating a user private key, a user public key, and a symmetric encryption key. A group private key, a group public key, and a group symmetric encryption key are generated and the group private key is encrypted with the group symmetric encryption key. A first shared-secret key is generated based on the user public key and the group private key using a Diffie-Hellman exchange algorithm. The group symmetric encryption key is encrypted using the first shared-secret key to generate an escrow key. Plaintext data is encrypted using a content symmetric key. A second shared-secret key is generated based on an ephemeral private key and the group public key using a Diffie-Hellman exchange algorithm. The content symmetric key is encrypted using the second shared-secret key.
    Type: Grant
    Filed: March 25, 2022
    Date of Patent: February 28, 2023
    Assignee: Axiom Technologies LLC
    Inventors: Maxwell Doherty, Jonathan Graham
  • Patent number: 11595205
    Abstract: A distributed database encrypts a table using a table encryption key protected by a client master encryption key. The encrypted table is replicated among a plurality of nodes of the distributed database. The table encryption key is replicated among the plurality of nodes, and is stored on each node in a respective secure memory. In the event of node failure, a copy of the stored key held by another member of the replication group is used to restore a node to operation. The replication group may continue operation in the event of a revocation of authorization to access the client master encryption key.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Sroaj Sosothikul, Akshat Vig, Avinash Kodakandla, Nicholas Gordon, Sharan Rajesh Munyal, Somasundaram Perianayagam, Mazen Moez Ali, Ravi Math
  • Patent number: 11568596
    Abstract: Techniques are disclosed relating to a non-blocking token authentication cache. In various embodiments, a server computer system receives a request for service from a client device, with the request including an authentication token issued by an authentication service. The server computer system accesses a cache of previously received validation responses from the authentication service to determine whether one of the validation responses indicates that the authentication token has already been validated by the authentication service. In response to determining that the cache includes a validation response indicating that the authentication token has already been validated by the authentication service, the server computer system first provides a response to the request for service to the client device, and then contacts the authentication service to determine whether the authentication token is still valid.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: January 31, 2023
    Assignee: salesforce.com, inc.
    Inventor: Noshirwan Dadabhoy Patel
  • Patent number: 11558358
    Abstract: Secure analytics using homomorphic and injective format-preserving encryption are disclosed herein. An example method includes encoding an analytic parameter set using a homomorphic encryption scheme as a set of homomorphic analytic vectors; transmitting the set of homomorphic analytic vectors to a server system; and receiving a homomorphic encrypted result from the server system, the server system having utilized the homomorphic encryption scheme and a first injective, format-preserving encryption scheme to evaluate the set of homomorphic analytic vectors over a datasource.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: January 17, 2023
    Assignee: Enveil, Inc.
    Inventor: Ellison Anne Williams
  • Patent number: 11544386
    Abstract: Systems and methods are provided for monitoring information-security coverage to identify a vulnerability or risk in the information-security coverage. An information-security system can include computing systems, databases, a security server, etc. that can communicate data via a network. The server can be used to obtain data indicating a process for managing or monitoring information-security in the system and data indicating activity on the network, computing systems, server, or databases. The server then determines a metric based on the obtained data and the metric can indicate a risk or vulnerability in information-security coverage in the system. The server can then aggregate the data and transmit the aggregated data to a computing device. The computing device can generate an interface for outputting data for monitoring information-security coverage or identifying a vulnerability or risk in information-security coverage, which can improve the security of the information-security system.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: January 3, 2023
    Assignee: Truist Bank
    Inventors: Stuart Sloan, Aleksey Vladimirovich Rogozhin, Glenn Bernstein, Jesse Daniel Bikman
  • Patent number: 11546347
    Abstract: There is provided a verification apparatus including: an acquisition unit configured to acquire each of control data that causes artificial intelligence to function in an apparatus and learning data of the control data; and a verification unit configured to verify the acquired control data on the basis of the control data obtained as a result of performing learning with use of the acquired learning data, and on the basis of the acquired control data.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: January 3, 2023
    Assignee: Sony Corporation
    Inventor: Hiroaki Kitano
  • Patent number: 11546152
    Abstract: A display device connected to a signal source outputting a video signal using an encryption protocol and that transmits the encryption key to the signal source includes: a transmission unit that transmits an own encryption key uniquely set for the display device and an encryption key transmitted from another display device connected to the display device as a lower device to the signal source and another display device connected as an upper device; and a stop instruction unit that instructs another display device corresponding to a predetermined encryption key included in an encryption key group based on the order of the own encryption keys included in the encryption key group to stop transmitting the encryption key received when the own encryption key is included in the encryption key group including a plurality of encryption keys transmitted from another display device connected as the lower device.
    Type: Grant
    Filed: March 15, 2018
    Date of Patent: January 3, 2023
    Assignee: SHARP NEC DISPLAY SOLUTIONS, LTD.
    Inventor: Kazuyuki Koyanagi
  • Patent number: 11546761
    Abstract: Various systems and methods for implementing observe-notify callback context automation in a connected device framework are described herein. In an example, the techniques for context automation may include: expansion of RESTful permissions to include an OBSERVE command (e.g., as part of a CRUDON (Create, Retrieve, Update, Delete, Observe, Notify) command definition); configuration of a callback resource to implement the OBSERVE command; access control policies to implement the OBSERVE command; and OBSERVE registration events to be monitored within an access management service.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: January 3, 2023
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Nathan Heldt-Sheller
  • Patent number: 11539679
    Abstract: A system and method are disclosed for providing a quantum proof key exchange. The method includes generating at a first computing device a random bit ai, encrypting ai using quantum-proof homomorphic encryption ? to yield ?A(ai), transmitting ?A(ai) to a second computing device, generating at the second computing device a random bit bi, encrypting bi using the quantum-proof homomorphic encryption ? to yield ?B(bi), transmitting ?B(bi) to the first computing device and generating a common key between the first computing device and the second computing device based on ?A(ai) and ?B(bi).
    Type: Grant
    Filed: February 4, 2022
    Date of Patent: December 27, 2022
    Assignee: TripleBlind, Inc.
    Inventors: Babak Poorebrahim Gilkalaye, Mitchell Roberts, Greg Storm, Riddhiman Das
  • Patent number: 11533337
    Abstract: Disclosed embodiments are a computing system and a computer-implemented method related to minimizing the number of rules/policies needed to be stored to enforce those rules/policies. The minimizing comprising generating adjacency data structures mapping as adjacent pairs of network nodes, which are allowed to communicate with one another according to the plurality of rules, and applying them for pruning the rule dataset. This allows an original set of rules/policies to be reduced into a smaller set, which conserves computational resources.
    Type: Grant
    Filed: May 5, 2020
    Date of Patent: December 20, 2022
    Assignee: salesforce.com, inc.
    Inventors: Gianstefano Monni, Alvaro Caso
  • Patent number: 11533301
    Abstract: For an encryption management module of a host that executes one or more data compute nodes (DCNs), some embodiments of the invention provide a method of providing key management and encryption services. The method initially receives an encryption key ticket at an encryption management module to be used to retrieve an encryption key identified by the ticket from a key manager. When the encryption key has been retrieved, the method uses the encryption key to encrypt a message sent by a data compute node executing on the host requiring encryption according to an encryption rule. The encryption key ticket, in some embodiments, is generated for an encryption management module to implement the principle of least privilege. The ticket acts as a security token in retrieving encryption keys from a key manager. Ticket distribution and encryption rule distribution are independent of each other in some embodiments.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: December 20, 2022
    Assignee: NICIRA, INC.
    Inventors: Sonia Jahid, Ganesan Chandrashekhar, Bin Qian, Azeem Feroz
  • Patent number: 11516236
    Abstract: The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli. The security agent may apply one or more techniques to decode and parse the string to either identify or extract the keys, or rule out the string as containing an encryption key or modulus. If a key is identified, or its presence cannot be excluded, then the security agent may generate an alert and take mitigation actions.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: November 29, 2022
    Assignee: CARBONITE, INC.
    Inventor: Daniel Vernon Bailey
  • Patent number: 11509471
    Abstract: Techniques for determining whether a public encryption key is vulnerable as the result of deficiencies in pseudorandom number generation algorithms are provided. In some embodiments, a system may compile a database of cryptographic information received from a plurality of sources, including databases, and network traffic monitoring tools. RSA public keys extracted from the cryptographic information may be stored in an organized database in association with corresponding metadata. The system may construct a product tree from all unique collected RSA keys, and may then construct a remainder tree from the product tree, wherein each output remainder may be determined to be a greatest common divisor of one of the RSA keys against all other unique RSA keys in the database. The system may then use the greatest common divisors to factor one or more of the RSA keys and to determine that the factored keys are vulnerable to being compromised.
    Type: Grant
    Filed: November 25, 2020
    Date of Patent: November 22, 2022
    Assignee: NOBLIS, INC.
    Inventor: Samuel S. Gross
  • Patent number: 11509473
    Abstract: At least one computer processor configured with a single prime field accelerator having software-based instructions operably configured to compute both isogeny-based cryptography equations and elliptic curve cryptography equations using a plurality of shared computations resident on a shared memory storage and that include finite field arithmetic and elliptic curve group arithmetic sequentially computed with an architecture controller.
    Type: Grant
    Filed: July 20, 2020
    Date of Patent: November 22, 2022
    Assignee: PQSecure Technologies, LLC
    Inventors: Brian C. Koziel, Rami El-Khatib
  • Patent number: 11507657
    Abstract: Systems and methods are provided for implementing a machine learning approach to modeling entity behavior. Fixed information and periodically updated information may be utilized to predict the behavior of an entity. By incorporating periodically updated information, the system is able to maintain an up-to-date prediction of each entity's behavior, while also accounting for entity action with respect to ongoing obligations. The system may generate behavior scores for the set of entities. In some embodiments, the behavior scores that are generated may indicate the transactional risk associated with each entity. Using the behavior scores generated, a user may be able to assess the credit riskiness of individual entities and instruct one or more individuals assigned to the entities to take one or more actions based on the credit riskiness of the individual entities.
    Type: Grant
    Filed: August 24, 2020
    Date of Patent: November 22, 2022
    Assignee: Palantir Technologies Inc.
    Inventors: Paul Gribelyuk, Han Xu, Kelvin Lau, Pierre Cholet
  • Patent number: 11503003
    Abstract: A method including receiving, at a processor, a first assigned public key from a first device included in a mesh network and an external assigned public key from an external device not included in the mesh network; determining, by the processor, that the external device is to be included in the mesh network based at least in part on determining an association between the first device and the external device; and transmitting, by the processor based at least in part on determining that the external device is to be included in the mesh network, the first assigned public key to the external device and the external assigned public key to the first device to enable the first device and the external device to set up a meshnet connection. Various other aspects are contemplated.
    Type: Grant
    Filed: December 21, 2021
    Date of Patent: November 15, 2022
    Assignee: UAB 360 IT
    Inventors: Mantas Jonytis, Rytis Karpuška
  • Patent number: 11503030
    Abstract: A service processor is provided that includes a processor, a memory coupled to the processor and having instructions for executing an operating system kernel having an integrity management subsystem, secure boot firmware, and a tamper-resistant secure trusted dedicated microprocessor. The secure boot firmware performs a secure boot operation to boot the operating system kernel of the service processor. The secure boot firmware records first measurements of code executed by the secure boot firmware when performing the boot operation, in one or more registers of the tamper-resistant secure trusted dedicated microprocessor. The operating system kernel enables the integrity management subsystem. The integrity management subsystem records second measurements of software executed by the operating system kernel, in the one or more registers of the tamper-resistant secure trusted dedicated microprocessor.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: November 15, 2022
    Assignee: International Business Machines Corporation
    Inventors: Patrick J. Callaghan, Kenneth A. Goldman, Guerney D. H. Hunt, Elaine R. Palmer, Dimitrios Pendarakis, David R. Safford, Brian D. Valentine, George C. Wilson, Miriam Zohar
  • Patent number: 11500968
    Abstract: According to an example embodiment of the invention, there is provided a system for providing access to access restricted content to a user, the system including a communication arrangement operable to receive a content request message, the content request message including a content identifier, a processor configured to cause a first determination to be performed to yield a positive or a negative result, a validation module configured to, in response to the first determination yielding a positive result, obtain a first digital rights management key, the processor being further configured to cause a second determination to be performed to yield a positive or a negative result, and responsive to the first and second determinations yielding a positive result, the validation module is configured to cause access to the access restricted content to be provided to the user.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: November 15, 2022
    Inventors: Lauri Valjakka, Jukka-Pekka Jussila, Jari Tapio
  • Patent number: 11496475
    Abstract: The present disclosure relates to traffic monitoring through one or more access control servers configured for (i) routing server resource request messages to resource server(s), (ii) extracting information identifying a target server resource from data packets corresponding to one or more received server resource request messages, and (iii) selectively transmitting the received server resource request message to a resource server. The security server(s) is configured to receive a server resource request message data extracted from a server resource request message and initiate a first security response, wherein the initiated first security response is dependent on analysis of the server resource request message data.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: November 8, 2022
    Assignee: Ping Identity Corporation
    Inventors: Bernard Harguindeguy, Udayakumar Subbarayan, Isidore Rosenblum, Abduraheem Poonthiruthi, Anoop Krishnan Gopalakrishnan, Ashwani Kumar
  • Patent number: 11494351
    Abstract: A data storage system configured to deduplicate and store sets of data is presented. The system comprises a computer readable storage device configured to store a plurality of sets of data for a plurality of hosts, wherein each set of data of the plurality of sets of data corresponding to each host of the plurality of hosts is encrypted with one or more different encryption keys, and wherein at least one of the plurality of sets of data contains deduplicated data. The system also comprises a key translator configured to create at least one translation key based, at least in part, on the one or more different encryption keys and the deduplicated data, and wherein the at least one translation key is configured to translate from a first encryption key to a second encryption key of the one or more different encryption keys.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: November 8, 2022
    Assignee: International Business Machines Corporation
    Inventors: Lee Jason Sanders, Gareth Paul Jones, Ben Sasson, Gordon Douglas Hutchison