Key Management Patents (Class 380/277)
  • Patent number: 10999257
    Abstract: A content item service enables users to upload media for content items to be given to others. The content item service performs operations on uploaded media content, such as transcoding. A transformed instance of content is encrypted using a cryptographic key, and an identifier for the encrypted transformed instance of content is generated. The encrypted transformed instance of content and an encrypted version of the cryptographic key are stored in association with the identifier.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: May 4, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Ravi Kiran Chilakapati, Catalin Mihai Constantin, Francis Xavier Kearney
  • Patent number: 10990691
    Abstract: A method is provided that permits a user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.
    Type: Grant
    Filed: May 10, 2019
    Date of Patent: April 27, 2021
    Assignee: ARRIS Enterprises LLC
    Inventors: Jinsong Zheng, Alexander Medvinsky, Tat Keung Chan, Ting Yao, Jason A. Pasion
  • Patent number: 10992839
    Abstract: A method for controlling an electronic device including at least one processor configured to encrypt an image and upload the encrypted image to an external server by using an artificial intelligence neural network model is provided. The method includes receiving a command to upload an image to the external server; acquiring, based on the command, a characteristic value corresponding to the image by inputting the image and a key of the electronic device into a neural network model trained to identify characteristic values based on an input image and an input key; and transmitting identification information of the image and the characteristic value to the external server.
    Type: Grant
    Filed: February 5, 2020
    Date of Patent: April 27, 2021
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Seong-min Kang, Heung-woo Han
  • Patent number: 10992461
    Abstract: Technology permitting secure storage and transmission of data streams as well as tiered access to multiple data streams according to permission. Data streams may be encrypted using symmetric encryption performed with varying symmetric keys according to a key stream of symmetric keys. Native data may be discarded for safety. Whole or partial key streams may be encrypted using the public keys of authorized entities having permission to access respective data streams or portions thereof. Only the corresponding private keys can decrypt the encrypted key streams required to decrypt the encrypted data streams. Thus rigorous access control is provided. IT personnel accessing data stream files on a server or intruders maliciously obtaining files will not be able to derive the data stream. Sensitive data streams may be stored using cloud services despite inherent risks.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: April 27, 2021
    Assignee: GENETEC INC.
    Inventors: Pierre Racz, Frederic Rioux
  • Patent number: 10990300
    Abstract: An example method for restricting read access to content in the component circuitry and securing data in the supply item is disclosed. The method identifies the status of a read command, and depending upon whether the status is disabled or enabled, either blocks the accessing of encrypted data stored in the supply chip, or allows the accessing of the encrypted data stored in the supply chip.
    Type: Grant
    Filed: April 15, 2019
    Date of Patent: April 27, 2021
    Assignee: LEXMARK INTERNATIONAL, INC.
    Inventors: Stephen Porter Bush, Jennifer Topmiller Williams
  • Patent number: 10990684
    Abstract: The present invention generally relates to a context-aware security self-assessment method or module that determines the context in which the device is used and based on this, assesses the device's security settings. The context may refer to the system environment, the applications the device is used for, and/or the current life-cycle stage of the device, without being limited to said contexts. The method of the present invention preferably prioritizes and rates the security relevant findings and presents them in combination with mitigation options through a web interface, a configuration tool, or through notifications in the control system.
    Type: Grant
    Filed: September 18, 2018
    Date of Patent: April 27, 2021
    Assignee: ABB Power Grids Switzerland AG
    Inventors: Sebastian Obermeier, Roman Schlegel, Johannes Schneider, Thomas Locher, Matus Harvan
  • Patent number: 10992464
    Abstract: A chip includes a processing device to perform cryptographic operations by secret data; a memory to store a first plurality of information portions that correspond to a first breakdown of the data and from which the secret data are reconstructible by combination of the first plurality of information portions; a random number generator to provide random values; and a conversion device to ascertain second breakdowns of the data into a second plurality of information portions, from which the secret data are reconstructible and to control the memory for an ascertained second breakdown to store the present second plurality of information portions. The conversion device is further configured to ascertain the second breakdowns based on the random values and/or to determine the interval of time between the ascertaining and storing of a second breakdown and the ascertaining and storing of the subsequent second breakdown based on the random values.
    Type: Grant
    Filed: January 8, 2019
    Date of Patent: April 27, 2021
    Assignee: INFINEON TECHNOLOGIES AG
    Inventors: Berndt Gammel, Bernd Meyer
  • Patent number: 10992649
    Abstract: Systems and methods for privacy in distributed ledger transactions are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor for a first node in a computer network comprising a plurality of nodes, a method for generating a key directory in a network comprising a plurality of nodes may include: (1) advertising a public key for a first node to the other nodes; (2) receiving public key information from each of the plurality of nodes; and (3) generating a public key directory that associates each node in the computer network with its public key.
    Type: Grant
    Filed: February 23, 2018
    Date of Patent: April 27, 2021
    Assignee: ConsenSys Software Inc.
    Inventors: Tyrone Lobban, Patrick Mylund Nielsen, Amber Baldet, Samer Falah
  • Patent number: 10985905
    Abstract: A fully homomorphic white-box implementation of one or more cryptographic operations is presented. This method allows construction of white-box implementations from general-purpose code without necessitating specialized knowledge in cryptography, and with minimal impact to the processing and memory requirements for non-white-box implementations. This method and the techniques that use it are ideally suited for securing “math heavy” implementations, such as codecs, that currently do not benefit from white-box security because of memory or processing concerns. Further, the fully homomorphic white-box construction can produce a white-box implementation from general purpose program code, such as C or C++.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: April 20, 2021
    Assignee: ARRIS Enterprises LLC
    Inventor: Lex Aaron Anderson
  • Patent number: 10985921
    Abstract: Example embodiments of systems and methods for application verification are provided. An application may generate a cryptographic key, and encrypt the cryptographic key with a predefined public key. A server, in data communication with the application, may include a predefined private key. The application may transmit the cryptographic key to the server. The server may receive, from the application, the cryptographic key; decrypt the cryptographic key using the predefined private key; encrypt an authorization token using the decrypted key; and transmit, to the client application, the authorization token via an out-of-band channel. The application may receive, from the server, the authorization token via the out-of-band channel; and decrypt the authorization token to obtain access to one or more services associated with the server.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: April 20, 2021
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Panayiotis Varvarezis, Mausam Gautam, Reza Jaberi, Edward Lee, Chad Landis
  • Patent number: 10986209
    Abstract: A method implemented by a first content network element (NE) in an information centric network (ICN), the method comprising receiving, by a receiver, an interest packet through a first interface, wherein a header of the interest packet comprises a path filter, the path filter being associated with one or more segments on a path from a consumer to a producer, modifying, by a processor coupled to the receiver, the path filter based on information identifying one or more previous content NEs or one or more next content NEs on the path to produce a modified path filter, and transmitting, by a transmitter coupled to the receiver, the interest packet with the modified path filter to the next content NE.
    Type: Grant
    Filed: April 19, 2018
    Date of Patent: April 20, 2021
    Assignee: Futurewei Technologies, Inc.
    Inventors: Aytac Azgin, Ravishankar Ravindran
  • Patent number: 10986451
    Abstract: A hearing assistive system, comprises a personal communication device (10) and a head-worn device (20). The personal communication device (10) has a user interface (12) being adapted for user interaction, a processor (11) controlling the user interface (12) and being adapted to run an application program, a short-range radio (13), and an output transducer (15). The head-worn device (20) has an input transducer (24) adapted for converting sound into an electric signal applied to a processor (21) outputting a modified audio signal via an output transducer (25). The application program is adapted to generate and output a data packet (70) on an audio carrier via the output transducer (15). The head-worn device (20) has an audio signaling block (26) for detecting and decoding the data packet (70) received by the input transducer (24). The head-worn device (20) has a controller (27) for controlling the operation of a short-range radio (28).
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: April 20, 2021
    Assignee: Widex A/S
    Inventors: Michael Ungstrup, Michael Johannes Pihl, Mike Lind Rank, Jan Hesselballe
  • Patent number: 10986177
    Abstract: A multi-dimensional blockchain protocol designed to self-fork into multiple chains, scale infinitely, achieve zero cost transactions, sub-second finality and open new markets for sharders, blobbers, developers, and content publishers, while managing a low inflation rate.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: April 20, 2021
    Assignee: 0Chain, LLC
    Inventor: Saswata Basu
  • Patent number: 10979901
    Abstract: Provided are an electronic device and a method for processing data in the electronic device. The electronic device may receive server registration time-related information—that is, information related to a time when at least one beacon device becomes registered in a server, and decrypt at least one beacon signal received from the at least one beacon device based on the received server registration time-related information.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: April 13, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Hye-Won Park
  • Patent number: 10970408
    Abstract: A method for securing a digital document comprising first and second types of data, where a set of data of the second type is previously identified in an initial version of the document. For each data of the second type, an identifier is allocated to the data and an entry comprising the data is stored in a secure storage unit. The identifier comprises a display value and a link value. The data is reachable in the secure storage unit through the link value. The secure storage unit is configured to use access rules for authorizing or denying a request initiated by a user for accessing data of the second type contained in an entry of the secure storage unit. An updated version of the digital document is generated by replacing each data of the second type by its allocated identifier in the initial version of the digital document.
    Type: Grant
    Filed: October 10, 2018
    Date of Patent: April 6, 2021
    Assignee: THALES DIS CPL USA, INC.
    Inventors: Christopher Holland, Russell Egan
  • Patent number: 10972258
    Abstract: Example methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to implement contextual key management for data encryption are disclosed. Example apparatus disclosed herein to perform contextual encryption key management, which are also referred to herein as contextual key managers, include an example context discoverer to discover context information associated with a request to access first encrypted data. Such disclosed example apparatus also include an example contextual key mapper to identify a combination of context rules associated with a key that is to provide access to the first encrypted data, validate the context information associated with the request based on the combination of context rules associated with the key to determine whether the request to access the first encrypted data is valid, and obtain the key from a key management service when the request to access the first encrypted data is valid.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: April 6, 2021
    Assignee: McAfee, LLC
    Inventors: Mark Ian Gargett, Shashank Visweswara, Wayne Helm Gibson, David Paul Webb
  • Patent number: 10970366
    Abstract: A method for securing a recording of multimedia content in a storage medium of a first electronic device, the method including an encryption operation which consists of: for each item of multimedia content to be encrypted, generating a random key within the first electronic device; encrypting the multimedia content by the random key in order to obtain encrypted multimedia content; encrypting, by a user key, the random key so as to obtain a first encrypted random key; encrypting the first encrypted random key by a root key specific to the first electronic device in order to obtain a second encrypted random key; and storing the second encrypted random key and the encrypted multimedia content in the storage medium.
    Type: Grant
    Filed: December 12, 2016
    Date of Patent: April 6, 2021
    Assignee: SAGEMCOM BROADBAND SAS
    Inventors: Lionel Deschamps, Jérôme Berger
  • Patent number: 10965690
    Abstract: This invention relates to a method for managing the status of a connected device by publishing assertions in an immutable distributed database composed of a plurality of compute nodes, a pair of keys comprising a public key and a private key being associated with the connected device. The method comprises the steps of: receiving from a first terminal associated to a first user an instruction message; verifying that the first user is allowed to modify the status of the connected device; sending an assertion request to the immutable distributed database for publishing an assertion comprising the status information.
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: March 30, 2021
    Assignee: THALES DIS FRANCE SA
    Inventor: Ly Thanh Phan
  • Patent number: 10965462
    Abstract: A method for conducting an operation including (a) lifting coefficients of a data structure from a representation modulo q to a representation modulo q′, wherein the data structure comprises values which are reduced modulo q, wherein q and are integers; (b) randomizing the coefficients in modulo q′, wherein for each coefficient a random value is multiplied with the value of q and the result of this multiplication is added to the coefficient; (c) conducting an operation on the lifted and randomized coefficients; and (d) reducing the lifted and randomized coefficients by conducting an operation modulo q.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: March 30, 2021
    Assignee: Infineon Technologies AG
    Inventor: Thomas Poeppelmann
  • Patent number: 10965702
    Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). NMCs may determine requests provided to a server based on a first portion of network traffic. NMCs may determine suspicious requests based on characteristics of the provided requests. NMCs may employ the characteristics of the suspicious requests to provide correlation information that is associated with the suspicious requests. NMCs may determine dependent actions associated with the server based on a second portion of the network traffic and the correlation information. And, in response to determining anomalous activity associated with the evaluation of the dependent actions, NMCs may provide reports associated with the anomalous activity.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: March 30, 2021
    Assignee: ExtraHop Networks, Inc.
    Inventors: Benjamin Thomas Higgins, Jesse Abraham Rothstein, Xue Jun Wu, Michael Kerber Krause Montague, Kevin Michael Seguin
  • Patent number: 10958426
    Abstract: A computer implemented method of authenticating communication between a first node and a second node, using a function of combined information obtained from at least one of the nodes, the method comprising: sending a commitment message from the first node to the second node, the message containing content based on (at least) a first part of the combined information, which content commits the first node to a first value of the function, and wherein the first part of the combined information is communicated from the first node to the second node with a delay mechanism that only allows the first part of the information to be determined by the second node after a predetermined time; and in response to receiving notification at the first node that the second node has received the message, which receipt commits the second node to the first function value.
    Type: Grant
    Filed: January 18, 2017
    Date of Patent: March 23, 2021
    Inventor: Andrew William Roscoe
  • Patent number: 10956055
    Abstract: A method for execution by an auditing unit includes sending a verification request to a storage unit that includes a slice name and a challenge value. A proof of knowledge is received from the storage unit in response, where the proof of knowledge is generated by the storage unit based on a prover output value generated by performing a combined integrity function on the challenge value and slice data associated with the slice name. A verifier output value is generated by the auditing unit as a function of the challenge value and a known slice integrity check value for the slice name. Output verification data is generated by comparing the prover output value to the verifier output value. A corrective action is initiated on the storage unit when the prover output value compares unfavorably to the verifier output value, or when the proof of knowledge is evaluated to be invalid.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: March 23, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Jason K. Resch
  • Patent number: 10958423
    Abstract: The automated changeover of a transfer encryption key from one transfer encryption key to another. This occurs in an environment in which a set of computing systems are to share one or more keys (such as a private and public key pair). The transfer encryption key is used to encrypt communications of the key(s) such that the encrypted key(s) may be transferred over a transfer system without the transfer system having access to the key(s). In order to perform automated changeover of the transfer encryption key, one of the set of computing systems encrypts the next transfer encryption key with the prior transfer encryption key. The transfer system provides this encrypted message to the remainder of the set of computing systems, which may then decrypt the encrypted message using the prior transfer encryption key, to find the next transfer encryption key.
    Type: Grant
    Filed: February 6, 2018
    Date of Patent: March 23, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Venkatesh Narayanan, Anoob Backer Mundapillythottathil Aboo Backer, Soumya Desai, Akshay N V, Nagalinga Raju Samuthirapandi, Soumya Jain
  • Patent number: 10949512
    Abstract: During a password entry, a matrix is traversed to select a position. The matrix includes several levels, each level in the several levels including at least one position where data can be entered, where a second level in the matrix forms a sub-level of a first level, and where the second level is reachable only from a particular position in the first level. In response to an input, a mode of the selected position is changed such that the position becomes unchangeable and unselectable during a remainder of the password entry. The selected position is encoded in an auth-step. In response to an indication of an end of the password entry, an auth-code is transmitted. The auth-code includes a set of auth-steps, and the set of auth-steps includes the auth-step.
    Type: Grant
    Filed: July 10, 2019
    Date of Patent: March 16, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Eric V. Kline, Mark E. Maresh, Colm Nolan, Juan F. Vargas, Cheranellore Vasudevan, Michael J. Whitney
  • Patent number: 10949526
    Abstract: Methods, systems, and devices for user device authentication are described. In some systems, an application server may host a secure application utilizing user device verification. A proxy server may perform a certificate challenge with a user device to determine whether the user device is authorized to access the application, and may transmit a login request and authentication information to the application server based on the result of the challenge. The application server may determine whether the certificate challenge was successful, and may verify whether the proxy server is a valid proxy for the application. If these validations are successful, the application server may transmit an authorization message (e.g., an encrypted ticket) to the user device for a login procedure. The user device may send a login request with the authorization message directly to the application server (e.g., without further tunneling through the proxy) to initiate a login procedure.
    Type: Grant
    Filed: January 25, 2018
    Date of Patent: March 16, 2021
    Assignee: salesforce.com, inc.
    Inventors: Leonardo Skipper Kermes, Winston Chir
  • Patent number: 10944733
    Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.
    Type: Grant
    Filed: June 28, 2018
    Date of Patent: March 9, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Syed Khalid Raza, Mosaddaq Hussain Turabi, Lars Olaf Stefan Olofsson, Atif Khan, Praveen Raju Kariyanahalli
  • Patent number: 10944727
    Abstract: Disclosed are various examples for securing the streaming of a media file from a web service to a media player. A request for a portion of a media file can be received including an authentication key. A web service can validate the authentication key. If the authentication key validates, the web service can send the portion of media to a media player. The media player can render the media on a display of a client device. Requests can be iteratively sent for each portion of the media file.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: March 9, 2021
    Assignee: AIRWATCH LLC
    Inventors: Anshuman Biswal, Akshay Laxminarayan, Rammani Panchapakesan
  • Patent number: 10944571
    Abstract: Some embodiments provide a method for recovering user data for a device. To initiate recovery, the method sends to a first server a first request including at least (i) a device identifier and (ii) a first set of cryptographic data for a second set of servers with which the first server communicates. If the first server verifies the device identifier with an attestation authority, the method receives from the second set of servers a second set of cryptographic data generated by the second set of servers. After receiving input of a device passcode for the device, the method sends to the first server a second request comprising at least a third set of cryptographic data for the second set of servers generated based on the device passcode. If the first server verifies the device passcode with the second set of servers, the method receives access to the user data.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: March 9, 2021
    Assignee: Apple Inc.
    Inventors: Raghunandan K. Pai, Thomas P. Mensch, Navin Bindiganavile Suparna
  • Patent number: 10944557
    Abstract: A method is provided for securely activating or deactivating functionality in a data processing system. The method includes determining to activate or deactivate a selected functional block of a plurality of functional blocks in the data processing system. An authentication key and a unique identifier are provided to a key derivation function of a function control circuit to produce a derived key value. The key derivation function is iteratively input with a sequence of function set identifiers, where each function set identifier is for identifying one or more of the functional blocks. Each function set identifier is paired with a previously derived key value from a previous iteration. A final iteration of the key derivation function provides a verification key for verifying the authenticity of the derived key value corresponding to the selected functional block to be activated or deactivated.
    Type: Grant
    Filed: April 25, 2018
    Date of Patent: March 9, 2021
    Assignee: NXP B.V.
    Inventor: Sören Heisrath
  • Patent number: 10936759
    Abstract: Described herein are systems, methods, and computer-readable media for providing enhanced encryption in a data storage system. An example method can include receiving a data set, selecting a first portion of the data set as a unique encryption key, encrypting a second portion of the data set using the unique encryption key, and writing the encrypted second portion of the data set to a storage device.
    Type: Grant
    Filed: August 31, 2018
    Date of Patent: March 2, 2021
    Assignee: Amzetta Technologies, LLC
    Inventors: Paresh Chatterjee, Raghavan Sowrirajan, Sakthi Kumar B, Soumyadarshi Adhikari
  • Patent number: 10936558
    Abstract: Techniques are described for migrating namespace content from a source system to a target system. Migrating the namespace content involves copying data associated with a namespace from the source system to the target system in a manner that allows guests on both the source system and the target system to access the data during the namespace migration. Further, the techniques take advantage of any replica of the namespace content that may already exist in the target system, so that only blocks that are not already in the target system are copied as part of the migration operation. Both the source system and the target system use Content Addressable Storage, and have fingerprint indexes that allow blocks to be located based on their fingerprints. Thus, the target system to which a namespace is migrated may determine whether a desired block from the namespace can be obtained locally based on whether its fingerprint index has an entry for the fingerprint of the block.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: March 2, 2021
    Assignee: VMware, Inc.
    Inventor: R. Hugo Patterson
  • Patent number: 10922439
    Abstract: Technologies for verifying the integrity of regions of physical memory allocated among multiple domains are described. In embodiments the technologies include or cause: the generation of a first integrity value in response to a write command from a first domain; the generation of a second integrity value in response to a read command; and verifying the integrity of read data targeted by the read command at least in part by comparing the first integrity value to the second integrity value.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: February 16, 2021
    Assignee: Intel Corporation
    Inventors: Vincent Von Bokern, Siddhartha Chhabra
  • Patent number: 10922117
    Abstract: The present application discloses a virtual trusted platform module (vTPM)-based virtual machine security protection method and system. The method, executed by a physical host, includes: receiving a primary seed acquisition request sent by a virtual machine, where the primary seed acquisition request carries a UUID; sending the UUID to a KMC, so that the KMC generates a primary seed according to the UUID; and receiving the primary seed fed back by the KMC, and sending the primary seed to the virtual machine, so that the virtual machine creates a root key of a vTPM according to the primary seed, where the root key is used by the vTPM to create a key for the virtual machine to protect security of the virtual machine. As such, the same root key can be created by using the primary seed.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: February 16, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Xun Shi, Juan Wang, Bo Zhao
  • Patent number: 10924278
    Abstract: Qwyit® Authentication and Encryption Service serves as a direct replacement of Transport Layer Security. Applications can place a small code segment within their communications protocol, resulting in authenticated and encrypted message traffic with the features of TLS while adding additional improvements as set forth herein. QAES provides a direct next generation replication and enhancement of the current, only global secure communications framework. QAES provides the same features, benefits, authentication (embedded) and data security (stream cipher) for communications traffic using the Qwyit® Directory Service key store. The combination of features and properties provide a simple, straightforward way for any application to incorporate secure communications. The unique, superior Qwyit® protocol delivers where TLS fails: embedded security without any need for additional bandwidth, processing power or cumbersome user requirements.
    Type: Grant
    Filed: July 13, 2018
    Date of Patent: February 16, 2021
    Assignee: Qwyit, LLC
    Inventor: R Paul McGough
  • Patent number: 10922444
    Abstract: The disclosure relates to a method and apparatus for displaying an application interface. The method includes detecting a starting operation over a specified application; in response to detecting the starting operation over the specified application, determining whether the specified application is a secret-related application; when the specified application is determined to be the secret-related application, acquiring an encrypted display manner of the specified application; and sending application interface data and the encrypted display manner of the specified application to a first terminal based on a network connection pre-established with the first terminal, wherein the application interface data is used by the first terminal to generate an application interface of the specified application, and the encrypted display manner is used by the first terminal to display the application interface with an encrypted effect.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: February 16, 2021
    Assignee: Beijing Xiaomi Mobile Software Co., Ltd.
    Inventor: Ke Wang
  • Patent number: 10922292
    Abstract: Systems and methods for securing sensitive data are presented. The system includes a database that stores multiple data storage schemes, each of which denotes at least one location for storing at least a portion of the sensitive data within a data block object. The system further includes a security controller module comprising a processor and software instructions. When executed by the processor, the processor (a) instantiates a data block object for storing the sensitive data and (b) selects a data storage scheme. Then the processor stores the sensitive data within the data block object according to the data storage scheme. The processor also can provide access to the data block object. After allowing an access, the processor automatically selects another data storage scheme, and morphs the data block object by storing the sensitive data within the data block object according to the newly selected data storage scheme.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: February 16, 2021
    Assignee: Webcloak, LLC
    Inventor: Martin Dawson
  • Patent number: 10917871
    Abstract: Provided are a method and a device for determining a carrier for bearing a paging message and sending a paging message. The method for determining a carrier for bearing a paging message can comprise: acquiring, from a paging message sent by a mobility management entity (MME) or information locally stored by a base station, a paging characteristic of a terminal, where the paging characteristic indicates whether the terminal has the capability of supporting a non-anchor carrier for bearing the paging message; and determining a carrier for bearing the paging message corresponding to the terminal according to the paging characteristic.
    Type: Grant
    Filed: June 13, 2017
    Date of Patent: February 9, 2021
    Assignee: ZTE Corporation
    Inventors: Xiubin Sha, Qian Dai, Bo Dai, Jianxun Ai, Yuanfang Yu, Yin Gao, Ting Lu
  • Patent number: 10917240
    Abstract: A cryptographic key management service receives a request, associated with a principal, to use a cryptographic key to perform a cryptographic operation. In response to the request, the service determines whether a rate limit specific to the principal is associated with the cryptographic key. If the rate limit is associated with the cryptographic key, the service generates a response to the request that conforms to the rate limit. The service provides the response in response to the request.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: February 9, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Alexis Lynn Carlough, William Frederick Hingle Kruse
  • Patent number: 10904760
    Abstract: Embodiments of the present disclosure provide a data transmission method, apparatus, and device. The method includes: performing, by a terminal, encryption and integrity protection on a data packet by using a public key of a network device and a private key of the terminal, where the data packet includes user data; and sending, by the terminal, the data packet to the network device, to send the user data to a server by using the network device. Encryption and integrity protection are performed on the data packet respectively by using the public key of the network device and the private key of the terminal, and when no radio resource control (RRC) connection is established, the data packet is sent to the network device.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: January 26, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Jing Liu, Min Huang, Bing Shu
  • Patent number: 10904006
    Abstract: A mask is selected amongst a plurality of masks. A first masked random number is generated by converting a first random number using the selected mask, and a first key is generated from the first masked random number and a first biometric code generated from biometric information. In addition, mask information indicating the selected mask is stored. A second masked random number is generated by converting a second random number using the selected mask or a different mask having a predetermined relationship with the selected mask, and a second key is generated from the second masked random number and a second biometric code. A ciphertext is generated using one of the first key and the second key and an error-correction encoding method.
    Type: Grant
    Filed: December 4, 2017
    Date of Patent: January 26, 2021
    Assignee: FUJITSU LIMITED
    Inventors: Ryuichi Ohori, Takeshi Shimoyama
  • Patent number: 10904231
    Abstract: Data may be encrypted using a derived block encryption key for each of at least one append blocks of data. A data operation associated with manipulating particular data associated with a user may be received. The particular data may comprise at least one append block of data. In response to the received data operation, for each append block of data of the at least one append block of data, parameters associated with deriving a block encryption key for a given append block of data of the at least one append block of data may be accessed. The parameters may comprise at least a data encryption key associated with the user and a nonce. A block encryption key may be derived for the given append block of data utilizing the parameters. The given append block of data may be encrypted utilizing the block encryption key.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: January 26, 2021
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Baskar Sridharan, Victor V. Boyko, Sriram K. Rajamani, Mitica Manu
  • Patent number: 10894528
    Abstract: A vehicle smart key system may include a smart key, and a smart key control device mounted on a vehicle that recognizes a position of the smart key through wireless communication with the smart key, activates vehicle functions in a stepwise manner based on the position of the smart key, and determines whether to assign a vehicle access right to the smart key.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: January 19, 2021
    Assignees: Hyundai Motor Company, Kia Motors Corporation
    Inventors: Chang Sub Kim, Keun Ryang Park
  • Patent number: 10893313
    Abstract: Encrypted content from a content provider is received at a central location of a multichannel video programming distributor (MVPD). The content provider is distinct from the MVPD. The content is decrypted and processed in a virtual set-top application associated with a set-top of a customer of the MVPD. The set-top of the customer is located in a customer premises remote from the central location. The processed content is provided over a secure data link to a conditional-access encoder at the central location. The conditional-access encoder encrypts the processed content, which is then transmitted to the set-top of the customer.
    Type: Grant
    Filed: September 9, 2016
    Date of Patent: January 12, 2021
    Assignee: Active Video Networks, Inc.
    Inventors: Ronald A. Brockmann, Gerrit Hiddink
  • Patent number: 10887318
    Abstract: A method for downloading a profile on an embedded universal integrated circuit card (eUICC) of a terminal is provided. The method includes transmitting a profile request containing eUICC authentication information to a profile providing server through a security channel, upon receiving, from the profile providing server, profile-related information generated in response to the profile request, displaying non-encrypted profile information contained in the profile-related information on a screen, identifying whether a user input indicating whether to proceed to download the profile is detected, and downloading the profile, corresponding to the identified user input.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: January 5, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hye-Won Lee, Jong-Han Park, Duckey Lee, Sang-Soo Lee
  • Patent number: 10887099
    Abstract: A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: January 5, 2021
    Assignee: Pure Storage, Inc.
    Inventors: Ethan L. Miller, Andrew R. Bernat
  • Patent number: 10887095
    Abstract: The subject matter described herein is generally directed towards generating security parameter index (“SPI”) values at a plurality of endpoints (EP) in a network using time-based one-time passwords (TOTPs). In this manner, the SPI values are generated in a decentralized manner. The SPI values are used for distributed network encryption among the EPs.
    Type: Grant
    Filed: December 16, 2017
    Date of Patent: January 5, 2021
    Assignee: NICIRA, INC.
    Inventors: Amit Chopra, Chen Li
  • Patent number: 10880280
    Abstract: A node system implements a method for node relay communication. A description of a flow entry including an address in a flow and a private key is received. The flow entry and the private key are stored in a database indexed to a flow ID. A packet comprising an authentication code and packet data including packet sequence information and a Flow ID is received. A look up in the database of a flow entry corresponding to the Flow ID of the packet is performed. The packet is either ignored or forwarded to the address in the flow, depending on the result of the look-up.
    Type: Grant
    Filed: May 8, 2018
    Date of Patent: December 29, 2020
    Assignee: NETWORK NEXT, INC.
    Inventor: Glenn Alexander Fiedler
  • Patent number: 10877672
    Abstract: A method for execution by an auditing unit includes sending a verification request to a storage unit that includes a slice name and a challenge value. A proof of knowledge is received from the storage unit in response, where the proof of knowledge is generated by the storage unit based on a prover output value generated by performing a combined integrity function on the challenge value and slice data associated with the slice name. A verifier output value is generated by the auditing unit as a function of the challenge value and a known slice integrity check value for the slice name. Output verification data is generated by comparing the prover output value to the verifier output value. A corrective action is initiated on the storage unit when the prover output value compares unfavorably to the verifier output value, or when the proof of knowledge is evaluated to be invalid.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: December 29, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Jason K. Resch
  • Patent number: 10880093
    Abstract: Concepts and technologies are disclosed herein for providing an electronic document processing system, an electronic document generation mechanism, an encrypted digital certificate generator, a tool for coordinating the processing of electronic documents, a packaging mechanism for finalizing and authenticating electronic documents, a tracking log for recording relevant electronic document information, and a transferring protocol for transferring the ownership of electronic documents. The present disclosure also is directed to an electronic authentication system including an electronic document authentication watermark seal or signature line for confirming a document's signing within the view.
    Type: Grant
    Filed: January 16, 2017
    Date of Patent: December 29, 2020
    Assignee: Citrin Holdings LLC
    Inventors: Paul Rakowicz, Robert Shanahan
  • Patent number: 10873466
    Abstract: This application discloses a mobile device and method for managing installation of an application package (APK) in the mobile device. The device receives an installation request for installing the APK. The device retrieves a permission certificate for the APK according to the installation request. The permission certificate includes a cryptographic signature. The device determines validity of the permission certificate by verifying the cryptographic signature included in the permission certificate using a permission certification public key provided by a manufacturer of the device. The permission certification public key is stored in the device. The installation of the APK in the device is allowed when the permission certificate is determined to be valid. Using the method, the APK requires the device to grant specific high-risk permissions to the application upon installation.
    Type: Grant
    Filed: April 26, 2018
    Date of Patent: December 22, 2020
    Assignee: Huawei International Pte. Ltd.
    Inventors: Yongzheng Wu, Xuejun Wen