Patents by Inventor Nathan Heldt-Sheller

Nathan Heldt-Sheller has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20170169231
    Abstract: Technologies for information security include a computing device with one or more sensors. The computing device may authenticate a user and, after successful authentication, analyze sensor data to determine whether it is likely that the user authenticated under duress. If so, the computing device performs a security operation such as generating an alert or presenting false but plausible data to the user. Additionally or alternatively, the computing device, within a trusted execution environment, may monitor sensor data and apply a machine-learning classifier to the sensor data to identify an elevated risk of malicious attack. For example, the classifier may identify potential user identification fraud. The computing device may trigger a security response if elevated risk of attack is detected. For example, the trusted execution environment may trigger increased authentication requirements or increased anti-theft monitoring for the computing device. Other embodiments are described and claimed.
    Type: Application
    Filed: February 28, 2017
    Publication date: June 15, 2017
    Inventors: Jasmeet Chhabra, Ned M. Smith, Micah J. Sheller, Nathan Heldt-Sheller
  • Publication number: 20170149792
    Abstract: Systems and techniques for resilient network construction using enhanced privacy identification are described herein. A group certificate may be generated for a first device group. The first device group may include a plurality of devices having a shared attribute. A request may be received from a device of the plurality of devices for a data exchange session with a data partner device. The data partner device may be included in a second device group. The data exchange session may be enabled based on a set of permissions related to the group certificate.
    Type: Application
    Filed: November 24, 2015
    Publication date: May 25, 2017
    Inventors: Ned M. Smith, Nathan Heldt-Sheller
  • Publication number: 20170147822
    Abstract: In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.
    Type: Application
    Filed: February 7, 2017
    Publication date: May 25, 2017
    Inventors: Nathaniel J. Goss, Nathan Heldt-Sheller, Kevin C. Wells, Micah J. Sheller, Sindhu Pandian, Ned M. Smith, Bernard N. Keany
  • Patent number: 9659158
    Abstract: Technologies for determining a confidence of user authentication include authenticating a user of a computing device based on a set of authentication factors and a fusion function that fuses the set of authentication factors to generate an authentication result. A false accept rate and a false reject rate of the authentication result are determined, and an authentication confidence for the authentication result is determined. The authentication of the user is performed passively, without interrupting the user. If the authentication confidence is below a threshold value, an active authentication procedure may be performed.
    Type: Grant
    Filed: December 27, 2014
    Date of Patent: May 23, 2017
    Assignee: Intel Corporation
    Inventors: Micah J. Sheller, Ned M. Smith, Nathan Heldt-Sheller
  • Patent number: 9648457
    Abstract: Various embodiments are generally directed to the provision and use of geometric location based security systems that use multiple beacons for determining a location. A beacon transmitted from an ultrasound broadcast as well as one or more different wireless broadcasts can be used to geo-locate a device and provide access controls based on the geo-location.
    Type: Grant
    Filed: December 16, 2014
    Date of Patent: May 9, 2017
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Micah J. Sheller, Nathan Heldt-Sheller
  • Patent number: 9628477
    Abstract: In embodiments, apparatuses, methods and storage media (transitory and non-transitory) are described that are associated with user profile selection using contextual authentication. In various embodiments, a first user of a computing device may be authenticated and have an access control state corresponding to a first user profile established, the computing device may select a second user profile based at least in part on a changed user characteristic, and the computing device may present a resource based at least in part on the second user profile. In various embodiments, the computing device may include a sensor, and a user profile may be selected based at least in part on an output of the sensor and a previously stored template generated by a machine learning classifier.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: April 18, 2017
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Hannah L. Scurfield, Nathan Heldt-Sheller, Micah J. Sheller, Nathaniel J. Goss, Kevin C. Wells, Sindhu Pandian
  • Patent number: 9600670
    Abstract: In one embodiment, a system comprises: a processor including at least one core to execute instructions; a plurality of sensors, including a first sensor to determine location information regarding a location of the system; and a security engine to apply a security policy to the system. In this embodiment, the security engine includes a policy logic to determine one of a plurality of security policies to apply based at least in part on the location information, where the location information indicates a location different than locations associated with the plurality of security policies. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: March 21, 2017
    Assignee: Intel Corporation
    Inventors: Nathaniel J. Goss, Nathan Heldt-Sheller, Kevin C. Wells, Micah J. Sheller, Sindhu Pandian, Ned M. Smith, Bernard N. Keany
  • Publication number: 20170039389
    Abstract: This disclosure is directed to privacy enforcement via localized personalization. An example device may comprise at least a user interface to present content. A message may be received into a trusted execution environment (TEE) situated within the device or remotely, the message including at least metadata and content. The TEE may determine relevance of the content to a user based on the metadata and user data. Based on the relevance, the TEE may cause the content to be presented to the user via the user interface. In one embodiment, the TEE may be able to personalize the content based on the user data prior to presentation. If the content includes an offer, the TEE may also be able to present counteroffers to the user based on user interaction with the content. The TEE may also be able to cause feedback data to be transmitted to at least the content provider.
    Type: Application
    Filed: December 24, 2013
    Publication date: February 9, 2017
    Applicant: Intel Corporation
    Inventors: Ned M. Smith, Nathan Heldt-Sheller, Thomas G. Willis
  • Publication number: 20170034284
    Abstract: In one embodiment, a method includes establishing a first session between a first computing device and a second computing device when the first computing device does not have connectivity to a credential manager; proxying a request to the credential manager from the second computing device on behalf of the first computing device and receiving in the second computing device a first keyless ticket encrypted to the first device and a second keyless ticket encrypted to the second device; providing the second keyless ticket from the second computing device to the first computing device; and enabling communication between the first and second computing devices according to the first and second keyless tickets. Other embodiments are described and claimed.
    Type: Application
    Filed: December 23, 2015
    Publication date: February 2, 2017
    Inventors: Ned M. Smith, Mats G. Agerstam, Nathan Heldt-Sheller
  • Publication number: 20160381081
    Abstract: In one embodiment, a method includes receiving a first request from a first device to access a first resource of the system and determining whether to grant access to the first resource based on a first access control list stored in the system, the first access control list associated with the first device, the first device having a first relevance value, and based on the determination, granting the access to the first resource; and receiving a second request from a second device to access a second resource of the system and forwarding the second request to an access manager service coupled to the system to determine whether to grant access to the second resource based on a second access control list stored in the access manager service associated with the second device, the second device having a second relevance value, receiving an access grant from the access manager service and, based thereon, granting the access to the second resource.
    Type: Application
    Filed: September 8, 2016
    Publication date: December 29, 2016
    Inventors: Ned M. Smith, Mats G. Agerstam, Nathan Heldt-Sheller
  • Publication number: 20160366123
    Abstract: In an example, there is disclosed a computing apparatus, having: a network interface; and one or more logic elements providing a name management engine, operable to: receive a self-assigned name registration request for a name N1 from an endpoint device via the network interface; compare N1 to a database of registered names; determine that the name has not been registered; and sign a certificate for N1. The engine is further operable to determine that the name has been registered, and send a notification that the name is not available. There is also disclosed a computer-readable medium having executable instructions for providing a name management engine, and a method of providing a name management engine.
    Type: Application
    Filed: September 25, 2015
    Publication date: December 15, 2016
    Applicant: McAfee, Inc.
    Inventors: Ned M. Smith, Nathan Heldt-Sheller, Sven Schrecker
  • Publication number: 20160366157
    Abstract: In one embodiment, a method includes receiving, in an on-boarding system for a first network, a request to transfer ownership of a first device having a trusted execution environment to a new owner; receiving, in the on-boarding system, notification information from a spectrum analyzer regarding wireless signal information within the first network; determining if a potential attacker is within a radio range of the first network based on the wireless signal information; responsive to determining that the potential attacker is within the radio range, manipulating a signal strength of the on-boarding system and the first device, to limit an emission range of the on-boarding system and the first device; and performing a native communication protocol between the on-boarding system and the first device to communicate ownership information to execute the ownership transfer to the new owner, and to cause the first device to store the ownership information in a storage of the first device.
    Type: Application
    Filed: September 25, 2015
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Nathan Heldt-Sheller, Sachin Agrawal, Mats G. Agerstam
  • Publication number: 20160366188
    Abstract: In one embodiment, a method includes receiving a first request from a first device to access a first resource of the system and determining whether to grant access to the first resource based on a first access control list stored in the system, the first access control list associated with the first device, the first device having a first relevance value, and based on the determination, granting the access to the first resource; and receiving a second request from a second device to access a second resource of the system and forwarding the second request to an access manager service coupled to the system to determine whether to grant access to the second resource based on a second access control list stored in the access manager service associated with the second device, the second device having a second relevance value, receiving an access grant from the access manager service and, based thereon, granting the access to the second resource.
    Type: Application
    Filed: September 17, 2015
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Mats G. Agerstam, Nathan Heldt-Sheller
  • Publication number: 20160366136
    Abstract: In one embodiment, a system includes a processor having a first logic to execute in a trusted execution environment, and a storage to store a plurality of access control policies, each of the plurality of access control policies associated with a composite device state of the system and including an access policy for a resource to be protected by the first logic, where the first logic is to apply one or more of the plurality of access control policies to a request for access to the resource, responsive to a matching of the associated composite device state of the one or more access control policies with a current composite device state of the system. Other embodiments are described and claimed.
    Type: Application
    Filed: September 24, 2015
    Publication date: December 15, 2016
    Inventors: Nathan Heldt-Sheller, Ned M. Smith
  • Publication number: 20160364553
    Abstract: In one embodiment, a system comprises: a content provider interface logic to receive a content license from a content provider, the content license to indicate that the system may distribute digital content associated with the content license to one or more devices; an attestation logic to attest a state of a first device; and a key management logic to generate a content key for the first device responsive to a request by the first device for the digital content and attestation of the first device state, and provide the content key to the first device. Other embodiments are described and claimed.
    Type: Application
    Filed: March 15, 2016
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Rajesh Poornachandran, Nathan Heldt-Sheller
  • Publication number: 20160366183
    Abstract: In one embodiment, a system includes: a credential management server to provide credentials to a plurality of computing devices and a plurality of resource servers; a rights management server to grant capability rights to the plurality of computing devices; and an access management server to assign access control policies for a plurality of resources to be protected by the plurality of resource servers. A first resource server may receive a first access request for access to a first resource from a first computing device and send the first access request to the access management server for determination of whether to grant a permission for the access to the first resource. Other embodiments are described and claimed.
    Type: Application
    Filed: May 31, 2016
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Mats G. Agerstam, Nathan Heldt-Sheller
  • Publication number: 20160366111
    Abstract: In one embodiment, a method includes: requesting enrollment of the device with an identity provider, the enrollment including at least one role for the device for a publish-subscribe protocol of a distributed network; receiving a device identity credential from the identity provider and storing the device identity credential in the device; receiving a ticket credential for a first topic associated with a first publisher, the ticket credential including the at least one role for the device; receiving a group key from a key manager for a group associated with the publish-subscribe protocol; and receiving content for the first topic in the device, the content protected by the group key.
    Type: Application
    Filed: September 25, 2015
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Nathan Heldt-Sheller
  • Publication number: 20160366141
    Abstract: In one embodiment, a method includes: presenting, in a user interface of an authoring tool, a plurality of levels of abstraction for a network having a plurality of devices; receiving information from a user regarding a subset of the plurality of devices to be provisioned with one or more security keys and an access control policy; automatically provisioning a key schedule for the subset of the plurality of devices in the network based on the user input and a topological context of the network; and automatically provisioning the access control policy for the subset of the plurality of devices in the network based on the user input and the topological context of the network.
    Type: Application
    Filed: December 26, 2015
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Shao-Wen Yang, Nathan Heldt-Sheller, Thomas G. Willis
  • Publication number: 20160366181
    Abstract: In one embodiment, an apparatus comprises a first logic to receive security attribute information from a plurality of devices, generate a connectivity graph of the plurality of devices based at least in part on the security attribute information and identify an interoperability issue between a first device and a second device based on the connectivity graph. The apparatus may further include a second logic to generate a recommendation to resolve the interoperability issue and a third logic to provide provisioning information to at least one of the first device and the second device based on the recommendation. Other embodiments are described and claimed.
    Type: Application
    Filed: February 17, 2016
    Publication date: December 15, 2016
    Inventors: Ned M. Smith, Rajesh Poornachandran, Nathan Heldt-Sheller
  • Publication number: 20160188848
    Abstract: Technologies for authenticating a user of a computing device based on an authentication context state include generating context state outputs indicative of various context states of a mobile computing device based on sensor data generated by sensors of the mobile computing device. An authentication manager of the computing device implements an authentication state machine to authenticate a user of the computing device. The authentication state machine includes a number of authentication states, and each authentication state includes one or more transitions to another authentication state. Each of the transitions is dependent upon a context state output. The computing device may also include a device security manager, which implements a security state machine that includes a number of security states. Transition between security states is dependent upon the present authentication state of the user. The device security manager may implement a different security function in each security state.
    Type: Application
    Filed: December 27, 2014
    Publication date: June 30, 2016
    Inventors: Ned M. Smith, Nathan Heldt-Sheller, Micah J. Sheller, Kevin C. Wells, Hannah L. Scurfield, Nathaniel J. Goss, Sindhu Pandian, Brad H. Needham