Abstract: A method for cryptographic key provisioning includes, via a main authentication server (MAS), generating a first secret key and registering a client by performing a first portion of a first instance of a distributed threshold oblivious pseudo-random function. The first instance of the function results in the client obtaining a root secret key and the MAS obtaining a corresponding root public key. The method includes authenticating the client to the MAS by performing a first portion of a second instance of the distributed threshold oblivious pseudo-random function. The second instance of the function results in the client obtaining the root secret key. Information stored by the client, the first secret key, and a second secret key generated by a support authentication server are inputs to at least one of the first and second instances of the distributed threshold oblivious pseudo-random function.

Abstract: A method for providing a trusted service to a trusted execution environment running on a remote host machine includes receiving a message from the trusted execution environment and incrementing a counter of the trusted service. A response message is sent to the trusted execution environment using a value of the incremented counter.

Abstract: A method for secure proxying using trusted execution environment (TEE) technology includes performing, using a TEE running on a proxy, an attestation with a TEE running on a client. The TEE running on the proxy receives from the TEE running on the client a request to fetch data from a remote server. The TEE running on the proxy fetches the data specified in the request from the remote server. The TEE running on the proxy forwards to the TEE running on the client the data fetched from the remote server.

Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud includes receiving, by a proxy, a request from a client, requesting, by the proxy from an attestation service, attestation, and sending, by the proxy to the client, a result of the attestation.

Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud computing system. The method includes executing a proxied attestation procedure with a client to enable the client to attest that an enclave management layer (EML) application provided by the cloud computing system runs on a TEE-enabled platform. The method also includes receiving, by the cloud computing system from the client, application code corresponding to the TEE-based application and receiving, by the EML application from the client, application parameters corresponding to the TEE-based application. In addition, the method includes writing, by the EML, application to a secure storage layer, the application parameters corresponding to the TEE-based application and creating, by the cloud computing system, an enclave configured to execute the TEE-based application.

Abstract: A method for anonymous authentication and key establishment based on passwords (APAKE), includes instantiating, by the server, an OPRF scheme and a symmetric encryption scheme; engaging in, by the client and the server, an OPRFEvaluate protocol so that the client learns a decryption key associated with its password while the server learns nothing; securely transferring, by the server, a nonce and a symmetric encryption key to the client if the client holds a valid password; sending, by the client, its nonce encrypted under the symmetric encryption key; using, by the server, the symmetric encryption key to decipher ciphertext received by virtue of the sending, by the client, its nonce encrypted under the symmetric encryption key and to recover the client's nonce; and computing, by the server and the client, a compute key based on the client's nonce and the server's nonce.

Abstract: A method for detecting a cache-based side-channel attack includes utilizing a timer thread that continuously increments a variable in code of an application. The code has been instrumented such that the instrumented code uses the variable incremented by the timer thread to infer an amount of time taken for running a part of the code. A number of cache misses during execution of the part of the code is determined based on the amount of time. It is determined whether the application is experiencing the cache-based side-channel attack using a classifier which uses as input the number of cache misses.

Abstract: A method for cryptographic key provisioning includes, via a main authentication server (MAS), generating a first secret key and registering a client by performing a first portion of a first instance of a distributed threshold oblivious pseudo-random function. The first instance of the function results in the client obtaining a root secret key and the MAS obtaining a corresponding root public key. The method includes authenticating the client to the MAS by performing a first portion of a second instance of the distributed threshold oblivious pseudo-random function. The second instance of the function results in the client obtaining the root secret key. Information stored by the client, the first secret key, and a second secret key generated by a support authentication server are inputs to at least one of the first and second instances of the distributed threshold oblivious pseudo-random function.

Abstract: A method for secure user authentication using a blockchain includes computing a cryptographic puzzle and a solution to the cryptographic puzzle. The solution is sent to a user to be authenticated and the cryptographic puzzle is sent to the blockchain. Thereby, the user is authenticatable by a relaying party having read access to the blockchain to fetch the cryptographic puzzle from the blockchain and determine whether the solution as presented to the relaying party by the user is a valid solution to the cryptographic puzzle.

Abstract: A method for determining an identity of a URL visited by a user from a vantage point in a network in which network traffic is encrypted includes determining a host to model, generating a list of URLs hosted by the host to model, repeatedly retrieving web resources referenced by the list of URLs hosted by the host to model and generating a network traffic signature upon each retrieval, generating a data feature for each of the generated network traffic signatures, and training, using the generated data features, a classifier corresponding to the host to model, wherein the classifier is configured to determine an identity of the visited URL from a signature of network traffic produced by the retrieval of a resource referenced by the visited URL.

Abstract: A method for storing a data file (DF) on a storage entity (SE) includes receiving, by a proxy (PE) and from a computing entity (CE), a plurality of hash values corresponding to a plurality of blocks of the DF. The PE may check whether the plurality of blocks of the DF are stored in the SE based on the plurality of hash values. Based on determining that at least a subset of the plurality of blocks of the DF are not being stored in the SE, the PE may compute a secret associated with an encryption key. The PE may transmit, to the CE, the secret. The PE may receive, from the CE, information including storage locations of the subset of the plurality of blocks within the SE and one or more hash values, of the plurality of hash values, associated with the subset of the plurality of blocks.

Abstract: A method for storing a data file, ‘DF’ on a storage entity, ‘SE’ includes a computing entity, ‘CE’, chunking the DF into a number of blocks using a one-way-function and a chunking key. The CE may compute a hash value for each of the blocks. One or more proxies, ‘PE’, may check whether the blocks are already stored, resulting in a first number of already stored blocks and a second number of blocks not being stored. The CE may encrypt the blocks not being stored using an encryption key, transmit the encrypted blocks to the SE for storing, and inform the PE about the hash value of each of the transmitted blocks and corresponding storage location information of the transmitted blocks.

Abstract: In a system having a plurality of servers, a method is executed to perform an encryption scheme. The method includes a server of the plurality of servers receiving a request token to compute a function on a data point, the data point being encrypted as a ciphertext and the request token being based on the ciphertext and the function. The server grants the request to compute the function on the datapoint by sending a function evaluation key, and participates in a distributed decryption protocol for determining a result of computing the function on the data point by sending a master secret key.

Abstract: A communication apparatus comprising: a plurality of communication processes, each performing communication process on a flow associated thereto; a plurality of network interfaces, each of the network interfaces adapted to be connected to a network; a dispatcher that receives a packet from the network interface and dispatches the packet to an associated communication process, based on a dispatch rule that defines association of a flow to a communication process to which the flow is dispatched; and a control unit that performs control to roll back each of the communication processes using saved image thereof.

Abstract: A computer-implemented method includes receiving an original message from a trusted execution environment. The original message includes an original digital signature authored by the trusted execution environment. The method includes computing a proof of knowledge for the original digital signature and modifying the original message by replacing the original digital signature with the proof of knowledge.

Abstract: A communication apparatus comprising a plurality of communication processes, each of the communication processes configured to be executed in an environment allocated thereto and isolated from each of one or more environments arranged for remaining one or more processes, each of the communication processes performing communication processing on a flow associated thereto, a network interface connected to a network; a dispatcher that dispatches a packet to the communication process based on a dispatch rule that defines association of a flow with a communication process.

Abstract: A method secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends to the application owner, the output.

Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud includes receiving, by a proxy, a request from a client, requesting, by the proxy from an attestation service, attestation, and sending, by the proxy to the client, a result of the attestation.

Abstract: A method for executing a trusted execution environment (TEE) based application in a cloud computing system. The method includes executing a proxied attestation procedure with a client to enable the client to attest that an enclave management layer (EML) application provided by the cloud computing system runs on a TEE-enabled platform. The method also includes receiving, by the cloud computing system from the client, application code corresponding to the TEE-based application and receiving, by the EML application from the client, application parameters corresponding to the TEE-based application. In addition, the method includes writing, by the EML, application to a secure storage layer, the application parameters corresponding to the TEE-based application and creating, by the cloud computing system, an enclave configured to execute the TEE-based application.

Abstract: A method for checking legitimacy of a customer review includes receiving, via a service provider device, a verification key and receiving, via a customer device, a customer review, a redacted message, and a redacted signature. The method further includes at least one of: (a) publishing the verification key and the redacted signature on a review website with the customer review such that the legitimacy of the redacted signature is checkable by a user device; or (b) checking, using the verification key, whether the redacted signature is legitimate and, based on the redacted signature being legitimate, marking the customer review as being legitimate.