Abstract: A computerized method supporting SSL-based or TLS-based communications with multiple cryptographically protected transmissions is described. Responsive to a first transmission including a first content encrypted with a public key of an intended recipient and a first digital signature for use in detect tampering to the first content, a second transmission is received. The second transmission includes a combined result including the first content and a second content, which is encrypted with a public key of the sender. Recovery of the first content verifies to the sender that the second transmission originated from the intended recipient. Thereafter, a third transmission is sent. The third transmission has data including at least the second content, being the remaining data after extraction of the first content from the combined result, which is encrypted with the public key of the intended recipient and a third digital signature for use in verifying non-tampering of the data.

Abstract: A method for processing data in a blockchain. It aims at securely storing data issued from devices and going through a service platform by ensuring integrity and authenticity of the data. To this end, a list of device identifiers may by associated with respective decryption means in a blockchain platform. Upon reception of a message comprising encrypted data and comprising a device identifier, the blockchain platform decrypts the first encrypted data using the decryption means that are associated with the device identifier. The decrypted data is then hashed and stored in the blockchain.

Abstract: Disclosed is a system for delegating access of sensitive information by a user device to a requestor device through a central server. A receiving module receives a first token Identification (ID) generated by the user device in an offline mode and a request, comprising a second token ID, from the requestor device. A validation module validates the request by comparing the first token ID and the second token ID. An identification module identifies a subset of the sensitive information based on a profile of the requestor, when the first token ID is matched with the second token ID. A watermarking module watermarks the subset of the sensitive information with a set of variables to generate watermarked sensitive information. Upon generating the watermarked sensitive information, the access delegation module delegates the access of the watermarked sensitive information to the requestor device.

Abstract: There is provided a new IWF SMC procedure for establishing security association between an MTC UE (10) and an MTC-IWF (20). The MTC-IWF (20) sends to the UE (10) at least an algorithm identifier which instructs the UE (10) to select one of algorithms for deriving a root key (K_iwf). The UE (10) derives the root key (K_iwf) in accordance with the selected algorithm, and derives at least a subkey for checking the integrity of messages transferred between the UE (10) and the MTC-IWF (20) by using the derived root key (K_iwf). The UE (10) protects uplink messages transmitted to the MTC-IWF (20) with the derived subkey. The MTC-IWF (20) protects downlink messages transmitted to the UE (10) with the same subkey derived at a core network.

Abstract: An operation apparatus and method for processing a homomorphic encrypted message are disclosed. The method includes producing an approximate polynomial corresponding to an operation function to be applied to a homomorphic encrypted message and approximately operating the homomorphic encrypted message using the approximate polynomial. Thus, an encrypted message may be efficiently processed.

Abstract: Technologies for key management of internet-of-things (IoT) devices include an IoT device, an authority center server, and a group management server. The IoT device is configured to authenticate with an authority center server via an offline communication channel, receive a group member private key as a function of the authentication with the authority center server, and authenticate with a group management server via a secure online communication channel using the group member private key. The IoT device is further configured to receive a group shared key as a function of the authentication with the group management server, encrypt secret data with the group shared key, and transmit the encrypted secret data to the group management server. Other embodiments are described herein.

Abstract: The method provided in the embodiments of this application includes: obtaining, by a server, a first key (Ksm) shared with a gateway; receiving, by the server, an encrypted first random factor (Rand-M-Encry), a first data digest (Data-Hash), and encrypted first data (Data-Encry) that are sent by a terminal; decrypting, by the server, the Rand-M-Encry by using the Ksm, to obtain a second random factor (Rand-M?); performing, by the server, an operation on the Rand-M? and Kpsa-xi by using a second preset algorithm, to generate a third key (K?sx); decrypting, by the server, the Data-Encry by using the K?sx, to obtain second data (Data?); performing, by the server, an operation on the K?sx and the Data? based on a first preset algorithm to obtain a second data digest (Data-Hash?); and if the Data-Hash? is the same as the Data-Hash, determining, by the server, that authentication of the terminal succeeds.

Abstract: A technique includes accessing data that represents a plurality of values that are associated with a plurality of ranges. The technique includes determining a pseudonym value for a given value, where the given value is associated with a given range and determining the pseudonym includes encrypting the given value to provide the pseudonym value; controlling the encryption to cause the pseudonym value to be within the given range; and tweaking the encryption based on an attribute that is associated with the given value.

Abstract: A method of provisioning key information and a device using the method are provided. The method of provisioning key information according to one embodiment of the present disclosure includes generating key information for encryption and decryption from seed information using a key information generation algorithm and deleting code that corresponds to the key information generation algorithm from the device based on the generation of the key information.

Abstract: Representative embodiments of secure authentication to a resource in accordance with a predefined, electronically stored quorum-based authentication policy include causing electronic interaction among multiple devices that constitute a quorum in accordance with the policy, computationally determining whether the interaction satisfies the policy, and if so, electronically according access to the resource to one or more individuals associated with the interacting device(s).

Abstract: A computer-implemented method according to one embodiment includes identifying a first request from a user to access a container, determining whether the user has a first authorization to access the container, allowing the user to access the container, in response to determining that the user has the first authorization to access the container, identifying a second request from the user to access content within the container, where the content is encrypted, retrieving a key label associated with the container, determining whether the user has a second authorization to access the key label, retrieving a data encryption key, utilizing the key label, in response to determining that the user has the second authorization to access the key label, and allowing the user to access the content that is encrypted by performing one or more decryption actions, utilizing the data encryption key.

Abstract: System, method, and computer program product for authenticating a message among a groups of computing devices communicating over an unsecured channel, based on an out-of-band (OOB) authenticated channel which may be used to send a short message to all receivers.

Abstract: Techniques are disclosed relating to preemption indicators in the context of multiplexing different services on wireless physical layer frames. In some embodiments, a preemption indication is transmitted to indicate resources used by a preempting transmission. The preemption indication may be used when preemption is enabled, e.g., as indicated by an RRC message. The preemption indication may be common to multiple UEs. The resources used by the preempting transmission may overlap with other transmissions. In various embodiments, the disclosed techniques may facilitate signal preemption, e.g., by a low-latency, high-reliability data service.

Abstract: There are provided a method and system for assessing latency of ciphering end point of secure communication channel. The method comprises: generating a test traffic comprising a series of original data packets, wherein, for each original data packet, size of a given packet is uniquely indicative of the packet's place in a sequence of data packets in the series and enables unique correspondence with a size of the given packet upon its encryption; successively transmitting the original packets to the ciphering end point, whilst associating with respective departure time stamps; receiving encrypted packets from the ciphering end point and associating them with respective arrival time stamps; using a size of a given encrypted packet with a timestamp TSa to identify a size of a matching original packet, its place in the sequence of original packets and, thereby, its departure timestamp TSd, thus giving rise to a plurality of timestamp pairs (TSd; TSa).

Abstract: Methods, and systems for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include: receiving a request to take an action with respect to a vault of multiple different vaults in a cryptoasset custodial system, and each of the multiple different vaults has an associated policy map that defines vault control rules; authenticating, by a hardware security module, a policy map for the vault on which the action is requested based on a cryptographic key controlled by the hardware security module; checking the action against the policy map for the vault when the policy map for the vault is authenticated based on the cryptographic key controlled by the hardware security module; and effecting the action when the action is confirmed to be in accordance with the policy map for the vault.

Abstract: A decryption integrated circuit (IC) includes an interface configured to receive an encrypted block of data and a decryption datapath. The decryption datapath has a plurality of computational stages arranged in a pipeline configured to decrypt the encrypted block of data to form a decrypted block of data. A non-linear computational stage included in the pipeline of the decryption datapath includes multiple asymmetric logical paths and multiple bypassable latches. A first signal traverses a first logical path and a second signal traverses a second logical path having a greater number of logical units than the first logical path. Each bypassable latch is positioned in a respective logical path of the multiple asymmetric logical paths. The decryption IC further includes a controller configured to assign an individual random bit sequence to each bypassable latch to randomly activate or randomly disable each bypassable latch of the multiple bypassable latches.

Abstract: A cryptographic module has an input/output port to receive a first temporary key. A processor receives the first temporary key from the input/output port. A secure authentication key memory is connected to the processor. A temporary key generator is connected to the processor to produce a second temporary key for routing to the input/output port. A cryptographic salt generator is connected to the processor to produce cryptographic salt. A cryptographic key generator is connected to the processor to process key parts derived from the first temporary key, the second temporary key and the cryptographic salt to produce cryptographic keys.

Abstract: A multi-modal encrypted messaging platform to provide HIPAA compliant messaging and interfaces to provide access to electronic data records. The proposed invention discloses example embodiments that comprise a server-system, a client device in communication with the server-system, and an auxiliary device coupled to the client device.

Abstract: Certain embodiments described herein are generally directed to allocating security parameter index (“SPI”) values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.

Abstract: One embodiment provides a method, including: obtaining information related to a plurality of communication interactions between a first user and at least one other user, wherein each of the communication interactions is associated with a communication source and wherein the obtained information identifies a response by the first user to a received communication; constructing a plurality of relationship graphs for the user, wherein each relationship graph corresponds to one communication source and wherein each of the relationship graphs indicates (i) relationships between the first user and at least one other user and (ii) a condition of each of the relationships with respect to other relationships within the relationship graph; and constructing an aggregate relationship graph, wherein the constructing an aggregate relationship graph comprises computing an importance score for each relationship between the user and another user.

Abstract: A data communication system for a local network. The system includes a network node and a plurality of network devices associated therewith. The network node provides a network node service to clients or bots executing on the plurality of network devices. Individual clients or bots are communicably and only programmatically coupled around the network node service in a programmatic star configuration to create the local network. The network node service validates and authenticates local services provided by the clients or bots within the local network. Data is communicated between clients or bots within the local network in real time or near real time, by relaying the data through the network node service. Information content of the data is encrypted prior to communicating the data, by employing a key store associated with a user of the source client or bot.

Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.

Abstract: Methods and apparatus for verifying a boot process of a computing system are disclosed. An example computer-implemented method includes reading, by a computing system during a boot process, a header section of a read-write portion of firmware of the computing system. The example method further includes generating, using a first cryptographic hash algorithm, a message digest corresponding with the header. The example method also includes decrypting, using a first public-key, an encrypted signature corresponding with the header. The example method still further includes comparing the message digest corresponding with the header and the decrypted signature corresponding with the header. In the event the message digest corresponding with the header and the decrypted signature corresponding with the header match, the example method includes continuing the boot process.

Abstract: Systems, devices, and methods for hybrid secret sharing are disclosed. In accordance with embodiments, a computing device may encrypt the secret message using a first encryption key to generate an encrypted secret message. The computing device may also split a second encryption key into a plurality of key shares in accordance with a threshold number. The threshold number is less than or equal to the number of the plurality of key shares. Then, the computing device may transmit a plurality of messages. Each message of the plurality of messages comprises the encrypted secret message and one of the plurality of key shares.

Abstract: In implementations of application-based font previewing, a font preview system of a computing device receives a font file corresponding to a font of a font repository via a network. The font preview system encrypts font tables of the font file and the font preview system writes the encrypted font tables to a font disk cache of the computing device. The font preview system writes metadata describing the font tables to a font memory cache of the computing device. In response to receiving a request to preview the font from an application of the computing device, the font preview system uses the metadata to identify and decrypt a particular font table of the encrypted font tables, and the application renders glyphs of the font in a user interface using the decrypted particular font table.

Abstract: Aggregated transaction data from a transaction data provider may be encrypted and exchanged with a content item selection system using commutative encryption algorithms. The transaction data provider and content item selection system may utilize a set of common identifiers that are each encrypted using a respective commutative encryption algorithm of the transaction data provider or content item selection system. The other of the transaction data provider or content item selection system encrypts the single-encrypted common identifier using a respective commutative encryption algorithm to generate double encrypted common identifiers. The double encrypted common identifiers may be used to match a set of common identifiers with transaction data. The transaction data may be encrypted and/or may include random offset values.

Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.

Abstract: A processing system includes a first processing unit; a second processing unit; and a cryptographic coprocessor communicatively coupled to the first processing unit and the second processing unit. The cryptographic coprocessor includes a key storage memory for storing a cryptographic key; a first interface configured to receive source data to be processed directly from the first processing unit; a hardware cryptographic engine configured to process the source data as a function of the cryptographic key stored in the key storage memory; a second interface configured to receive a first cryptographic key directly from the second processing unit; and a hardware key management circuit configured to store the first cryptographic key in the key storage memory.

Abstract: Aspects of the disclosure relate to a system and method for securely authenticating a device via token(s) and/or verification computing device(s). A verification computing device may generate a pseudorandom number or sequence. Based on the pseudorandom number or sequence, the verification computing device may select a first plurality of parameters associated with a user of a device to be authenticated. The verification computing device may transmit, to the device, the pseudorandom number or sequence, and the device may select a second plurality of parameters. The device may generate a token based on the second plurality of parameters. The device may send the token to another device, and the other device may send the token to the verification computing device. The verification computing device may authenticate the device based on the token.

Abstract: A secure computation system is provided. The system includes a distribution information generation apparatus that generates data distribution values, sign distribution values and carry distribution values from at least two fixed-point numbers by distributing each of the at least two fixed-point numbers using an additive secret sharing scheme; and a secure computation apparatus group including at least two secure computation apparatuses. The secure computation apparatus group includes: a secure digit extender; and a secure multiplier.

Abstract: A smart surveillance system includes a communicator configured to communicate with a closed circuit television (CCTV) camera and a cloud server, a background image extractor configured to analyze CCTV image data received from the CCTV camera and to extract a background image, an object image analyzer configured to distinguish an object image from the background image through big data analysis of a CCTV image, a region of interest (ROI) extractor configured to extract an ROI corresponding to the object image, and a controller configured to provide the background image and the ROI to the cloud server, to receive the background image and the ROI from the cloud server, to combine the background image and the ROI, and to generate a complete CCTV image, if necessary.

Abstract: Various techniques for providing video feed redundancy are described herein. Instructions may be provided for switching input to an output video feed between two or more redundant input video feeds. In some examples, the redundant input video feeds may not be duplicates, may not be frame synchronized, may not be transmitted from the same location, may not be transmitted using the same network types or transmission protocols, and/or may not be initiated at the same time. In some examples, the instructions for video feed redundancy may be associated with respective authorization keys for the redundant input video feeds.

Abstract: Embodiments relate to a wireless communication device of a group of wireless communication devices configured to communicate with a base station, the wireless communication device comprising a transceiver configured to receive a token from the base station and a processor configured to generate a first data structure on the basis of a function of the token and of a key ki of the wireless communication device and a second data structure comprising an identity idi of the wireless communication device, wherein the transceiver is further configured to broadcast the first data structure and the second data structure to the group of wireless communication devices and the base station.

Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Abstract: A method, an information handling system (IHS) and a validation system for validating an image using an embedded hash. The method includes retrieving, via a controller, a first image from a first memory device and extracting a first hash from a first location within the first image. The first hash was previously generated using an original set of data that includes a first data string, and the first image includes the first hash inserted into the first location to replace the first data string. The method includes retrieving a copy of the first data string. The method further includes generating a second image by inserting the first data string into the first location from which the first hash was extracted such that the second image contains the original set of data. The method further includes validating the first image using the first hash and the second image.

Abstract: A cryptographic object management system is provided that includes physically separated first and second object management sites. The first and second object management sites each respectively include HSMs, a HSM server connected to each of the HSMs, and a persistent layer connected to the HSM server. The HSM servers respectively manage operation of each of the HSMs. The HSM server of the first object management site includes an object manager module that manages and controls the cryptographic object management system. The persistent layers respectively store cryptographic objects for use by the HSMs. Each of the HSMs respectively performs crypto-processing on one or more of the cryptographic objects.

Abstract: A computer implemented method of exchanging first valuable data at a first node for second valuable data from a second node, the method comprising the steps of: applying a first encryption to a first plurality of messages, at the first node, with a function having a commutative property, so as to create a blinded first plurality of messages; sending the blinded first plurality of messages from the first node to the second node, wherein the first valuable data is concealed in one message of the blinded first plurality of messages; receiving a blinded second plurality of messages at the first node, wherein the second valuable data is concealed in one message of the blinded second plurality of messages and the blinded second plurality of messages have been encrypted with a second encryption; in response to receiving the blinded second plurality of messages at the first node, applying a third encryption to the blinded second plurality of messages with a function having a commutative property so as to create do

Abstract: Approaches described herein allow an appliance to receive a message from a client device when the client device is attempting to connect to a service other than the appliance. For instance, a client device might connect to a service on a private network, however if the client device is not on the private network, it may encounter an appliance such as a gateway. The appliance is configured to return a message to a client device indicating that it is an appliance, and the client device returns a certificate to the appliance that allows the client to indicate a first purpose of a connection and a second purpose of the connection. In approaches described herein, the second purpose is used by the appliance to perform an action related to providing the service with a certificate that allows for the first purpose, which can include information to create a secure connection between the service and the client device.

Abstract: A hardware secure module includes a processing unit and a cryptographic coprocessor. The cryptographic coprocessor includes a key storage memory; a hardware key management circuit configured to store a first cryptographic key in the key storage memory; a first interface configured to receive source data to be processed; a second interface configured to receive the first cryptographic key from the processing unit for storing in the key storage memory; a hardware cryptographic engine configured to process the source data as a function of the first cryptographic key stored in the key storage memory; and a third interface configured to receive a second cryptographic key. The hardware secure module further includes a non-volatile memory configured to store the second cryptographic key; and a hardware configuration module configured to read the second cryptographic key from the non-volatile memory and send the second cryptographic key to the third interface.

Abstract: Creating a certificate for a software module. A method includes obtaining a public key for a software module. The method includes obtaining a public key for a software module implemented on a hardware device. The method further includes creating a certificate using the public key by signing the public key using a hardware protected key and hardware protected compute elements. The hardware protected key is protected by a protected portion of the hardware device, and not accessible outside of the protected portion of the hardware device.

Abstract: A device stores a first portion of a database, which is distributed across communication devices of a network, and to authenticate a first interaction with a second device: sends a first ID to the second device to authenticate itself with the second device; receives a second ID from the second device; retrieve, using the second ID, a public key associated with one of the first portion of the database or a second portion of the database stored in a third device, which has a third address that is numerically within a threshold value of a first address of the device; and verify, based on a permission stored in relation to the public key, that the second device is authorized to engage in the first interaction with the device.

Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.

Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.

Abstract: Method and apparatus for managing data in a data storage device configured as a storage compute appliance. In some embodiments, the data storage device has a non-volatile memory (NVM) and a controller circuit. The NVM stores a plurality of data sets encrypted by at least one encryption key. The controller circuit performs a storage compute appliance process by locally decrypting the plurality of data sets in a local memory of the data storage device, generating summary results data from the decrypted data sets, and transferring the summary results data across the host interface to an authorized user without a corresponding transfer of any portion of the decrypted data sets across the host interface.

Abstract: The techniques discussed herein relate to providing a highly available and reliable secret distribution infrastructure. In an implementation, a key master service (KMS) system is disclosed. The KMS system includes one or more computer readable storage media having program instructions stored thereon which, when executed by one or more processing systems, direct the one or more processing systems to identify a hydration event and, responsive to the hydration event, determine if other KMS systems are running in a secret distribution infrastructure. The program instructions, when executed by one or more processing systems, further direct the KMS system to hydrate the KMS system with secret information obtained from the one or more of the other KMS systems when the other KMS systems are running in the secret distribution infrastructure.

Abstract: A method for re-keying an encrypted data file, the data file being stored chunkwise on a storage entity (SE), data file chunks being encrypted with a global secret, and the method being performed in a memory available to a computing device, includes partially updating a global secret for encryption data for a data chunk to be re-keyed such that an output of a non-interactive oblivious key exchange is used to identify the private key of the data chunk to be re-keyed with a new private key; and reencrypting the data chunk to be re-keyed with the updated global secret.

Abstract: The present disclosure is directed to systems and methods for providing protection against replay attacks on memory, by refreshing or updating encryption keys. The disclosed replay protected computing system may employ encryption refresh of memory so that unauthorized copies of data are usable for a limited amount of time (e.g., 500 milliseconds or less). The replay protected computing system initially encrypts protected data prior to storage in memory. After a predetermined time or after a number of memory accesses have occurred, the replay protected computing system decrypts the data with the existing key and re-encrypts data with a new key. Unauthorized copies of data (such as those made by an adversary system/program) are not refreshed with subsequent new keys. When an adversary program attempts to use the unauthorized copies of data, the unauthorized copies of data are decrypted with the incorrect keys, which renders the decrypted data unintelligible.

Abstract: Embodiments for implementing an inferred access authentication decision for an application by a processor. A minimum required credential strength of a current authentication process for an application is compared to a previous, successful authentication for the application. The minimum required credential strength of application is inferred to be sufficient to validate the current authentication process upon determining a minimum required credential value (AMRCV) is greater than a predetermined threshold of the previous successful authentication for the application.

Abstract: One or more networks each include a plurality of sensor nodes operable to communicate public data with each other. Each of the plurality of sensor nodes is operable to gather sensor node data and store the sensor node data locally on the sensor node. Duplicate portions of the sensor node data are distributed to the public data of others of the plurality of sensor nodes via the public data paths for backup storage. The system includes a host that is coupled to individually communicate private data with each of the plurality of sensor nodes. Each of the sensor nodes protects the private data from others of the sensor nodes using distributed key management to ensure distributed encryption.

Abstract: An apparatus and method for performing operation being secure against side channel attack are provided. The apparatus and method generate values equal to values obtained through an exponentiation operation or a scalar multiplication operation of a point using values extracted from previously generated parameter candidate value sets and an operation secure against side-channel attack, thereby improving security against side-channel attack without degrading performance.