Patents Examined by Yonas Bayou
  • Patent number: 11706221
    Abstract: A shared memory system for providing unidirectional communication across a security threshold defined by producer and consumer of a message at different security levels. A unidirectional shared memory element is accessible for read and write access by the message producer (sender), and the consumer (receiver) has only read access. Transmission logic ensures atomic receipt of the message if it is received, as the receiver cannot issue an acknowledgement to the sender as in conventional electronic interfaces. An arrangement of indices and counters allows asynchronous operation by the sender and receiver, as messages may queue up in the shared memory if the producer exceeds the consumer. In the event of a failure, anomaly, or resource overrun, it is known that messages that were received were received in entirety; in other words, atomicity is preserved.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: July 18, 2023
    Assignee: Two Six Labs, LLC
    Inventor: Michael Spiegel
  • Patent number: 11693974
    Abstract: Systems and techniques are provided for trust agents. Trust agents may be enabled. A state determination may be received from each of the enabled trust agents. The state determination may indicate either a trusted state or an untrusted state. The received state determinations may be combined to determine a security state. A security measure may be enabled or disabled based on the determined security state.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: July 4, 2023
    Assignee: Google LLC
    Inventors: James Brooks Miller, Michael Andrew Cleron
  • Patent number: 11695743
    Abstract: A computer implemented method for managing a connection between a device and a server resource, the method comprising: establishing the connection between the device and a first server of the server resource; registering a connection identifier relating to the connection between the device and the first server in a first database entry of a database arrangement; pre-computing, at the first server, an encrypted alert for the device, the alert being provided with a pre-defined future communication sequence number; and transmitting the alert from the first server to the database arrangement for storage in association with the first database entry of the database arrangement.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: July 4, 2023
    Assignee: Izuma Tech, Inc.
    Inventors: Hanno Becker, Hannes Tschofenig
  • Patent number: 11689520
    Abstract: Authorizing access to a web domain involves a server device receiving, from a browser of a computing device, a request to access a web domain. The server device sends a web page to the browser of the computing device. The web page includes a redirect script that redirects the browser to a particular companion domain of the web domain, wherein the particular companion domain comprises a domain name system (DNS) zone file comprising an ALIAS record for the particular companion domain. The server device sends to the browser an authentication challenge for access to the web domain. The server device receives a Kerberos service ticket from the browser of the computing device. The server device provides the browser with access to the web page.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: June 27, 2023
    Inventors: Brian Kenneth Zuzga, Ka Wing Kevin Arion Loo, Hu Zhou
  • Patent number: 11665052
    Abstract: Disclosed are various examples for gateway onboarding for IoT device management. In one embodiment, management service data is received. The management service data includes an enterprise identifier, and a management service address that specifies a network endpoint of the management service. A gateway is registered in association with the management service data based on receiving a registration request comprising: a gateway identifier, and the enterprise identifier. An activation request with the gateway identifier is received from the gateway, and the management service data is provided to the gateway.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: May 30, 2023
    Assignee: VMWARE, INC.
    Inventors: Ravishankar Chamarajnager, Niranjan Maka, Glen McCready, Greg Bollella, Vasudev Yendapally
  • Patent number: 11658949
    Abstract: Improvements to publish-subscribe protocols are provided, including a method for communicating data in a network comprising publisher devices, a broker and subscriber devices, comprising one of the publisher devices: i-a. receiving a public key from the broker; i-b. determining, based on one or more attributes of data to be published to the broker, whether a sensitivity level of the data is low; and ii. following completion of both of steps i-a and i-b, publishing the data to the broker, wherein: when step i-b results in a determination that the sensitivity level of the data is low, step ii comprises transmitting the data to the broker unencrypted; and when step i-b results in a determination that the sensitivity level of the data is not low, step ii comprises encrypting the data then transmitting resulting encrypted data to the broker, wherein the step of encrypting the data uses the public key.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: May 23, 2023
    Assignee: BRITISH TELECOMMUNICATIONS public limited company
    Inventors: Daniel Bastos, Fadi El-Moussa
  • Patent number: 11658950
    Abstract: Embodiments relate to systems for the distribution of payload in a secure manner. A server may receive a query from a device that includes a subscriber identifier. The server may determine, from confidential information stored, an association between the subscriber identifier and a public key of the device. The server may retrieve the public key of the device. The server may generate a data payload as a response to the query. The server may encrypt the data payload by a symmetric key that is generated randomly. The server may encrypt the symmetric key by the public key of the device. The server may transmit the data payload and the symmetric key that are encrypted to the device for the device to use a private key corresponding to the public key to decrypt the symmetric key and use the symmetric key to decrypt the data payload.
    Type: Grant
    Filed: November 3, 2020
    Date of Patent: May 23, 2023
    Assignee: ValiMail Inc.
    Inventor: Ashley Duane Wilson
  • Patent number: 11658957
    Abstract: Methods and apparatuses are provided for access limitations to a network in a session using a formatted web token. The method includes: formatting a web token by a schema to create a formatted web token for user access to the network; receiving a log-in request for the user access to the network server via an app hosted by a computing device remotely located to the network server; in response to receipt of a user access request, creating the session by the network server with network limitations for user access to data and resources of the network; passing the formatted web token to a client for enabling user access to the data and resources of the network; decoding payload data of the formatted web token at the client to authenticate the user access; and enabling the client with access limitations based on decoded payload data.
    Type: Grant
    Filed: October 23, 2020
    Date of Patent: May 23, 2023
    Assignee: salesforce.com, inc.
    Inventor: Prabhjot Singh
  • Patent number: 11652630
    Abstract: A method including determining an assigned key pair associated with a device, the assigned key pair including an assigned public key and an associated assigned private key; determining an access key pair associated with content to be encrypted, the access key pair including an access public key and an associated access private key; encrypting the access private key using a combination encryption key determined based at least in part on the access private key and the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting the content utilizing the randomly generated key. Various other aspects are contemplated.
    Type: Grant
    Filed: October 2, 2021
    Date of Patent: May 16, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11652627
    Abstract: A system for distributed key storage, comprising a requesting device communicatively connected to a plurality of distributed storage nodes, the requesting device designed and configured to receive at least a confidential datum, select at least a distributed storage node of a plurality of distributed storage nodes, whereby selecting further comprises receiving a storage node authorization token from the at least a distributed storage node, querying an instance of a distributed authentication listing containing authentication information using at least a datum of the storage node authorization token, retrieving an authentication determination from the instance of the authentication listing, and selecting the at least a distributed storage node as a function of the authentication determination, generate at least a retrieval authentication datum, and transmit the at least a confidential datum and the at least a retrieval verification datum to the at least a distributed storage node.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: May 16, 2023
    Assignee: Ares Technologies, Inc.
    Inventor: Christian Wentz
  • Patent number: 11646903
    Abstract: Systems and methods for generating shell-wrapped self-executing programs for conducting cryptographically secure blockchain actions on public, non-permissioned blockchain networks that are cryptographically secure. For example, the shell-wrapped self-executing program may comprise a shell program and the self-executing program. The shell program may contain and output one or more validation characteristics about the self-executing program and coupled data input systems (e.g., oracles) in response to a query about accessing the self-executing program. As such, any entity (e.g., a legacy computing system and/or another self-executing program) that requests to access the self-executing program may first receive information about the validation (if any) of the self-executing program.
    Type: Grant
    Filed: December 7, 2022
    Date of Patent: May 9, 2023
    Assignee: Citibank, N.A.
    Inventor: Jonathan Miles Collin Rosenoer
  • Patent number: 11645417
    Abstract: This disclosure relates to personal information management. Various embodiments disclosed herein relate to a personal information management device, a personal information management system, a personal information management method, and a computer-readable non-transitory medium that records the personal information. In an example, a personal information management method based on a blockchain or by using a smart contract based on a blockchain is provided. In another example, a portable electronic device and a system operating to manage personal information are provided. In another example, a computer-readable non-volatile recording medium having a computer code recorded therein, required for the personal information management, is provided.
    Type: Grant
    Filed: August 30, 2021
    Date of Patent: May 9, 2023
    Assignee: SNPLab Inc.
    Inventor: Jae Young Lee
  • Patent number: 11641356
    Abstract: An authorization apparatus includes a memory configured to store attribute information associating an identification information of data and information indicating an attribute of the data, the data being stored in a data server, a processor configured to generate an access token in association with an extraction condition to be used for extracting the data to be obtained by a terminal, and a communicator configured to receive a target access token from the data server, wherein when receiving the target access token, the processor is configured to extract identification information of data pieces satisfying the extraction condition associated with the target access token, and generate a list of identification information of the data to be disclosed to the terminal using a target access token, and the communicator transmits the list to the data server.
    Type: Grant
    Filed: October 6, 2020
    Date of Patent: May 2, 2023
    Assignee: FUJITSU LIMITED
    Inventors: Yasuki Fujii, Junichi Suga, Izuru Sato, Shinya Yamamura
  • Patent number: 11640472
    Abstract: Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: May 2, 2023
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, Liron Levin
  • Patent number: 11636191
    Abstract: Apparatuses and methods associated with authenticated production are disclosed herein. In embodiments, a digital fingerprint processor may be configured to: identify an activation of at least one of the one or more machines to attempt to produce or manufacture at least one of physical product or physical manufacture; responsive to completion of one or more operations associated with the activation by the one or more machines, acquire digital image data of a portion of a physical object on or inside the one or more machines; analyze the digital image data to form a digital fingerprint of the physical object, wherein the digital fingerprint is responsive to structure of the physical object; and store the digital fingerprint in a database record of the database system. Other embodiments may be disclosed or claimed.
    Type: Grant
    Filed: January 20, 2021
    Date of Patent: April 25, 2023
    Assignee: Alitheon, Inc.
    Inventors: Justin Lynn Withrow, David Justin Ross
  • Patent number: 11627136
    Abstract: A system can determine a set of users to access an asset of a computing device. User data for a user in the set of users is obtained. The user data can specify organizational information for the user. The system can determine a value usable to regulate access to the asset. The value can be based on the organizational information for the user, and the value can be further based on other user data attributed to another user in the set of users. Based on the determined value, the system can regulate access to the asset.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: April 11, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 11616636
    Abstract: A cryptographic acceleration card included in a blockchain integrated station sends negotiation information to a provider of a new disk image, where the negotiation information is used by the provider to determine a deployment key, and where the new disk image is used to update an old disk image included in the blockchain integrated station. The cryptographic acceleration card receives a new hash value encrypted by the provider using the deployment key, where the new hash value corresponds to the new disk image. The cryptographic acceleration card replaces an old hash value corresponding to the old disk image with the new hash value, where the new hash value is compared with a current hash value of a disk image included in the blockchain integrated station to determine whether the disk image matches the new disk image.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: March 28, 2023
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Changzheng Wei, Ying Yan, Peng Wu, Hui Zhang, Changhua He
  • Patent number: 11616655
    Abstract: A lock for securing access to a physical resource is provided. The lock includes a wireless interface configured for communication with a plurality of lock access devices in vicinity of the lock. The wireless interface is further configured to receive digital certificates from the plurality of lock access devices. The lock further includes a memory configured to store a public key, and a processor configured to authenticate a digital certificate received from a lock access device using the public key. The processor may further be configured to extract a wait time parameter, scheduled access period parameter, or re-use parameter from the digital certificate. In addition, the processor is configured to unlock the lock after a delay period based on the wait time parameter, during a scheduled access period based on the scheduled access period parameter, or based on the number of times indicated by the re-use parameter.
    Type: Grant
    Filed: June 5, 2020
    Date of Patent: March 28, 2023
    Assignee: SERA4 LTD.
    Inventor: Jerod D. Klink
  • Patent number: 11606334
    Abstract: A communication security apparatus includes a communicator that receives a packet from a first device and transmits the received packet to a second device, a memory that retains address authentication information containing pairs of a physical address and a logical address of one or more devices, and a controller. After a learning period of receiving and transmitting packets, the controller determines whether a pair of a physical address and a logical address of the first device and the second device match any one of the pairs of the physical address and the logical address of the one or more devices in the packet, and discards the packet when the pair of the physical address and the logical address of the first device and the second device do not match any one of the pairs of the physical address and the logical address of the one or more devices.
    Type: Grant
    Filed: March 10, 2021
    Date of Patent: March 14, 2023
    Assignee: PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA
    Inventors: Takuji Hiramoto, Tatsumi Oba
  • Patent number: 11601435
    Abstract: In an example aspect, a method includes receiving, using a hardware processing device, a first classification of a network address associated with a login attempt as an account validator actor. The method also includes based on the first classification, updating, using the hardware processing device, a system deny list to include the network address for a first length of time. The method also includes after expiration of the first length of time removing the network address from the system deny list, receiving a second classification of the network address as an account validator actor, and updating the system deny list to include the network address for a second length of time.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: March 7, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Bryan D. Hall, Nicola A. Maiorana, Richard Joseph Schroeder