Key Management Patents (Class 380/277)
  • Patent number: 11973617
    Abstract: Systems, methods, and devices of the various embodiments may enable distributed prefix signing by including a signature in a transitive Border Gateway Protocol (BGP) attribute of a new prefix announcement, and sending the new prefix announcement to peer components. The peer components may query an address and routing parameter area (ARPA) record to obtain nameserver information for an entity associated with the received prefix announcement in response to determining that the received prefix announcement includes a transitive BGP attribute that includes the signature, retrieve a public key from a Domain Name System (DNS) text record, and determine whether the signature included in the transitive BGP attribute of the received prefix announcement is valid based on the public key retrieved from the DNS text record.
    Type: Grant
    Filed: October 28, 2021
    Date of Patent: April 30, 2024
    Assignee: Charter Communications Operating, LLC
    Inventors: Jody Lee Beck, Willard Andrew Gray
  • Patent number: 11934516
    Abstract: A non-transitory computer-readable storage medium, a secure application framework, a system, and a computer implemented method for enabling secure processing of data are disclosed. The method comprises steps performed within a secure application framework running in a trusted execution environment. The data encrypted using a first random key are received, the first random key is received in a secure way, and the encrypted data is decrypted using the first random key. The data are then input to the processing application, the processing application is executed to process the input data, and output data are received from the processing application. A second random key is generated, the output data are encrypted using the second random key, the second random key is encrypted using a public key of a storage device, and the encrypted output data and the encrypted second random key are sent to the storage device.
    Type: Grant
    Filed: August 16, 2022
    Date of Patent: March 19, 2024
    Assignee: AXIS AB
    Inventor: Fredrik Hugosson
  • Patent number: 11936782
    Abstract: The performance of quantum key distribution by systems and methods that use wavelength division multiplexing and encode information using both wavelength and polarization of photons of two or more wavelengths. Multi-wavelength polarization state encoding schemes allow ternary-coded digits, quaternary-coded digits and higher-radix digits to be represented by single photons. Information expressed in a first radix can be encoded in a higher radix and combined with a string of key values to produce a datastream having all allowed digit values of that radix in a manner that allows eavesdropping to be detected without requiring the sender and receiver to exchange additional information after transmission of the information.
    Type: Grant
    Filed: February 1, 2023
    Date of Patent: March 19, 2024
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventors: Bertrand F. Cambou, Ines Montano, Ryan Behunin, Vince Rodriguez
  • Patent number: 11902776
    Abstract: Provided is an authentication device capable of generating a master key suited to a UE in a 5GS. The authentication device (10) includes a communication unit (11) configured to, in registration processing of user equipment (UE), acquire UE key derivation function (KDF) capabilities indicating a pseudo random function supported by the UE, a selection unit (12) configured to select a pseudo random function used for generation of a master key related to the UE by use of the UE KDF capabilities, and a key generation unit (13) configured to generate a master key related to the UE by use of the selected pseudo random function.
    Type: Grant
    Filed: December 9, 2022
    Date of Patent: February 13, 2024
    Assignee: NEC CORPORATION
    Inventors: Sheeba Backia Mary Baskaran, Anand Raghawa Prasad, Sivabalan Arumugam, Sivakamy Lakshminarayanan, Hironori Ito, Andreas Kunz
  • Patent number: 11902781
    Abstract: Embodiments of a device and method are disclosed. In an embodiment, a method of communications involves from a wireless sensor deployed at a customer site, connecting to a wireless access point (AP) deployed at the customer site and based on a private key stored in the wireless sensor, performing mutual authentication between the wireless sensor and an authentication server connected to the wireless AP.
    Type: Grant
    Filed: December 19, 2022
    Date of Patent: February 13, 2024
    Assignee: NILE GLOBAL, INC.
    Inventors: Gopal Raman, Suresh Katukam, Promode Nedungadi, Sathish Damodaran, Tjandra Trisno, Avinash Kumar, Steve Alexander
  • Patent number: 11895228
    Abstract: A network device may establish a media access control security (MACsec) key agreement (MKA) session with another network device via a MACsec communication link; establish a fast heartbeat session via the MACsec communication link, between a first packet processing engine of the network device and a second packet processing engine of the other network device, where the fast heartbeat session is to permit the first packet processing engine and the second packet processing engine to exchange fast heartbeat messages via the fast heartbeat session and the MACsec communication link; place an MKA protocol of the MKA session in a pause state until the first packet processing engine detects a rekey event; determine that a key for the MKA session is to be regenerated based on detection of the rekey event; and perform an action based on the rekey event for the MKA session.
    Type: Grant
    Filed: November 22, 2022
    Date of Patent: February 6, 2024
    Assignee: Juniper Networks, Inc.
    Inventors: Baba Syed Mazaz Hussain, Sachin Mutalik Desai
  • Patent number: 11893577
    Abstract: Aspects of the disclosure relate to storing sensitive information. A computing platform may split a signature key into shares, which may be used to regenerate the signature key. The computing platform may encrypt these shares using corresponding SEKs, and may subsequently encrypt the SEKs using corresponding operator keys. The computing platform may distribute the operator keys to user devices via corresponding HSMs. The computing platform may store the encrypted shares, encrypted SEKs, and identifiers of the user devices. The computing platform may receive requests for the encrypted SEKs from the user devices, and may send the respective encrypted SEKs accordingly. The user devices may return, to the computing platform, corresponding decrypted SEKs. The computing platform may use the SEKs to decrypt the encrypted shares, which may then be used to reconstruct the signature key.
    Type: Grant
    Filed: November 24, 2021
    Date of Patent: February 6, 2024
    Assignee: Coinbase, Inc.
    Inventors: Jeremy Suurkivi, Andrew Pau, Jayasudha Jayakumaran
  • Patent number: 11888983
    Abstract: Examples described herein relate to systems, apparatuses, methods, and non-transitory computer-readable medium for recovering a session object associated with a secure session established by a security protocol server, including receiving, by a recovery server, an encrypted session object from the security protocol server, wherein the encrypted session object is unique to the secure session, generating, by the recovery server, a recovery key based on a first initial key and a recovery key sequence number, wherein the recovery key sequence number corresponds to a number of times that secure sessions have been established since the first initial key is received by the security protocol server, and decrypting, by the recovery server, the encrypted session object using the recovery key to generate the session object associated with the secure session.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: January 30, 2024
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11882218
    Abstract: A matching apparatus generates a random number and transmits second encrypted data obtained by performing an operation of first encrypted data of each of first values related to a first binary vector encrypted and the random number to a matching request apparatus; transmits third encrypted data obtained by performing an operation of the second encrypted data and elements of a matching target second binary vector; based on a second value related to the first binary vector encrypted with the encryption key, the encrypted data and the random number, generates and transmits encrypted data and transmits the generated data to a verification apparatus as a query; and determines whether a count number of mismatched elements between the second binary vector and the first binary vector is less than or equal to a predetermined number based on values obtained by decrypting the encrypted data in the query.
    Type: Grant
    Filed: August 9, 2021
    Date of Patent: January 23, 2024
    Assignee: NEC CORPORATION
    Inventors: Haruna Higo, Toshiyuki Isshiki
  • Patent number: 11870898
    Abstract: A system for split keys for wallet recovery includes an interface configured to receive a request to recover a user private key, and a processor configured to provide a request to a credential issuing authority for a first encrypted recovery key share, wherein the request includes a first identification credential, receive the first encrypted recovery key share from the credential issuing authority, provide a request to a trusted organization for a second encrypted recovery key share, wherein the request includes a second identification credential, receive the second encrypted recovery key share from the trusted organization, combine the first encrypted recovery key share and the second encrypted recovery key share to determine a recovered encryption key, and determine the user private key using the recovered encryption key.
    Type: Grant
    Filed: May 21, 2020
    Date of Patent: January 9, 2024
    Assignee: Workday, Inc.
    Inventors: Bjorn Hamel, Prakash Sundaresan
  • Patent number: 11863977
    Abstract: A key generation method includes a user plane network function and a terminal device obtaining key update information sent by each other. The user plane network function updates, by using the obtained key update information, a sub-key derived from a permanent key, to obtain a new protection key. The terminal device updates, by using the obtained key update information, a sub-key derived from the permanent key, to obtain a new protection key. The terminal device and the user plane network function perform, by using the new protection key, security protection on user plane data transmitted between the terminal device and the user plane network function.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: January 2, 2024
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Zhongding Lei, Haiguang Wang, Xin Kang
  • Patent number: 11841985
    Abstract: Methods and systems for implementing security operations in an input/output (I/O) device are disclosed. In an embodiment, an I/O (Input/Output) device involves an I/O port, a host bus configured to be connected to a host, a data processing pipeline within the I/O device coupled to the I/O port and to the host bus to process and forward data between the I/O port and the host bus, and a hardware security module (HSM) within the I/O device coupled to the host bus and to the data processing pipeline, the HSM comprising a crypto engine configured to encrypt and decrypt data of the data processing pipeline, and a secure key storage coupled to the crypto engine containing encryption keys for use in encrypting and decrypting packets, wherein the secure key storage contains keys that are encrypted by the HSM and that are accessible through the HSM.
    Type: Grant
    Filed: September 3, 2020
    Date of Patent: December 12, 2023
    Assignee: Pensando Systems Inc.
    Inventors: Enrico Schiattarella, David Antony Clear, Vipin Jain
  • Patent number: 11831687
    Abstract: A remote attestation system for a computer network includes an attestation operations subsystem configured to manage attestation procedures for the remote attestation system, and an attestation server pool including a plurality of attestation servers. The plurality of attestation servers is configured to perform attestation of at least one host in a data center. The system further includes an attestation state database configured to store a state of attestation of the at least one host, an attestation policy database configured to store at least one operator policy of the computer network, and an end-user service portal configured to provide access to the remote attestation system by users of the computer network.
    Type: Grant
    Filed: October 13, 2022
    Date of Patent: November 28, 2023
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Steven J. Goeringer, Igor Faynberg, Donald E. A. Clarke
  • Patent number: 11824990
    Abstract: Systems and methods for verifying proofs generated from shared data without revealing the shared data are provided. In one aspect, a method comprises receiving, from a first node, a first proof generated from a first private key associated with the first node and data shared between the first node and a second node; receiving, from the second node, a second proof generated from a second private key associated with the second node and the shared data; verifying, without revealing the shared data, the first proof and the second proof were both generated from the shared data with a first public key mathematically related to the first private key, and a second public key mathematically related to the second private key; and performing an action based on the verification of the first proof and the second proof both being generated from the shared data.
    Type: Grant
    Filed: May 17, 2022
    Date of Patent: November 21, 2023
    Assignee: Dapper Labs, Inc.
    Inventor: Tarek Ben Youssef
  • Patent number: 11816240
    Abstract: A self-modifying data container for improved data security and methods of use are disclosed. The self-modifying data container includes a data storage structure for storing financial transaction information. The self-modifying data container also includes a data manager stored as code within the container. The data manager can run on a system hosting the self-modifying data container. The data manager can access transaction information in the data storage structure and modify the data in response to modification triggers. The data manager can delete data in the data storage structure. The data manager can also encrypt data in the data storage structure. The self-modifying data container improves both data security and data privacy.
    Type: Grant
    Filed: November 24, 2020
    Date of Patent: November 14, 2023
    Assignee: United Services Automobile Association (USAA)
    Inventors: Michael J. Maciolek, Timothy Frank Davison, Donnette L. Moncrief Brown, Bryan J. Osterkamp, Kori Rochelle Newman, Brian Francisco Shipley, Eric David Schroeder, Robert Wiseman Simpson, Manfred Amann
  • Patent number: 11811741
    Abstract: A first terminal holds first encrypted data encrypted by using a first key by a first encryption scheme having determinism and commutativity, a second terminal holds second encrypted data encrypted by using a second key by the first encryption scheme, the first terminal transmits the first encrypted data to the second terminal, the second terminal transmits the second encrypted data to the first terminal, the first terminal generates third encrypted data by encrypting the second encrypted data by using the first key by the first encryption scheme, the third encrypted data is transmitted to the second terminal, the second terminal decrypts the third encrypted data with the second key, and calculates a common part between the second encrypted data and the decrypted third encrypted data, and transmits the common part to the first terminal, and the first terminal decrypts the common part with the first key.
    Type: Grant
    Filed: September 3, 2021
    Date of Patent: November 7, 2023
    Assignee: Hitachi, Ltd.
    Inventors: Hisayoshi Sato, Masayuki Yoshino
  • Patent number: 11811922
    Abstract: A key generation device for a vehicle-internal communication system and a method for the vehicle-internal management of cryptographic keys comprises providing at least one secret for a vehicle-internal key generation device and generation of at least one new cryptographic key by the vehicle-internal key generation device on the basis of the at least one secret. The generation and providing of the at least one new cryptographic key takes place autonomously and is triggered by a key-exchange event, or a combination of key-exchange events. The key-exchange event may be one of a vehicle-internal change, an environmental change and a security key.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: November 7, 2023
    Assignee: Continental Teves AG & Co. OHG
    Inventors: Marc Sebastian Patric Stöttinger, Patrick Thomas Michael Klapper
  • Patent number: 11799726
    Abstract: Some embodiments provide a method for distributing a service rule that is to be enforced across a first set of sites and that is defined by reference to a group identifier that identifies a group of machines. The method distributes the service rule to each site in the first set of sites. The method identifies at least one site in the first set of sites that is not in a second set of sites that has already received a definition of the group. The method distributes the group definition to each identified site in the first set of sites that has not already received the definition of the group.
    Type: Grant
    Filed: June 19, 2020
    Date of Patent: October 24, 2023
    Assignee: VMWARE, INC.
    Inventors: Ganesan Chandrashekhar, Pankaj Thakkar, Sachin Mohan Vaidya, Ujwala Kawalay, Amarnath Palavalli, Bhagyashree Gujar
  • Patent number: 11799633
    Abstract: The present application discloses a method, system, and computer system for managing data using keys. The method includes receiving a request to access data stored within a tenant database associated with a tenant, wherein the data is encrypted based at least in part on a tenant service encryption key (TSEK) corresponding to the tenant database, determining a wrapper key used in connection with encrypting the TSEK based at least in part on a TSEK metadata stored in association with the TSEK, determining a top-level key used in connection with encrypting the wrapper key based at least in part on wrapper key metadata stored in association with the encrypted version of the wrapper key, obtaining the data stored within the tenant database, comprising decrypting at least part of the data based at least in part on (i) the TSEK, (ii) the wrapper key, and (iii) the top-level key, and providing the data in response to the request. The TSEK metadata is stored in the tenant database.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: October 24, 2023
    Assignee: Workday, Inc.
    Inventors: Miguel Leonardo Chinchilla Cartagena, Karina Si-Woon Chan, Aswani Kaushik Chimthapalli, Michael Clarke, Amol Anant Deshmukh, Subha Gopalakrishnan, Bjorn Brook Hamel, Louis James LaTouche, Atlee Glen Lyden, Marcus Anthony Sanchez, Jasmine Teresa Schladen, Devaki Ajinkya Tarkunde, Harrison Yu
  • Patent number: 11790050
    Abstract: A device may not trust another device with which it is in communication. To establish trust, a first device may send a second device an indication of signed code that is stored in a protected memory of the first device. Based on determining that the first device is a trusted device, the second device may send the first device an encrypted content asset, a decryption key associated with the content asset, and/or an encryption key associated with the content asset.
    Type: Grant
    Filed: July 11, 2022
    Date of Patent: October 17, 2023
    Assignee: Comcast Cable Communications, LLC
    Inventor: Andrew Morrow
  • Patent number: 11790106
    Abstract: Systems and methods utilized to protect data. One method includes maintaining, by a first processing circuit in a production database of a production environment system, ciphertext data associated with a cryptographic function, wherein the production environment system corresponds to a first access level. The method further includes masking, by a second processing circuit in a middle environment system, the ciphertext data using a masking function to generate alternate ciphertext data, wherein the middle environment system is a proxy and communicably coupled with the production environment system over a secure network. The method further includes decrypting, by the second processing circuit in the middle environment system, the alternate ciphertext data utilizing a symmetric key to generate masked cleartext data, and storing, by the second processing circuit in a lower environment system, the masked cleartext data in a lower database, wherein the lower environment system corresponds to a second access level.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: October 17, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Jeff J. Stapleton
  • Patent number: 11777716
    Abstract: Embodiments of the present invention disclose a key exchange method and apparatus. A network device acquires a first key, and sends a message including the first key to a second user equipment, so that the second user equipment uses, when communicating with a first user equipment by using a D2D link, the first key to protect transmitted information.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: October 3, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Dongmei Zhang, Jing Chen
  • Patent number: 11777714
    Abstract: The foundation of Matrix Encryption is a discrete function called the Modified Combinatorial Batch Decimation Function (CBDF-Mod) and its asymmetric inverse (CBDI-Mod). Herein we disclose the nature of Matrix Encryption, an encryption technology built upon these two discrete functions, together with their shared, Secondary Variable Functions. Matrix Encryption implements a block encryption with arbitrary block size dependent upon the length of text to be encrypted, thereby allowing for keys of user desired length and for the surpassing of industry standards of security. A Master Key may be used to generate a Key Set containing keys of appropriate length for any data presented above a minimum length, up to a length corresponding to the length of a message for which the Master Key is appropriate. Matrix Encryption reads and writes numerically encrypted text to text files as designated by the user.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: October 3, 2023
    Inventor: Watson Knox Williams, Jr.
  • Patent number: 11777710
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for cryptography using different sized symbol sets. To protect against a brute force or other similar type of attack, multiple symbol sets having different sizes can be used for encrypting/decrypting data. For example, different portions of the data (e.g., data blocks representing multiple symbols, set of bits representing a single symbol) may be encrypted/decrypted using different symbol sets that include different numbers of unique symbols. Using different sized symbol sets adds additional complexity to the encryption process, thereby greatly increasing the difficulty in decrypting the encrypted data with a brute force attack.
    Type: Grant
    Filed: September 28, 2022
    Date of Patent: October 3, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amer Aref Hassan, Whitney J Giaimo, Roy D. Kuntz
  • Patent number: 11770358
    Abstract: Presented herein are embodiments of mechanisms to add security in the communication of messages between devices, particularly in the context of VXLAN (Virtual eXtensible Local Area Network (LAN)) environments. When a VXLAN device sends a multicast message to discover other devices in the network, there are possibilities for rogue devices to respond and then receive data that is not intended for them. In one or more embodiments, information handling systems operating as a VTEP (VXLAN tunnel endpoint) may use enhanced encryption that is shared with other authorized VTEPs—but not shared with rogue VTEP devices—to verify other authorized VTEPs. In one or more embodiments, information used to verify a VTEP device is included in the message, such as included in the header, which a properly configured receiving VTEP will recognize and use to verify that that sending VTEP is not a rogue device.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: September 26, 2023
    Assignee: DELL PRODUCTS L.P.
    Inventor: Syed Inayethulla
  • Patent number: 11743766
    Abstract: A method, apparatus and system for transmitting control information in a header of a physical protocol data unit (PPDU), such as an IEEE 802.11 compliant PPDU. Embodiments include indicating control features in an EDMG PPDU for Wireless LAN communications. The method and system may include overloading at least one bit of a Scrambler Initialization Field in the PPDU header (e.g. the PHY header) to convey control information, as well as to be used to initialize the scrambler shift register. The same header bits are thus used for both purposes. Examples of control information include a primary channel, channel width or MIMO configuration to be used in further communication.
    Type: Grant
    Filed: April 27, 2022
    Date of Patent: August 29, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Yan Xin, Sheng Sun, Osama Aboul-Magd, Kwok Shum Au, Jung Hoon Suh
  • Patent number: 11740972
    Abstract: Methods and apparatus for use in a storage network operate by: storing, in a first storage unit of a first set of storage units of the storage network, a first encoded data slice corresponding to at least one data object; assigning one or more additional storage units to the storage network to form a second set of storage units, the second set of storage units including the one or more additional storage units; migrating the first encoded data slice from the first storage unit to at least one of the one or more additional storage units of the second set of storage units; and reallocating a mapping of the first encoded data slice from the first storage unit to the at least one of the one or more additional storage units of the second set of storage units.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: August 29, 2023
    Assignee: Pure Storage, Inc.
    Inventors: Ravi V. Khadiwala, Greg R. Dhuse, Manish Motwani, Jason K. Resch, Ilya Volvovski
  • Patent number: 11743033
    Abstract: A system for a vehicle includes a computer, a first electronic control module, and a wired vehicle communications network coupling the computer and the first electronic control module. The computer is programmed to transmit authentication keys to the first electronic control module and a plurality of second electronic control modules via the wired vehicle communications network, encrypt a table of the authentication keys using a first key, store the encrypted table, transmit the encrypted table to the first electronic control module via the wired vehicle communications network, and transmit the encrypted table and the first key to a remote server spaced from the wired vehicle communications network.
    Type: Grant
    Filed: February 9, 2021
    Date of Patent: August 29, 2023
    Assignee: Ford Global Technologies, LLC
    Inventors: Venkata Kishore Kajuluri, Xin Ye, Bradley Warren Smith
  • Patent number: 11736592
    Abstract: In some aspects, the disclosure is directed to methods and systems for synchronized multi-client content delivery, and a content selection system based on individual and aggregated scores for the content items, to generate bundles or sets of content items having approximately corresponding scores. Server timers and local timers on client devices may be synchronized via notifications, and timer durations dynamically adjusted when client requests and responses are sent prior to client-side timer expiration, but received after server-side timer expiration, indicating communication latency has caused desynchronization. Timers may be adjusted on a global basis or per-client device basis. Through scoring and bundling, sets of content items that may be relevant to approximately an equal share of the recipient client devices may be selected and transmitted.
    Type: Grant
    Filed: September 9, 2021
    Date of Patent: August 22, 2023
    Assignee: DraftKings, Inc.
    Inventors: Nathan Giacalone, Ryan McCullough, Sumanth Reddy, Brandon Ward, Andrew Busch
  • Patent number: 11736458
    Abstract: A method for managing information handling systems includes obtaining, by a stackable system role (SSR) manager of an information handling system, an SSR instruction, performing an encoding on the SSR instruction using a public key to obtain an encoded instruction value, providing an encoded SSR instruction to a local hardware resource manager of the information handling system, wherein the encoded SSR instruction comprises the SSR instruction and the encoded instruction value, obtaining, from the hardware resource manager, a response, wherein the response specifies whether the encoded SSR instruction is valid, and based on the response, initiating an execution of the SSR instruction.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: August 22, 2023
    Assignee: Dell Products L.P.
    Inventors: Lucas Avery Wilson, Dharmesh M. Patel
  • Patent number: 11728965
    Abstract: A fully homomorphic white-box implementation of one or more cryptographic operations is presented. This method allows construction of white-box implementations from general-purpose code without necessitating specialized knowledge in cryptography, and with minimal impact to the processing and memory requirements for non-white-box implementations. This method and the techniques that use it are ideally suited for securing “math heavy” implementations, such as codecs, that currently do not benefit from white-box security because of memory or processing concerns. Further, the fully homomorphic white-box construction can produce a white-box implementation from general purpose program code, such as or C++.
    Type: Grant
    Filed: April 20, 2021
    Date of Patent: August 15, 2023
    Assignee: ARRIS Enterprises LLC
    Inventor: Lex Aaron Anderson
  • Patent number: 11728977
    Abstract: An encoder includes a computer readable storage medium storing program instructions, and a processor executing the program instructions, the processor configured to generate a key, estimate a network capacity, and encode each bit of the key using a random matrix of a selected rank and the estimated network capacity for secure transmission of the key through a network.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: August 15, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Xin Hu, Wentao Huang, Jiyong Jang, Theodoros Salonidis, Marc Ph Stoecklin, Ting Wang
  • Patent number: 11722299
    Abstract: Embodiments of the present invention include a computer program product, a computer-implemented method, and a system, where program code executing on one or more processors (on a client) obtains, from a host within a secure environment, data stored on the host. To obtain the data, the processor(s) establishes a communications connection to a computing resource in the secure environment and authenticates to the computing resource to obtain a key. The processor(s) intercepts the data, encrypts the data, with the key, and stores the encrypted data on a buffer accessible to the client.
    Type: Grant
    Filed: January 22, 2021
    Date of Patent: August 8, 2023
    Inventors: Daniel R. Kerr, Omer Akgul
  • Patent number: 11722294
    Abstract: A communication device includes: a counter, a pseudo-random number generator, a symbol generator, a modulator, and a controller. The counter counts symbols transmitted to a correspondent device. The pseudo-random number generator generates a pseudo-random number corresponding to a count value of the counter. The symbol generator generates a transmission symbol from a transmission signal and the pseudo-random number. The modulator generates a modulated signal from the transmission symbol. When a disruption of a communication with the correspondent device is detected, the controller selects, from among a plurality of restoring times determined in advance, a restoring time for resuming the communication, and gives the counter a count value assigned in advance to the selected restoring time. The counter resumes a counting operation from the count value given from the controller when the communication device resumes a communication with the correspondent device.
    Type: Grant
    Filed: December 4, 2021
    Date of Patent: August 8, 2023
    Assignee: FUJITSU LIMITED
    Inventors: Shoichiro Oda, Setsuo Yoshida
  • Patent number: 11709966
    Abstract: A method for recording input text that is input in an input field of a webpage, the method comprising: providing the webpage to a client device, by processing circuitry, the webpage comprising: (a) the input field, and (b) instructions executable by web-accessing software for recording the input text; and wherein execution of the instructions results in: identification of masking information in the input text, if any, the masking information being information in the input text to be masked; and if the masking information is identified, masking of the masking information prior to the recording of the input text, so that the masking information is masked when recorded.
    Type: Grant
    Filed: November 1, 2020
    Date of Patent: July 25, 2023
    Assignee: GLASSBOX LTD.
    Inventors: Yaron Gueta, Roman Goldstain, Roi Schragenheim
  • Patent number: 11698986
    Abstract: Method and system disclosed herein facilitate retrieval of a blockchain key. The method comprises receiving a key store comprising a first encryption method, a second encryption method, and identification information of one or more network nodes storing a plurality of encrypted storage keys; displaying an authentication request and receiving an input from the user in response to the authentication request; upon the input received matching a record within a database, instructing the one or more network nodes to transmit the encrypted key segments; decrypting each encrypted key segment based on the first encryption method; and generating a blockchain key by appending the strings of the key segments based on the second encryption method.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: July 11, 2023
    Assignee: Massachusetts Mutual Life Insurance Company
    Inventors: Michal Knas, Jiby John, Rick Ferry, Krzysztof Gibadlo
  • Patent number: 11695555
    Abstract: A system uses information submitted in connection with a request to determine if and how to process the request. The information may be electronically signed by a requestor using a key such that the system processing the request can verify that the requestor has the key and that the information is authentic. The information may include information that identifies a holder of a key needed for processing the request, where the holder of the key can be the system or another, possibly third party, system.
    Type: Grant
    Filed: May 7, 2020
    Date of Patent: July 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
  • Patent number: 11683156
    Abstract: A computer-implemented method according to one embodiment includes receiving at an encryption daemon a key request from a storage device; implementing, by the encryption daemon, a secure communications channel between the encryption daemon and an encryption key server; sending the key request from the encryption daemon to the encryption key server, utilizing the secure communications channel; receiving, from the encryption key server at the encryption daemon, an encrypted response, utilizing the secure communications channel; decrypting, by the encryption daemon, the encrypted response to obtain the requested key, and sending the requested key from the encryption daemon to the storage device.
    Type: Grant
    Filed: July 9, 2019
    Date of Patent: June 20, 2023
    Assignee: International Business Machines Corporation
    Inventors: Duke Andy Lee, Jeffrey Wayne Pilch
  • Patent number: 11683161
    Abstract: Computer-readable media, methods, and systems are disclosed for managing group-level database encryption keys under group-level encryption in a database management system. Upon startup of the database management system, persisted database entries are sequentially processed to produce an in-memory data structure comprising a set of encryption group identifier metadata tuples having an encryption group identifier and a valid-from save point cycle version. The set of encryption group identifier metadata tuples is mapped to a set of key identifier tuples including a local secure store identifier and a group-level encryption key identifier. A set of group-level encryption keys is received from a key management system, according to which a group-level encryption key is mapped to each encryption group identifier metadata tuple.
    Type: Grant
    Filed: May 28, 2021
    Date of Patent: June 20, 2023
    Assignee: SAP SE
    Inventor: Dirk Thomsen
  • Patent number: 11671411
    Abstract: A streaming one time Pad cipher using a One Time Pad (OTP) provides secure data storage and retrieval. The data that is encrypted using the one time pad is stored in a repository that is separate from the generation and/or storage for the one time pad.
    Type: Grant
    Filed: November 10, 2021
    Date of Patent: June 6, 2023
    Assignee: Introspective Power, Inc.
    Inventors: Anthony Scott Thompson, Steven Paul Cummings, Margaret A. Philpot, Brian E. Meilke
  • Patent number: 11664977
    Abstract: A method performed by one or more network node(s) of a wireless telecommunications network to dynamically manage encryption keys for multiple narrowband Internet of Things (NB-IoT) devices of the network. The network node(s) can maintain a database that stores a device profile for each of the NB-IoT devices and obtain multiple encryption keys for the multiple NB-IoT devices. The encryption keys are associated with different encryption strengths ranging from high to ultra-low encryption strengths. The network node(s) can allocate the encryption keys to the NB-IoT devices, detect a change in the condition of the network, capability or communications service of NB-IoT devices, and refresh the encryption keys accordingly to ensure that the network nodes properly balance encryption while providing efficient network performance.
    Type: Grant
    Filed: July 31, 2020
    Date of Patent: May 30, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Venson Shaw
  • Patent number: 11665539
    Abstract: A public key of a sensor node key pair is transmitted from a sensor node 22 to a server 20 via sensor network communication, and furthermore is transmitted from the server 20 to a mobile terminal 25 via mobile line communication. In addition, a public key of a mobile terminal key pair is transmitted from the mobile terminal 25 to the sensor node 22 through local communication. Thus, the configuration allows the sensor node 22 and the mobile terminal 25 to generate a common key by combining their own private key and the public key of the counterpart in order to encrypt the local communication by using this common key.
    Type: Grant
    Filed: March 18, 2019
    Date of Patent: May 30, 2023
    Assignee: Hitachi Kokusai Electric Inc.
    Inventor: Satoru Yasui
  • Patent number: 11658812
    Abstract: A distributed key management system (KMS) includes a central KMS server and multiple intermediate KMS servers. The central KMS server replicates managed keys to the intermediate KMS servers. An intermediate KMS server receives a KMS service request from a KMS client, where any of the intermediate KMS servers are capable of servicing the request. The intermediate KMS server performs the action requested if it has access to the necessary managed key and returns the response to the KMS client. If it does not have access to the necessary managed key, the intermediate KMS server transmits a request for the managed key to the central KMS server. The intermediate KMS server receives the managed key, performs the action requested, and returns the response to the KMS client.
    Type: Grant
    Filed: September 29, 2022
    Date of Patent: May 23, 2023
    Assignee: CLOUDFLARE, INC.
    Inventors: Derek Chamorro, Michael Pak, Ignat Korchagin, Chase Robinson
  • Patent number: 11646884
    Abstract: An indication that a secure connection has been established with a key management service is received. The secure connection is associated with an automatically generated session encryption key utilized for encryption of data communication through the secure connection. In response to the indication that the secure connection has been established with the key management service, a determination is made to perform a rotation of a local encryption key utilized in encrypting locally stored data. The rotation of the local encryption key is performed based at least in part on the automatically generated session encryption key.
    Type: Grant
    Filed: June 4, 2021
    Date of Patent: May 9, 2023
    Assignee: ServiceNow, Inc.
    Inventor: Ashton Mozano
  • Patent number: 11637696
    Abstract: In one implementation, a method for providing end-to-end communication security for a controller area network (CANbus) in an automotive vehicle across which a plurality of electronic control units (ECU) communicate is described. Such an automotive vehicle can include, for example, a car or truck with multiple different ECUs that are each configured to control various aspects of the vehicle's operation, such as an infotainment system, a navigation system, various engine control systems, and/or others.
    Type: Grant
    Filed: March 8, 2022
    Date of Patent: April 25, 2023
    Assignee: KARAMBA SECURITY LTD.
    Inventors: Tal Efraim Ben David, Assaf Harel, Amiram Dotan, David Barzilai, Eli Mordechai
  • Patent number: 11638317
    Abstract: According to one embodiment, an electronic apparatus includes a transmitter. The transmitter transmits data to be transmitted to a third wireless communication apparatus and a first wireless signal to instruct transmission of the data to the third wireless communication apparatus, to the first and second wireless communication apparatuses. The transmitter transmits, if any second wireless signal transmitted from the first or second wireless communication apparatuses is not detected within a first period after transmission of the first wireless signal, a third wireless signal to instruct transmission of the data to the third wireless communication apparatus to the first and second wireless communication apparatuses in order to instruct retransmission of the data.
    Type: Grant
    Filed: September 1, 2020
    Date of Patent: April 25, 2023
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Tatsuma Hirano, Toshio Ariga, Masahiro Sekiya, Toshihisa Nabetani
  • Patent number: 11626975
    Abstract: In a system comprising a customer providing a service to a plurality of client devices, a method and system for providing a customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: April 11, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
  • Patent number: 11626984
    Abstract: A cryptographic acceleration card generates, using an attribute unique to a blockchain integrated station that comprises the cryptographic acceleration card, an identity private key for the blockchain integrated station. The cryptographic acceleration card generates a private key ciphertext by encrypting the identity private key. The cryptographic acceleration card stores the private key ciphertext.
    Type: Grant
    Filed: June 29, 2021
    Date of Patent: April 11, 2023
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventors: Changzheng Wei, Peng Wu, Ying Yan, Hui Zhang, Changhua He, Zongru Zhan
  • Patent number: 11625496
    Abstract: Provided is a method for securing a digital document. An initial version of the digital document contains a set of data. The method comprises: generating a link value by applying a preset function to a subset of the set of data, allocating the link value to a target data belonging to the set of data and storing an entry comprising the target data in a secure storage unit, the target data being reachable in the secure storage unit through the link value, the secure storage unit being configured to use access rules for authorizing or denying a request initiated by a user and aiming at accessing the target data comprised in said entry, and generating an updated version of the digital document by removing the target data from the initial version of the digital document.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: April 11, 2023
    Inventors: Christopher Holland, Russell Egan
  • Patent number: 11611435
    Abstract: A cryptographic key of a first instance of a group of one or more cloud nodes providing a service is managed. A request to share the cryptographic key with a second instance of a different group of one or more cloud nodes is received. A determination is made whether the second instance is allowed to access the cryptographic key. In response to a determination that the second instance is allowed to access the cryptographic key, the cryptographic key is encrypted with a target key of the second instance and the encrypted cryptographic key is signed using a cryptographic signature of the first instance. The signed encrypted cryptographic key is provided to the second instance.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: March 21, 2023
    Assignee: ServiceNow, Inc.
    Inventors: Shicheng Zhang, Huiqing Wen, Gregory Frederick Gibsen, Shu-Wei Hsu, Pierre Francois Rohel