Abstract: A method includes determining, by a persistent memory lockstep unit of a hardware security module, that a first processor is attempting to change a state of the hardware security module. The method also includes determining, by the persistent memory lockstep unit, whether a second processor has attempted the same change. The method also includes preventing the change until both the first processor and the second processor have attempted the same change. The method also includes permitting the change to the state of the hardware security module based on a determination that both the first processor and the second processor have both attempted the same change.

Abstract: A method includes determining, by a persistent memory lockstep unit of a hardware security module, that a first processor is attempting to change a state of the hardware security module. The method also includes determining, by the persistent memory lockstep unit, whether a second processor has attempted the same change. The method also includes preventing the change until both the first processor and the second processor have attempted the same change. The method also includes permitting the change to the state of the hardware security module based on a determination that both the first processor and the second processor have both attempted the same change.

Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.

Abstract: Systems and methods are provided for preserving data in a data deduplication system. A hash tree-based deduplication system balancing memory utilization and duplication-related storage access overhead is disclosed. The system preferably relies on distributed file system infrastructure and the system modifies this infrastructure. The data structures may be adapted to accommodate file-block distribution properties at runtime, such as runtime-specializing the hash tree to detect replicated chunks.

Abstract: A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10).

Abstract: Embodiments are directed to an IC device comprising a set of N elements, and an interconnect system for enabling communication between the set of elements. Each element of the set of elements is configured according to a first communication plan to receive attestation data of each other element of the set of elements. Upon receiving the attestation data the element may determine whether each of the received attestation data from the other elements match an attestation pattern as defined in the first communication plan. In case the received attestation data match the first communication plan, the element may determine whether the received attestation data is attested by N?1 elements of the set of elements. In case the attestation data is attested by N?1 elements of the set of elements, the element may indicate the presence of the set of elements before the time interval has lapsed.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: A machine instruction is provided that includes an opcode field to provide an opcode, the opcode to identify a perform pseudorandom number operation, and a register field to be used to identify a register, the register to specify a location in memory of a first operand to be used. The machine instruction is executed, and execution includes for each block of memory of one or more blocks of memory of the first operand, generating a hash value using a 512 bit secure hash technique and at least one seed value of a parameter block of the machine instruction; and storing at least a portion of the generated hash value in a corresponding block of memory of the first operand, the generated hash value being at least a portion of a pseudorandom number.

Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.

Abstract: A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10).

Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.

Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.

Abstract: Managing transfer of device ownership is provided. A digitally signed state change request for a device that includes at least one of a new device owner, a new designated successor device owner, and a new device ownership reversibility control bit is accepted. A stored state for the device that includes at least one of a current device owner, a previous device owner, a designated successor device owner, and a current device ownership reversibility control bit is read. The previous device owner is replaced with the current device owner, the current device owner is replaced with the new device owner, the designated successor device owner is replaced with the new designated successor device owner, and the new device ownership reversibility control bit is set in response to the new device ownership reversibility control bit being included in the digitally signed state change request.

Abstract: An instruction configured to perform a plurality of functions is executed. Based on a function code associated with the instruction having a selected value, one or more inputs of the instruction are checked to determine which one or more functions of the plurality of functions are to be performed. Based on a first input of the one or more inputs having a first value, a function of providing raw entropy is performed, in which the providing of raw entropy includes storing a number of raw random numbers. Further, based on a second input of the one or more inputs having a second value, a function of providing conditioned entropy is provided, in which the providing of conditioned entropy includes storing a number of conditioned random numbers.

Abstract: A machine instruction is provided that has associated therewith an opcode to identify a perform pseudorandom number operation, and an operand to be used by the machine instruction. The machine instruction is executed, and execution includes obtaining a modifier indicator. Based on the modifier indicator having a first value, performing a deterministic pseudorandom number seed operation, which includes obtaining seed material based on information stored in the second operand. A selected hash technique and the seed material are used to provide one or more seed values, and the one or more seed values are stored in a parameter block.

Abstract: Embodiments include method, systems and computer program products for secure logging of host security module. In some embodiments, an event may be received. The event may include data to be written to a secure log file. A hash may be generated using data of the event. The hash may be stored in a first field of an event record associated with the event. The event record may be stored in the secure log file. The hash may be stored in a second field of a next event record in the secure log file.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate Bit by using a Clock Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.

Abstract: Aspects of present disclosure relate to random number generator, a method and a computer program product of improving entropy quality of the random number generator. The method may include: receiving, at an input/output interface module of the random number generator, a request to generate a random number having a predetermined number of random bits, and starting a random bit generating loop to generate each of the random bits of the random number to be generated. In certain embodiments, random bit generating loop may include: incorporating a CPU_Time as a randomness factor in generating random number to improve entropy quality, including non-deterministic memory-subsystem latencies in entropy extraction, such as those introduced by unpredictable cache movements, generating a Candidate_Bit by using a Clock_Time, and generating a random bit for random number by using a von Neumann unbiasing analysis module, until every random bits of the random number is generated.