Abstract: Establishing a transfer mode between devices for large bulk records over a TLS protocol by fragmenting an encrypted bulk record into a set of pre-defined block sizes for convenient transfer. The pre-defined block sizes are specifically sized to indicate a beginning and an end of the transfer of the associated blocks making up the large bulk record. A middle box is unaware of the association between the blocks and permits transfer according to the maximum transmission unit of the transport layer security (TLS) protocol. The fragmented bulk record is reconstructed and decrypted for use after the transfer.

Abstract: Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.

Abstract: An analyzer system inputs parameter values from trace files of a software application into an autoencoder. The analyzer system adjusts weights of the edges between nodes in the autoencoder until reconstruction errors in outputs are minimized. The analyzer system receives a selection of a parameter represented in an autoencoder. In response, the analyzer system identifies hidden layer nodes connected to an output node corresponding to the selected parameter and identifies other output nodes connected to the hidden layer nodes. The analyzer system retrieves weights assigned to edges between the hidden layer nodes and the other output nodes. The analyzer system calculates correlation values between the output node corresponding to the selected parameter and each of the other output nodes and outputs the correlation values. A user can use the correlation values to better direct the root cause analysis.

Abstract: In an approach to efficient concurrent TLS data streams, a parent connection is established by performing a normal TLS handshake. A concurrent mode of operation is negotiated, where one or more child connections are established without using the TLS handshake. The one or more child connections are associated to the parent connection. Child application traffic secrets are derived for each child connection of the one or more child connections from application traffic secrets of the parent.

Abstract: A method, a computer program product, and a system for binding post-quantum certificates to traditional certificates. The method includes selecting a traditional certificate in a certificate chain owned by an owner. The method also includes calculating a fingerprint of the traditional certificate. The method further includes generating a post-quantum certificate with identical information fields as the traditional certificate, and populating a serial number of the post-quantum certificate using the fingerprint. The post-quantum certificate acts as an extension of the first traditional certificate providing authentication and validation between a client and a server using post-quantum capable signing algorithms.

Abstract: A computer system determines stack usage. An intercept function is executed to store a stack marker in a stack, wherein the intercept function is invoked when a program enters or exits each function of a plurality of functions of the program. A plurality of stack markers are identified in the stack and a memory address is determined for each stack marker during execution of the program to obtain a plurality of memory addresses. The plurality of memory addresses are analyzed to identify a particular memory address associated with a greatest stack depth. A stack usage of the program is determined based on the greatest stack depth. Embodiments of the present invention further include a method and program product for determining stack usage in substantially the same manner described above.

Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Abstract: A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to the random value to produce a hash value. Starting with the hash value, the method further includes reapplying the hash function in an iterative or recursive manner, with a new hash value produced by the hash function acting as an initial value that is applied to the hash function for a next iteration, until a bit sequence representing a message is produced in a message hash value. The method further includes utilizing the message hash value as a new random value that can be used by an encryption algorithm.

Abstract: In an approach for securing data, a processor publishes a traditional public key in a traditional certificate and a PQC public key in a PQC certificate. A processor encrypts data with a hybrid shared secret, the hybrid shared secret generated with a key derivation function by using a traditional shared secret based on the traditional public key and a PQC shared secret based on the PQC public key. A processor decrypts the data with the hybrid shared secret based on a traditional private key and a PQC private key. A processor signs the data with a traditional signature followed by a PQC signature.

Abstract: Establishing a transfer mode between devices for large bulk records over a TLS protocol by fragmenting an encrypted bulk record into a set of pre-defined block sizes for convenient transfer. The pre-defined block sizes are specifically sized to indicate a beginning and an end of the transfer of the associated blocks making up the large bulk record. A middle box is unaware of the association between the blocks and permits transfer according to the maximum transmission unit of the TLS protocol. The fragmented bulk record is reconstructed and decrypted for use after the transfer.

Abstract: In an approach to efficient concurrent TLS data streams, a parent connection is established by performing a normal TLS handshake. A concurrent mode of operation is negotiated, where one or more child connections are established without using the TLS handshake. The one or more child connections are associated to the parent connection. Child application traffic secrets are derived for each child connection of the one or more child connections from application traffic secrets of the parent.

Abstract: A computer system determines stack usage. An intercept function is executed to store a stack marker in a stack, wherein the intercept function is invoked when a program enters or exits each function of a plurality of functions of the program. A plurality of stack markers are identified in the stack and a memory address is determined for each stack marker during execution of the program to obtain a plurality of memory addresses. The plurality of memory addresses are analyzed to identify a particular memory address associated with a greatest stack depth. A stack usage of the program is determined based on the greatest stack depth. Embodiments of the present invention further include a method and program product for determining stack usage in substantially the same manner described above.

Abstract: Provided is a method, a computer program product, and a system for providing perfect forward secrecy in virtual machines. The method includes receiving a secure memory allocation function from an application, including a connection secret to be stored in memory. The method further includes allocating memory for the connection secret according to the memory size parameter and storing an entry relating to the connection secret in a secure database. The memory information includes a memory location and a memory size of the memory. The method also includes monitoring an operation state relating to the virtual machine. The method further includes receiving, from the application, a secure deallocation function relating to the connection secret and retrieving the memory information from the secure database. The method also includes deleting the connection from the memory and sanitizing the memory location logged by the memory information.

Abstract: A computer-implemented method, computer system, and computer program product for generation of a password with increased password strength. Embodiments of the present invention may include receiving one or more alphanumeric characters. Embodiments of the present invention may include receiving one or more images. Embodiments of the present invention may include hashing the received one or more images. Embodiments of the present invention may include hashing the one or more alphanumeric characters and the hashed one or more images to generate the password. Embodiments of the present invention may include replacing the one or more alphanumeric characters with the one or more images and sending the generated password to a server. Embodiments of the present invention may include sequencing the one or more images between the one or more alphanumeric characters. The one or more images may be personal photos of a user.

Abstract: A method, a computer program product, and a system for removing padding oracles in encryption techniques. The method includes padding a plaintext message using a padding scheme producing a padded plaintext message. The method also includes encrypting the padded plaintext message using a block cipher generating an encrypted data block of fixed-size as well as a hash value. The method further includes randomly generating an ephemeral key and an initialization vector. The method also includes prepending the hash value, the ephemeral key, and the initialization vector to the encrypted data block. The method includes performing an encryption technique to the encrypted data block prepended with the hash value, the ephemeral key, and the initialization vector.

Abstract: In an approach for securing data, a processor publishes a traditional public key in a traditional certificate and a PQC public key in a PQC certificate. A processor encrypts data with a hybrid shared secret, the hybrid shared secret generated with a key derivation function by using a traditional shared secret based on the traditional public key and a PQC shared secret based on the PQC public key. A processor decrypts the data with the hybrid shared secret based on a traditional private key and a PQC private key. A processor signs the data with a traditional signature followed by a PQC signature.

Abstract: A method and a system for integrating post quantum cryptographic algorithms into TLS. The method includes transmitting a client hello message to a server including a request for post quantum cryptographic (PQC) mode of operation and a PQC public client key, receiving a server hello message from the server in response to the client hello message including a PQC server key exchange generated from the PQC public client key. The method includes determining the server hello message includes an authorization to operate the PQC mode of operation. The method also includes transmitting a second client hello message to the server including a PQC encrypted client key share. The PQC encrypted client key share is encrypted using a client encryption key. The method includes receiving a second server hello message that includes a PQC encrypted server key share and decrypting the PQC encrypted server key share using a server encryption key.

Abstract: A method, a computer program product, and a system for binding post-quantum certificates to traditional certificates. The method includes selecting a traditional certificate in a certificate chain owned by an owner. The method also includes calculating a fingerprint of the traditional certificate. The method further includes generating a post-quantum certificate with identical information fields as the traditional certificate, and populating a serial number of the post-quantum certificate using the fingerprint. The post-quantum certificate acts as an extension of the first traditional certificate providing authentication and validation between a client and a server using post-quantum capable signing algorithms.

Abstract: Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Abstract: Provided is a method, a computer program product, and a system for providing request messages with zero round trip time in a Transport Layer Security (TLS) session. The method includes establishing a TLS session between a server and a client by performing a TLS handshake between the server and the client. The method further includes generating a session ticket associated to the client. The method also includes transmitting the session ticket to the client and receiving an early request message from the client during the TLS session. The early request message includes a request message that is to be sent to the client upon resuming the TLS session with the client. The method further includes associating the early request message with the session ticket and processing the early request message. The data related to the early request message can be sent upon resumption of the TLS session.