Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: A method for verifying digital signatures in the presence of root key rollover includes issuing a cross-certificate to a rekeyed root certificate, validating the cross-certificate and the rekeyed root certificate with respect to an original trusted root certificate, and validating a digital media signature using the cross-certificate and the rekeyed root certificate. The method may also include adding the rekeyed root certificate to an end user's trusted root certificate store. The digital media signature validated via the method may correspond to a program signature. Validating the cross-certificate and the rekeyed root certificate may include verifying certificates within a program's certificate chain. A computer program product and a computer system corresponding to the method are also disclosed.

Abstract: A computer-implemented method for encrypting binary data may include encoding raw binary data in Base64 format to generate Base64 binary data. The Base64 binary data may be encrypted, by a computer processor, using format-preserving encryption to generate Base64 ciphertext. The Base64 ciphertext may be validatable by a Base64 validator.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU_Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate_Bit by using a Clock_Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: In one embodiment, a computer-implemented method includes extracting first key derivation data from a first row of data to be stored in a database, where the database includes two or more rows of data. A first encryption subkey is generated, by a computer processor, by combining the first key derivation data with a static key. One or more sensitive fields in each row of the two or more rows of the database are encrypted using a unique corresponding encryption subkey for the row, and the first encryption subkey is unique to the first row among the two or more rows of the database. The one or more sensitive fields in the first row of data are encrypted with format-preserving encryption using the first encryption subkey. The first row of data, including the encrypted one or more sensitive fields, are stored in the database.

Abstract: In one embodiment, a computer-implemented method includes extracting first key derivation data from a first row of data to be stored in a database, where the database includes two or more rows of data. A first encryption subkey is generated, by a computer processor, by combining the first key derivation data with a static key. One or more sensitive fields in each row of the two or more rows of the database are encrypted using a unique corresponding encryption subkey for the row, and the first encryption subkey is unique to the first row among the two or more rows of the database. The one or more sensitive fields in the first row of data are encrypted with format-preserving encryption using the first encryption subkey. The first row of data, including the encrypted one or more sensitive fields, are stored in the database.

Abstract: A computer-implemented method for encrypting binary data may include encoding raw binary data in Base64 format to generate Base64 binary data. The Base64 binary data may be encrypted, by a computer processor, using format-preserving encryption to generate Base64 ciphertext. The Base64 ciphertext may be validatable by a Base64 validator.

Abstract: A method for verifying digital signatures in the presence of root key rollover includes issuing a cross-certificate to a rekeyed root certificate, validating the cross-certificate and the rekeyed root certificate with respect to an original trusted root certificate, and validating a digital media signature using the cross-certificate and the rekeyed root certificate. The method may also include adding the rekeyed root certificate to an end user's trusted root certificate store. The digital media signature validated via the method may correspond to a program signature. Validating the cross-certificate and the rekeyed root certificate may include verifying certificates within a program's certificate chain. A computer program product and a computer system corresponding to the method are also disclosed.

Abstract: In one embodiment, a computer-implemented method includes extracting first key derivation data from a first row of data to be stored in a database, where the database includes two or more rows of data. A first encryption subkey is generated, by a computer processor, by combining the first key derivation data with a static key. One or more sensitive fields in each row of the two or more rows of the database are encrypted using a unique corresponding encryption subkey for the row, and the first encryption subkey is unique to the first row among the two or more rows of the database. The one or more sensitive fields in the first row of data are encrypted with format-preserving encryption using the first encryption subkey. The first row of data, including the encrypted one or more sensitive fields, are stored in the database.

Abstract: In one embodiment, a computer-implemented method includes extracting first key derivation data from a first row of data to be stored in a database, where the database includes two or more rows of data. A first encryption subkey is generated, by a computer processor, by combining the first key derivation data with a static key. One or more sensitive fields in each row of the two or more rows of the database are encrypted using a unique corresponding encryption subkey for the row, and the first encryption subkey is unique to the first row among the two or more rows of the database. The one or more sensitive fields in the first row of data are encrypted with format-preserving encryption using the first encryption subkey. The first row of data, including the encrypted one or more sensitive fields, are stored in the database.

Abstract: A system for remapping subsets of host-centric application programming interfaces to commodity service providers includes a processor configured to receive a commodity service providers object, embed the commodity service providers object with a handle, transform the handle into a serialized object readable by a hardware security module, generate a virtualized handle from the transformed handle, select a target hardware security module based on characteristics of the serialized object and map the virtualized handle to the target hardware security module.

Abstract: Exemplary embodiments include a method for remapping subsets of host-centric application programming interfaces to commodity service providers, the method including receiving a commodity service providers object, embedding the commodity service providers object with a handle, transforming the handle into a serialized object readable by a hardware security module, generating a virtualized handle from the transformed handle, selecting a target hardware security module based on characteristics of the serialized object and mapping the virtualized handle to the target hardware security module.

Abstract: According to some exemplary embodiments, a computer-implemented timestamp method includes maintaining, at a cryptographic service provider (CSP), one or more timestamp policies specifying when digital timestamps should be issued. A timestamp request is received at the CSP from a timestamp authority that manages timestamping and is accompanied by a corresponding timestamp data structure. With a computer processor, a difference is determined between a first time specified in the timestamp data structure and a second time indicated by an internal clock of the CSP. The timestamp request is rejected if the first timestamp data structure fails to comply with a predetermined timestamp policy, where the predetermined timestamp policy requires that the difference between the first time and the second time be below a predetermined threshold.

Abstract: A method, apparatus and program storage device for program verification in an information handling system in which an application program runs on an operating system having a signature verification function for verifying a digital signature of the application program. Upon loading of the application program, the signature verification function of the operating system verifies the digital signature of the application program and, if the digital signature is verified, initiates execution of the application program. Upon initiation of execution of the application program, a verification testing function associated with the application program tests the signature verification function of the operating system by presenting to it a sequence of test digital signatures in a specified pattern of true and false signatures. If its test of the signature verification function of the operating system is successful, the application program initiates normal execution.

Abstract: According to some exemplary embodiments, a computer-implemented timestamp method includes maintaining, at a cryptographic service provider (CSP), one or more timestamp policies specifying when digital timestamps should be issued. A timestamp request is received at the CSP from a timestamp authority that manages timestamping and is accompanied by a corresponding timestamp data structure. With a computer processor, a difference is determined between a first time specified in the timestamp data structure and a second time indicated by an internal clock of the CSP. The timestamp request is rejected if the first timestamp data structure fails to comply with a predetermined timestamp policy, where the predetermined timestamp policy requires that the difference between the first time and the second time be below a predetermined threshold.

Abstract: Key creation includes sending a first public key part from a first system to a second system, receiving a second public key part sent by the second system to the first system and establishing a first secret material in the first system using the first and second public key parts, wherein the first secret material is identical to a second secret material established on the second system using the first and second key parts. Key creation also includes binding key control information to the first secret material in the first system, wherein the key control information includes information relating to key type and key management and deriving a first key material from the combination of the key control information and the first secret material, wherein the first key material is identical to a second key material derived by the second system.

Abstract: Key creation includes sending a first public key part from a first system to a second system, receiving a second public key part sent by the second system to the first system and establishing a first secret material in the first system using the first and second public key parts, wherein the first secret material is identical to a second secret material established on the second system using the first and second key parts. Key creation also includes binding key control information to the first secret material in the first system, wherein the key control information includes information relating to key type and key management and deriving a first key material from the combination of the key control information and the first secret material, wherein the first key material is identical to a second key material derived by the second system.

Abstract: A system for remapping subsets of host-centric application programming interfaces to commodity service providers includes a processor configured to receive a commodity service providers object, embed the commodity service providers object with a handle, transform the handle into a serialized object readable by a hardware security module, generate a virtualized handle from the transformed handle, select a target hardware security module based on characteristics of the serialized object and map the virtualized handle to the target hardware security module.