Abstract: Disclosed embodiments relate to systems and methods for securely handling secrets by securing development and operations pipelines. Techniques include identifying a network access request for a process within the development and operations pipeline; accessing a result of at least one investigation of the process and the network access request, wherein the at least one investigation includes one of monitoring the process behavior, performing a process attestation, or performing an inspection of the network access request; determining whether to authorize the network access request; and conditional on whether the network access request is authorized, dynamically injecting a secret into the network access request, wherein the secret is not made available to the process itself.

Abstract: A method and apparatus for integrity protecting data that include and perform: receiving as input data any new digital information from one or more sources; forming a protection block representing the input data received during a first period of time, if any; forming a digital descriptor using at least the protection block; and producing a delay-coding verification code based on the digital descriptor and a previous verification code.

Abstract: Various example embodiments for supporting placement of virtual resources in a resource virtualization system are presented. The resource virtualization system may include a set of hosts configured to host virtual resources based on underlying physical resources and a set of schedulers configured to receive and handle requests for virtual resources. The handling of requests for virtual resources by the schedulers may include selecting ones of the hosts to handle the requests for virtual resources and initiating instantiation of the virtual resources on the ones of the hosts selected to handle the requests for virtual resources. The selection of the ones of the hosts to handle the requests for virtual resources may be performed by the schedulers using groups of hosts that include subsets of the hosts of the resource virtualization system.

Abstract: In one embodiment, a first signature template is received, the first signature template being one of a signature template of a first message or a null template, the first signature template comprising at least the following fields: an aggregation depth field, a message identifier, one of the first message or a result of applying a one way hash function to the first message, a bit vector, an aggregated square random integer mod N, a signature of the first message. A second signature template is created based on the first signature template, the second signature template created as follows: increment the aggregation depth of the first signature template, determine a unique message identifier for a second message, determine a second bit vector, determine an second aggregated square random integer mod N, and calculate a new signature for the second message. Related methods, apparatus, and systems are also disclosed.

Abstract: In one embodiment, a method for securing data on a semi-trusted server is implemented on a computing device and includes: receiving at least a current session key from a user device for use during a current session, where the current session key is suitable for encrypting data and for decrypting data encrypted with the current session key, decrypting communications received from the user device during the session with said session key, encrypting with the session key at least one of communications to be sent to said user device and personal data generated during the session, storing the encrypted personal data, and discarding the current session key upon completion of the session, thereby limiting possible access to the stored encrypted personal data other than during the session. Related apparatus and methods are also described.

Abstract: In one embodiment, a first signature template is received, the first signature template being one of a signature template of a first message or a null template, the first signature template comprising at least the following fields: an aggregation depth field, a message identifier, one of the first message or a result of applying a one way hash function to the first message, a bit vector, an aggregated square random integer mod N, a signature of the first message. A second signature template is created based on the first signature template, the second signature template created as follows: increment the aggregation depth of the first signature template, determine a unique message identifier for a second message, determine a second bit vector, determine an second aggregated square random integer mod N, and calculate a new signature for the second message. Related methods, apparatus, and systems are also disclosed.

Abstract: In one embodiment, a method for providing media content implemented on a broadcast headend includes defining at least one metablock of media content according to a number of media content data blocks, where the media content data blocks are ordered in accordance with associated serial numbers, reordering the media content data blocks in the at least one metablock of media content to generate reordered data blocks, obfuscating the associated serial numbers in the reordered data blocks, providing details of the reordering to a receiving device, and transmitting the reordered data blocks to a receiving device.

Abstract: A method, system and apparatus for deriving a secondary secret from a root secret are described, the method, system and apparatus including reserving a memory buffer included in an integrated circuit, the memory buffer being large enough to contain all of the bits which will include the secondary secret, receiving a plurality of bits from a root secret, the root secret being stored in a secure memory of the integrated circuit, inputting the plurality of bits from the root secret and at least one control bit into a permutation network, and thereby producing a multiplicity of output bits, the at least one control bit including one of one bit of a value g, and one bit an output of a function which receives g as an input, receiving the multiplicity of output bits from the permutation network, inputting the multiplicity of output bits from the permutation network into a plurality of logic gates, thereby combining the multiplicity of output bits, wherein a fixed number of bits is output from the logic gates, inputt

Abstract: In one embodiment, a method for providing media content implemented on a broadcast headend includes defining at least one metablock of media content according to a number of media content data blocks, where the media content data blocks are ordered in accordance with associated serial numbers, reordering the media content data blocks in the at least one metablock of media content to generate reordered data blocks, obfuscating the associated serial numbers in the reordered data blocks, providing details of the reordering to a receiving device, and transmitting the reordered data blocks to a receiving device.

Abstract: A computer-implemented letter-based method of encoding a length-significant portion of natural language text to generate a letter-based fingerprint of the text portion, the method including detecting letter-based locations of occurrences of pre-determined single-letter and/or multi-letter pattern(s) within the length-significant portion, the detecting being carried out such that at least some occurrences are detected in a word-boundary independent manner that does not depend on locations of word-word boundaries, for a pattern occurrence letter-position signal which describes letter positions of the occurrences of the patterns within the text portion, computing frequency-dependent absolute or relative magnitudes of signal strength for a plurality of frequencies, the computed magnitudes representing letter-based frequencies of the pattern occurrences within the natural language text portion, and storing the computed signal strength magnitudes at the plurality of frequencies, the generated fingerprint comprising

Abstract: A method, system and apparatus for deriving a secondary secret from a root secret are described, the method, system and apparatus including reserving a memory buffer included in an integrated circuit, the memory buffer being large enough to contain all of the bits which will include the secondary secret, receiving a plurality of bits from a root secret, the root secret being stored in a secure memory of the integrated circuit, inputting the plurality of bits from the root secret and at least one control bit into a permutation network, and thereby producing a multiplicity of output bits, the at least one control bit including one of one bit of a value g, and one bit an output of a function which receives g as an input, receiving the multiplicity of output bits from the permutation network, inputting the multiplicity of output bits from the permutation network into a plurality of logic gates, thereby combining the multiplicity of output bits, wherein a fixed number of bits is output from the logic gates, inputt

Abstract: A method for communication, including distributing over a communication network multiple channels of digital content, which are encrypted using different, channel-specific control words, and transmitting over the communication network, different, channel-specific entitlement control messages from which the control words are derivable such that each of the different channel-specific control words is derivable from any of the different channel-specific entitlement control messages by authorized receivers of the channels on the communication network. Related methods and apparatus are also included.

Abstract: A method and system of preventing control word sharing, the method and system including receiving a temporal key, denoted TKi, at a removable security element, receiving an entitlement control message (ECM), the ECM including a control word derivable by the removable security element, deriving the control word from the ECM at the removable security element, combining at least the control word and a value associated with an ID of the removable security element, thereby producing combined control word and removable security element ID data, encrypting the combined control word and removable security element ID data according to an encryption function, wherein the encrypting includes using TKi as an encryption key, and at a time after a removable security element interface has received TKi, but prior to a start of a crypto period with which the control word is associated, sending the encrypted combined control word and removable security element ID data to the removable security element interface.

Abstract: In one embodiment, a method for securing data on a semi-trusted server is implemented on a computing device and includes: receiving at least a current session key from a user device for use during a current session, where the current session key is suitable for encrypting data and for decrypting data encrypted with the current session key, decrypting communications received from the user device during the session with said session key, encrypting with the session key at least one of communications to be sent to said user device and personal data generated during the session, storing the encrypted personal data, and discarding the current session key upon completion of the session, thereby limiting possible access to the stored encrypted personal data other than during the session. Related apparatus and methods are also described.

Abstract: A multimedia content distribution method including a) storing an item of a multimedia content, b) firstly transcoding the content for playback on a first multimedia device, c) generating a content ID of the firstly transcoded content, d) storing the content ID of the firstly transcoded content in association with the stored content, e) accessing the stored content using the content ID of the firstly transcoded content, and f) secondly transcoding the stored content for playback on a second multimedia device.

Abstract: A method and system for securing a read write storage (RWS) device, the method comprising, providing the RWS device, the RWS device comprising a controller comprising a processor and a bit bucket storing data, and employing the controller to corrupt at least a portion of the data.

Abstract: A method and system of preventing control word sharing, the method and system including receiving a temporal key, denoted TKi, at a removable security element, receiving an entitlement control message (ECM), the ECM including a control word derivable by the removable security element, deriving the control word from the ECM at the removable security element, combining at least the control word and a value associated with an ID of the removable security element, thereby producing combined control word and removable security element ID data, encrypting the combined control word and removable security element ID data according to an encryption function, wherein the encrypting includes using TKi as an encryption key, and at a time after a removable security element interface has received TKi, but prior to a start of a crypto period with which the control word is associated, sending the encrypted combined control word and removable security element ID data to the removable security element interface.

Abstract: A method for granting a grace period entitlement, the method comprising receiving a grace period entitlement message, establishing whether a grace period flag indicates that a grace period may be granted, granting a grace period to an expired entitlement based, at least in part, on the grace period entitlement message, only if the grace period flag is “off”, and setting the grace period flag to indicate that the grace period has been granted. Related methods and apparatus are also described.

Abstract: A computer-implemented letter-based method of encoding a length-significant portion of natural language text to generate a letter-based fingerprint of the text portion, the method including detecting letter-based locations of occurrences of pre-determined single-letter and/or multi-letter pattern(s) within the length-significant portion, the detecting being carried out such that at least some occurrences are detected in a word-boundary independent manner that does not depend on locations of word-word boundaries, for a pattern occurrence letter-position signal which describes letter positions of the occurrences of the patterns within the text portion, computing frequency-dependent absolute or relative magnitudes of signal strength for a plurality of frequencies, the computed magnitudes representing letter-based frequencies of the pattern occurrences within the natural language text portion, and storing the computed signal strength magnitudes at the plurality of frequencies, the generated fingerprint comprising

Abstract: A method for communication, including distributing over a communication network multiple channels of digital content, which are encrypted using different, channel- specific control words, and transmitting over the communication network, different, channel-specific entitlement control messages from which the control words are derivable such that each of the different channel-specific control words is derivable from any of the different channel-specific entitlement control messages by authorized receivers of the channels on the communication network. Related methods and apparatus are also included.