Key Management Patents (Class 380/277)
-
Patent number: 11088835
Abstract: A cryptographic module has an input/output port to receive a first temporary key. A processor receives the first temporary key from the input/output port. A secure authentication key memory is connected to the processor. A temporary key generator is connected to the processor to produce a second temporary key for routing to the input/output port. A cryptographic salt generator is connected to the processor to produce cryptographic salt. A cryptographic key generator is connected to the processor to process key parts derived from the first temporary key, the second temporary key and the cryptographic salt to produce cryptographic keys.
Type: Grant
Filed: August 23, 2018
Date of Patent: August 10, 2021
Assignee: Hologram, Inc.
Inventors: Patrick Floyd Wilbur, Reuben Balik
-
Patent number: 11087029
Abstract: A decryption integrated circuit (IC) includes an interface configured to receive an encrypted block of data and a decryption datapath. The decryption datapath has a plurality of computational stages arranged in a pipeline configured to decrypt the encrypted block of data to form a decrypted block of data. A non-linear computational stage included in the pipeline of the decryption datapath includes multiple asymmetric logical paths and multiple bypassable latches. A first signal traverses a first logical path and a second signal traverses a second logical path having a greater number of logical units than the first logical path. Each bypassable latch is positioned in a respective logical path of the multiple asymmetric logical paths. The decryption IC further includes a controller configured to assign an individual random bit sequence to each bypassable latch to randomly activate or randomly disable each bypassable latch of the multiple bypassable latches.
Type: Grant
Filed: October 9, 2019
Date of Patent: August 10, 2021
Assignee: Facebook Technologies, LLC
Inventor: Sudhir Satpathy
-
Patent number: 11074997
Abstract: A multi-modal encrypted messaging platform to provide HIPAA compliant messaging and interfaces to provide access to electronic data records. The proposed invention discloses example embodiments that comprise a server-system, a client device in communication with the server-system, and an auxiliary device coupled to the client device.
Type: Grant
Filed: April 8, 2019
Date of Patent: July 27, 2021
Assignee: Statum Systems Inc.
Inventors: Stephen Michael Okajima, Arman Serebrakian, Ara Nazarian
-
Patent number: 11075949
Abstract: Certain embodiments described herein are generally directed to allocating security parameter index (“SPI”) values to a plurality of endpoints in a network. The SPI values may be derived using an SPI derivation formula and a plurality of parameters. In some embodiments, the SPI values may be derived by an endpoint and in other embodiments by a server. Using the SPI derivation formula and the plurality of parameters enables endpoints and servers to instantaneously derive SPI values without the need for servers to store them.
Type: Grant
Filed: February 2, 2017
Date of Patent: July 27, 2021
Assignee: Nicira, Inc.
Inventors: Amit Chopra, Chen Li, Ganesan Chandrashekhar, Jinqiang Yang, Sanal Pillai, Bin Qian
-
Patent number: 11070531
Abstract: A data communication system for a local network. The system includes a network node and a plurality of network devices associated therewith. The network node provides a network node service to clients or bots executing on the plurality of network devices. Individual clients or bots are communicably and only programmatically coupled around the network node service in a programmatic star configuration to create the local network. The network node service validates and authenticates local services provided by the clients or bots within the local network. Data is communicated between clients or bots within the local network in real time or near real time, by relaying the data through the network node service. Information content of the data is encrypted prior to communicating the data, by employing a key store associated with a user of the source client or bot.
Type: Grant
Filed: July 6, 2018
Date of Patent: July 20, 2021
Assignee: Gurulogic Microsystems Oy
Inventors: Tuomas Kärkkäinen, Mikko Sahlbom
-
Patent number: 11068511
Abstract: One embodiment provides a method, including: obtaining information related to a plurality of communication interactions between a first user and at least one other user, wherein each of the communication interactions is associated with a communication source and wherein the obtained information identifies a response by the first user to a received communication; constructing a plurality of relationship graphs for the user, wherein each relationship graph corresponds to one communication source and wherein each of the relationship graphs indicates (i) relationships between the first user and at least one other user and (ii) a condition of each of the relationships with respect to other relationships within the relationship graph; and constructing an aggregate relationship graph, wherein the constructing an aggregate relationship graph comprises computing an importance score for each relationship between the user and another user.
Type: Grant
Filed: March 27, 2018
Date of Patent: July 20, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Vijay Ekambaram, Ramasuri Narayanam, Sarbajit K. Rakshit
-
Patent number: 11063754
Abstract: Systems, devices, and methods for hybrid secret sharing are disclosed. In accordance with embodiments, a computing device may encrypt the secret message using a first encryption key to generate an encrypted secret message. The computing device may also split a second encryption key into a plurality of key shares in accordance with a threshold number. The threshold number is less than or equal to the number of the plurality of key shares. Then, the computing device may transmit a plurality of messages. Each message of the plurality of messages comprises the encrypted secret message and one of the plurality of key shares.
Type: Grant
Filed: May 1, 2018
Date of Patent: July 13, 2021
Assignee: Huawei Technologies Co., Ltd.
Inventors: Amirhossein Vakili, Yin Tan
-
Patent number: 11062080
Abstract: In implementations of application-based font previewing, a font preview system of a computing device receives a font file corresponding to a font of a font repository via a network. The font preview system encrypts font tables of the font file and the font preview system writes the encrypted font tables to a font disk cache of the computing device. The font preview system writes metadata describing the font tables to a font memory cache of the computing device. In response to receiving a request to preview the font from an application of the computing device, the font preview system uses the metadata to identify and decrypt a particular font table of the encrypted font tables, and the application renders glyphs of the font in a user interface using the decrypted particular font table.
Type: Grant
Filed: September 10, 2019
Date of Patent: July 13, 2021
Assignee: Adobe Inc.
Inventors: Nirmal Kumawat, Praveen Kumar Dhanuka, Gaurishankar Kshirsagar
-
Patent number: 11062032
Abstract: Methods and apparatus for verifying a boot process of a computing system are disclosed. An example computer-implemented method includes reading, by a computing system during a boot process, a header section of a read-write portion of firmware of the computing system. The example method further includes generating, using a first cryptographic hash algorithm, a message digest corresponding with the header. The example method also includes decrypting, using a first public-key, an encrypted signature corresponding with the header. The example method still further includes comparing the message digest corresponding with the header and the decrypted signature corresponding with the header. In the event the message digest corresponding with the header and the decrypted signature corresponding with the header match, the example method includes continuing the boot process.
Type: Grant
Filed: November 6, 2018
Date of Patent: July 13, 2021
Assignee: GOOGLE LLC
Inventors: Gaurav Shah, William A. Drewry, Randall Spangler, Ryan Tabone, Sumit Gwalani, Luigi Semenzato
-
Patent number: 11063753
Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.
Type: Grant
Filed: March 20, 2019
Date of Patent: July 13, 2021
Assignee: ARRIS Enterprises LLC
Inventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
-
Patent number: 11055706
Abstract: Aggregated transaction data from a transaction data provider may be encrypted and exchanged with a content item selection system using commutative encryption algorithms. The transaction data provider and content item selection system may utilize a set of common identifiers that are each encrypted using a respective commutative encryption algorithm of the transaction data provider or content item selection system. The other of the transaction data provider or content item selection system encrypts the single-encrypted common identifier using a respective commutative encryption algorithm to generate double encrypted common identifiers. The double encrypted common identifiers may be used to match a set of common identifiers with transaction data. The transaction data may be encrypted and/or may include random offset values.
Type: Grant
Filed: March 17, 2015
Date of Patent: July 6, 2021
Assignee: Google LLC
Inventors: Vinod Kumar Ramachandran, Shobhit Saxena, David Owen Shanahan, Marcel M. M. Yung, Sarvar Patel
-
Patent number: 11057194
Abstract: A processing system includes a first processing unit; a second processing unit; and a cryptographic coprocessor communicatively coupled to the first processing unit and the second processing unit. The cryptographic coprocessor includes a key storage memory for storing a cryptographic key; a first interface configured to receive source data to be processed directly from the first processing unit; a hardware cryptographic engine configured to process the source data as a function of the cryptographic key stored in the key storage memory; a second interface configured to receive a first cryptographic key directly from the second processing unit; and a hardware key management circuit configured to store the first cryptographic key in the key storage memory.
Type: Grant
Filed: June 28, 2018
Date of Patent: July 6, 2021
Assignees: STMICROELECTRONICS S.R.L., STMICROELECTRONICS APPLICATION GMBH
Inventors: Roberto Colombo, Guido Marco Bertoni, William Orlando, Roberta Vittimani
-
Patent number: 11057381
Abstract: A credentials store definition identifying a remote credential store is received. The credential store definition includes access information to enable access to the remote credentials store. A credentials object is created in an internal database based on a credentials object definition. The credentials object identifies a security credential to retrieve from the remote credentials store to access an external resource. At runtime, a request to access the external resource is received, and based on receiving the request, the security credentials identified by the credentials object are retrieved from the remote credential store using the access information. The retrieved security credential is provided to a processing component to access the external resource.
Type: Grant
Filed: April 29, 2020
Date of Patent: July 6, 2021
Assignee: Snowflake Inc.
Inventors: Derek Denny-Brown, Tyler Jones, Isaac Kunen
-
Patent number: 11044244
Abstract: Aspects of the disclosure relate to a system and method for securely authenticating a device via token(s) and/or verification computing device(s). A verification computing device may generate a pseudorandom number or sequence. Based on the pseudorandom number or sequence, the verification computing device may select a first plurality of parameters associated with a user of a device to be authenticated. The verification computing device may transmit, to the device, the pseudorandom number or sequence, and the device may select a second plurality of parameters. The device may generate a token based on the second plurality of parameters. The device may send the token to another device, and the other device may send the token to the verification computing device. The verification computing device may authenticate the device based on the token.
Type: Grant
Filed: September 18, 2018
Date of Patent: June 22, 2021
Assignee: Allstate Insurance Company
Inventors: John Parkinson, Jason Park, David Harris
-
Patent number: 11042358
Abstract: A secure computation system is provided. The system includes a distribution information generation apparatus that generates data distribution values, sign distribution values and carry distribution values from at least two fixed-point numbers by distributing each of the at least two fixed-point numbers using an additive secret sharing scheme; and a secure computation apparatus group including at least two secure computation apparatuses. The secure computation apparatus group includes: a secure digit extender; and a secure multiplier.
Type: Grant
Filed: July 6, 2017
Date of Patent: June 22, 2021
Assignee: NEC CORPORATION
Inventors: Toshinori Araki, Jun Furukawa, Kazuma Ohara, Haruna Higo
-
Patent number: 11039102
Abstract: Various techniques for providing video feed redundancy are described herein. Instructions may be provided for switching input to an output video feed between two or more redundant input video feeds. In some examples, the redundant input video feeds may not be duplicates, may not be frame synchronized, may not be transmitted from the same location, may not be transmitted using the same network types or transmission protocols, and/or may not be initiated at the same time. In some examples, the instructions for video feed redundancy may be associated with respective authorization keys for the redundant input video feeds.
Type: Grant
Filed: December 12, 2017
Date of Patent: June 15, 2021
Assignee: Twitch Interactive, Inc.
Inventors: Ivan Marcin, Jonas Bengtson, Tarek Amara, Shawn Hsu, Abhinav Kapoor, Jorge Arturo Villatoro, Eran Ambar
-
Patent number: 11039308
Abstract: Embodiments relate to a wireless communication device of a group of wireless communication devices configured to communicate with a base station, the wireless communication device comprising a transceiver configured to receive a token from the base station and a processor configured to generate a first data structure on the basis of a function of the token and of a key ki of the wireless communication device and a second data structure comprising an identity idi of the wireless communication device, wherein the transceiver is further configured to broadcast the first data structure and the second data structure to the group of wireless communication devices and the base station.
Type: Grant
Filed: September 20, 2019
Date of Patent: June 15, 2021
Assignee: Huawei Technologies Co., Ltd.
Inventors: Elizabeth Quaglia, Benjamin Smyth, Tsz Hon Yuen
-
Patent number: 11036863
Abstract: A method, an information handling system (IHS) and a validation system for validating an image using an embedded hash. The method includes retrieving, via a controller, a first image from a first memory device and extracting a first hash from a first location within the first image. The first hash was previously generated using an original set of data that includes a first data string, and the first image includes the first hash inserted into the first location to replace the first data string. The method includes retrieving a copy of the first data string. The method further includes generating a second image by inserting the first data string into the first location from which the first hash was extracted such that the second image contains the original set of data. The method further includes validating the first image using the first hash and the second image.
Type: Grant
Filed: August 1, 2017
Date of Patent: June 15, 2021
Assignee: Dell Products, L.P.
Inventors: Elie A. Jreij, Eugene D. Cho
-
Patent number: 11036869
Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.
Type: Grant
Filed: June 3, 2016
Date of Patent: June 15, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Matthew James Wren, Eric Jason Brandwine, Brian Irl Pratt
-
Patent number: 11036998
Abstract: A smart surveillance system includes a communicator configured to communicate with a closed circuit television (CCTV) camera and a cloud server, a background image extractor configured to analyze CCTV image data received from the CCTV camera and to extract a background image, an object image analyzer configured to distinguish an object image from the background image through big data analysis of a CCTV image, a region of interest (ROI) extractor configured to extract an ROI corresponding to the object image, and a controller configured to provide the background image and the ROI to the cloud server, to receive the background image and the ROI from the cloud server, to combine the background image and the ROI, and to generate a complete CCTV image, if necessary.
Type: Grant
Filed: November 21, 2019
Date of Patent: June 15, 2021
Assignee: JEJU NATIONAL UNIVERSITY—ACADEMIC COOPERATION FOUNDATION
Inventors: Donghyeok Lee, Namje Park
-
Patent number: 11032268
Abstract: Embodiments provide a system and method for network tracking. Through various methods of packet encapsulation or IP option filling, one or more packets of information can be tagged with a unique security tag to prevent unauthorized access. A user agent can be validated by an authentication server through acceptance of one or more user credentials. The authentication server can generate a security token that can be transmitted to the user agent. The user agent can generate a keystream from the security token, and portions of that keystream can be attached to the packets as the security tag. The tagged packets can be forwarded to an authenticator, who can recreate the keystream from a copy of the security token provided by the authentication server. If the tags generated from the authenticator match the tags on the tagged packet, the authenticator can strip the tag from the tagged packet and forward the packet on to its next network address.
Type: Grant
Filed: April 11, 2019
Date of Patent: June 8, 2021
Assignee: International Business Machines Corporation
Inventors: Chih-Wen Chao, Cheng-Ta Lee, Wei-Shiau Suen, Ming-Hsun Wu
-
Patent number: 11032067
Abstract: A hardware secure module includes a processing unit and a cryptographic coprocessor. The cryptographic coprocessor includes a key storage memory; a hardware key management circuit configured to store a first cryptographic key in the key storage memory; a first interface configured to receive source data to be processed; a second interface configured to receive the first cryptographic key from the processing unit for storing in the key storage memory; a hardware cryptographic engine configured to process the source data as a function of the first cryptographic key stored in the key storage memory; and a third interface configured to receive a second cryptographic key. The hardware secure module further includes a non-volatile memory configured to store the second cryptographic key; and a hardware configuration module configured to read the second cryptographic key from the non-volatile memory and send the second cryptographic key to the third interface.
Type: Grant
Filed: June 28, 2018
Date of Patent: June 8, 2021
Assignees: STMICROELECTRONICS S.R.L., STMICROELECTRONICS APPLICATION GMBH
Inventors: Roberto Colombo, Guido Marco Bertoni, William Orlando, Roberta Vittimani
-
Patent number: 11030328
Abstract: A cryptographic object management system is provided that includes physically separated first and second object management sites. The first and second object management sites each respectively include HSMs, a HSM server connected to each of the HSMs, and a persistent layer connected to the HSM server. The HSM servers respectively manage operation of each of the HSMs. The HSM server of the first object management site includes an object manager module that manages and controls the cryptographic object management system. The persistent layers respectively store cryptographic objects for use by the HSMs. Each of the HSMs respectively performs crypto-processing on one or more of the cryptographic objects.
Type: Grant
Filed: May 30, 2018
Date of Patent: June 8, 2021
Assignee: ENTRUST CORPORATION
Inventors: Christophe Biehlmann, Kent Landerholm, Vishal Arora
-
Patent number: 11032252
Abstract: A device stores a first portion of a database, which is distributed across communication devices of a network, and to authenticate a first interaction with a second device: sends a first ID to the second device to authenticate itself with the second device; receives a second ID from the second device; retrieve, using the second ID, a public key associated with one of the first portion of the database or a second portion of the database stored in a third device, which has a third address that is numerically within a threshold value of a first address of the device; and verify, based on a permission stored in relation to the public key, that the second device is authorized to engage in the first interaction with the device.
Type: Grant
Filed: January 2, 2019
Date of Patent: June 8, 2021
Assignee: SYCCURE, INC.
Inventors: Seth James Nielson, Thomas Capola
-
Patent number: 11032379
Abstract: Approaches described herein allow an appliance to receive a message from a client device when the client device is attempting to connect to a service other than the appliance. For instance, a client device might connect to a service on a private network, however if the client device is not on the private network, it may encounter an appliance such as a gateway. The appliance is configured to return a message to a client device indicating that it is an appliance, and the client device returns a certificate to the appliance that allows the client to indicate a first purpose of a connection and a second purpose of the connection. In approaches described herein, the second purpose is used by the appliance to perform an action related to providing the service with a certificate that allows for the first purpose, which can include information to create a secure connection between the service and the client device.
Type: Grant
Filed: April 24, 2015
Date of Patent: June 8, 2021
Assignee: CITRIX SYSTEMS, INC.
Inventors: David Alessandro Penry Lloyd, Christopher Morgan Mayers
-
Patent number: 11030280
Abstract: Creating a certificate for a software module. A method includes obtaining a public key for a software module. The method includes obtaining a public key for a software module implemented on a hardware device. The method further includes creating a certificate using the public key by signing the public key using a hardware protected key and hardware protected compute elements. The hardware protected key is protected by a protected portion of the hardware device, and not accessible outside of the protected portion of the hardware device.
Type: Grant
Filed: August 1, 2018
Date of Patent: June 8, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Eustace Ngwa Asanghanwa, Arjmand Samuel
-
Patent number: 11032256
Abstract: A computer implemented method of exchanging first valuable data at a first node for second valuable data from a second node, the method comprising the steps of: applying a first encryption to a first plurality of messages, at the first node, with a function having a commutative property, so as to create a blinded first plurality of messages; sending the blinded first plurality of messages from the first node to the second node, wherein the first valuable data is concealed in one message of the blinded first plurality of messages; receiving a blinded second plurality of messages at the first node, wherein the second valuable data is concealed in one message of the blinded second plurality of messages and the blinded second plurality of messages have been encrypted with a second encryption; in response to receiving the blinded second plurality of messages at the first node, applying a third encryption to the blinded second plurality of messages with a function having a commutative property so as to create do
Type: Grant
Filed: March 16, 2018
Date of Patent: June 8, 2021
Assignee: Oxford University Innovation Limited
Inventors: Andrew William Roscoe, Peter Yvain Anthony Ryan
-
Patent number: 11025418
Abstract: A device may include a secure processor and a secure memory coupled to the secure processor. The secure memory may be inaccessible to other device systems. The secure processor may store some keys and/or entropy values in the secure memory and other keys and/or entropy values outside the secure memory. The keys and/or entropy values stored outside the secure memory may be encrypted using information stored inside the secure memory.
Type: Grant
Filed: June 10, 2019
Date of Patent: June 1, 2021
Assignee: Apple Inc.
Inventors: Kumar Saurav, Jerrold V. Hauck, Yannick L. Sierra, Charles E. Gray, Roberto G. Yepez, Samuel Gosselin, Petr Kostka, Wade Benson
-
Patent number: 11018858
Abstract: A method for re-keying an encrypted data file, the data file being stored chunkwise on a storage entity (SE), data file chunks being encrypted with a global secret, and the method being performed in a memory available to a computing device, includes partially updating a global secret for encryption data for a data chunk to be re-keyed such that an output of a non-interactive oblivious key exchange is used to identify the private key of the data chunk to be re-keyed with a new private key; and reencrypting the data chunk to be re-keyed with the updated global secret.
Type: Grant
Filed: December 8, 2015
Date of Patent: May 25, 2021
Assignee: NEC CORPORATION
Inventor: Ghassan Karame
-
Patent number: 11017127
Abstract: Method and apparatus for managing data in a data storage device configured as a storage compute appliance. In some embodiments, the data storage device has a non-volatile memory (NVM) and a controller circuit. The NVM stores a plurality of data sets encrypted by at least one encryption key. The controller circuit performs a storage compute appliance process by locally decrypting the plurality of data sets in a local memory of the data storage device, generating summary results data from the decrypted data sets, and transferring the summary results data across the host interface to an authorized user without a corresponding transfer of any portion of the decrypted data sets across the host interface.
Type: Grant
Filed: January 31, 2018
Date of Patent: May 25, 2021
Assignee: Seagate Technology LLC
Inventors: Stacey Secatch, Kristofer C. Conklin, Dana Lynn Simonson, Robert Wayne Moss
-
Patent number: 11019098
Abstract: The present disclosure is directed to systems and methods for providing protection against replay attacks on memory, by refreshing or updating encryption keys. The disclosed replay protected computing system may employ encryption refresh of memory so that unauthorized copies of data are usable for a limited amount of time (e.g., 500 milliseconds or less). The replay protected computing system initially encrypts protected data prior to storage in memory. After a predetermined time or after a number of memory accesses have occurred, the replay protected computing system decrypts the data with the existing key and re-encrypts data with a new key. Unauthorized copies of data (such as those made by an adversary system/program) are not refreshed with subsequent new keys. When an adversary program attempts to use the unauthorized copies of data, the unauthorized copies of data are decrypted with the incorrect keys, which renders the decrypted data unintelligible.
Type: Grant
Filed: June 29, 2018
Date of Patent: May 25, 2021
Assignee: Intel Corporation
Inventors: Sergej Deutsch, David Durham, Karanvir Grewal, Rajat Agarwal
-
Patent number: 11018860
Abstract: The techniques discussed herein relate to providing a highly available and reliable secret distribution infrastructure. In an implementation, a key master service (KMS) system is disclosed. The KMS system includes one or more computer readable storage media having program instructions stored thereon which, when executed by one or more processing systems, direct the one or more processing systems to identify a hydration event and, responsive to the hydration event, determine if other KMS systems are running in a secret distribution infrastructure. The program instructions, when executed by one or more processing systems, further direct the KMS system to hydrate the KMS system with secret information obtained from the one or more of the other KMS systems when the other KMS systems are running in the secret distribution infrastructure.
Type: Grant
Filed: May 19, 2017
Date of Patent: May 25, 2021
Assignee: Microsoft Technology Licensing, LLC
Inventors: Andy Ness, Catherine Amy McDonald, Jeffrey E. Steinbok, Prajakta Sudhir Samant, Tyler Pennington, Nicola Alfeo
-
Patent number: 11003761
Abstract: Embodiments for implementing an inferred access authentication decision for an application by a processor. A minimum required credential strength of a current authentication process for an application is compared to a previous, successful authentication for the application. The minimum required credential strength of application is inferred to be sufficient to validate the current authentication process upon determining a minimum required credential value (AMRCV) is greater than a predetermined threshold of the previous successful authentication for the application.
Type: Grant
Filed: September 5, 2018
Date of Patent: May 11, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Charles S. Lingafelt, Gregory J. Boss, Andrew R. Jones, John E. Moore, Jr., Kevin Charles Mcconnell
-
Patent number: 11005825
Abstract: One or more networks each include a plurality of sensor nodes operable to communicate public data with each other. Each of the plurality of sensor nodes is operable to gather sensor node data and store the sensor node data locally on the sensor node. Duplicate portions of the sensor node data are distributed to the public data of others of the plurality of sensor nodes via the public data paths for backup storage. The system includes a host that is coupled to individually communicate private data with each of the plurality of sensor nodes. Each of the sensor nodes protects the private data from others of the sensor nodes using distributed key management to ensure distributed encryption.
Type: Grant
Filed: November 13, 2018
Date of Patent: May 11, 2021
Assignee: Seagate Technology LLC
Inventors: Mehmet Fatih Erden, Walter R. Eppler, Robert D. Murphy, Greg D. Larrew
-
Patent number: 10999056
Abstract: An apparatus and method for performing an operation that is secure against side-channel attack are provided. The apparatus and method generate values equal to values obtained through an exponentiation operation or a scalar multiplication operation of a point using values extracted from previously generated parameter candidate value sets and an operation secure against side-channel attack, thereby improving security against side-channel attack without degrading performance.
Type: Grant
Filed: January 4, 2018
Date of Patent: May 4, 2021
Assignee: SAMSUNG SDS CO., LTD.
Inventors: Kyu-Young Choi, Duk-Jae Moon, Hyo-Jin Yoon, Ji-Hoon Cho
-
Patent number: 10997314
Abstract: A data management system stores data related to a plurality of users. The data management system initially stores the data in an encrypted format. The data management system automatically periodically re-encrypts the data in accordance with a re-encryption policy. The re-encryption policy includes re-encryption periodicity data defining a periodicity for automatically re-encrypting the data.
Type: Grant
Filed: April 17, 2019
Date of Patent: May 4, 2021
Assignee: Intuit Inc.
Inventors: Sean McCluskey, Elangovan Shanmugam, Narendra Dandekar, Rachit Lohani
-
Patent number: 10997317
Abstract: The method allows a sender to safeguard its identification in messages sent to a recipient. Even when using promiscuous channels for transmitting the message, only the recipient is able to disclose the sender's identity. The method uses symmetrical cryptography of low computational requirements, without depending on a single shared key among the users so that the sender cannot disclose the identity of the others. The method gradually safeguards the sender's identification, by using successive symmetric cryptographic operations and keys of a binary tree structure built for this purpose in the recipient which applies the steps in a reverse way to that of the sender's protection, to disclose its identification. It is also possible to encrypt the message body.
Type: Grant
Filed: January 19, 2017
Date of Patent: May 4, 2021
Assignee: SCOPUS SOLUCOES EM TI LTDA
Inventors: Adren Sassaki Hirose, Reginaldo Arakaki, Armin Werner Mittelsdorf, Wilson Vicente Ruggiero
-
Patent number: 10999257
Abstract: A content item service enables users to upload media for content items to be given to others. The content item service performs operations on uploaded media content, such as transcoding. A transformed instance of content is encrypted using a cryptographic key, and an identifier for the encrypted transformed instance of content is generated. The encrypted transformed instance of content and an encrypted version of the cryptographic key are stored in association with the identifier.
Type: Grant
Filed: July 19, 2019
Date of Patent: May 4, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Ravi Kiran Chilakapati, Catalin Mihai Constantin, Francis Xavier Kearney
-
Patent number: 10990684
Abstract: The present invention generally relates to a context-aware security self-assessment method or module that determines the context in which the device is used and based on this, assesses the device's security settings. The context may refer to the system environment, the applications the device is used for, and/or the current life-cycle stage of the device, without being limited to said contexts. The method of the present invention preferably prioritizes and rates the security relevant findings and presents them in combination with mitigation options through a web interface, a configuration tool, or through notifications in the control system.
Type: Grant
Filed: September 18, 2018
Date of Patent: April 27, 2021
Assignee: ABB Power Grids Switzerland AG
Inventors: Sebastian Obermeier, Roman Schlegel, Johannes Schneider, Thomas Locher, Matus Harvan
-
Patent number: 10992464
Abstract: A chip includes a processing device to perform cryptographic operations by secret data; a memory to store a first plurality of information portions that correspond to a first breakdown of the data and from which the secret data are reconstructible by combination of the first plurality of information portions; a random number generator to provide random values; and a conversion device to ascertain second breakdowns of the data into a second plurality of information portions, from which the secret data are reconstructible and to control the memory for an ascertained second breakdown to store the present second plurality of information portions. The conversion device is further configured to ascertain the second breakdowns based on the random values and/or to determine the interval of time between the ascertaining and storing of a second breakdown and the ascertaining and storing of the subsequent second breakdown based on the random values.
Type: Grant
Filed: January 8, 2019
Date of Patent: April 27, 2021
Assignee: INFINEON TECHNOLOGIES AG
Inventors: Berndt Gammel, Bernd Meyer
-
Patent number: 10992649
Abstract: Systems and methods for privacy in distributed ledger transactions are disclosed. In one embodiment, in an information processing apparatus comprising at least one computer processor for a first node in a computer network comprising a plurality of nodes, a method for generating a key directory in a network comprising a plurality of nodes may include: (1) advertising a public key for a first node to the other nodes; (2) receiving public key information from each of the plurality of nodes; and (3) generating a public key directory that associates each node in the computer network with its public key.
Type: Grant
Filed: February 23, 2018
Date of Patent: April 27, 2021
Assignee: ConsenSys Software Inc.
Inventors: Tyrone Lobban, Patrick Mylund Nielsen, Amber Baldet, Samer Falah
-
Patent number: 10992839
Abstract: A method for controlling an electronic device including at least one processor configured to encrypt an image and upload the encrypted image to an external server by using an artificial intelligence neural network model is provided. The method includes receiving a command to upload an image to the external server; acquiring, based on the command, a characteristic value corresponding to the image by inputting the image and a key of the electronic device into a neural network model trained to identify characteristic values based on an input image and an input key; and transmitting identification information of the image and the characteristic value to the external server.
Type: Grant
Filed: February 5, 2020
Date of Patent: April 27, 2021
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Seong-min Kang, Heung-woo Han
-
Patent number: 10990691
Abstract: A method is provided that permits a user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.
Type: Grant
Filed: May 10, 2019
Date of Patent: April 27, 2021
Assignee: ARRIS Enterprises LLC
Inventors: Jinsong Zheng, Alexander Medvinsky, Tat Keung Chan, Ting Yao, Jason A. Pasion
-
Patent number: 10992461
Abstract: Technology permitting secure storage and transmission of data streams as well as tiered access to multiple data streams according to permission. Data streams may be encrypted using symmetric encryption performed with varying symmetric keys according to a key stream of symmetric keys. Native data may be discarded for safety. Whole or partial key streams may be encrypted using the public keys of authorized entities having permission to access respective data streams or portions thereof. Only the corresponding private keys can decrypt the encrypted key streams required to decrypt the encrypted data streams. Thus rigorous access control is provided. IT personnel accessing data stream files on a server or intruders maliciously obtaining files will not be able to derive the data stream. Sensitive data streams may be stored using cloud services despite inherent risks.
Type: Grant
Filed: November 18, 2016
Date of Patent: April 27, 2021
Assignee: GENETEC INC.
Inventors: Pierre Racz, Frederic Rioux
-
Patent number: 10990300
Abstract: An example method for restricting read access to content in the component circuitry and securing data in the supply item is disclosed. The method identifies the status of a read command, and depending upon whether the status is disabled or enabled, either blocks the accessing of encrypted data stored in the supply chip, or allows the accessing of the encrypted data stored in the supply chip.
Type: Grant
Filed: April 15, 2019
Date of Patent: April 27, 2021
Assignee: LEXMARK INTERNATIONAL, INC.
Inventors: Stephen Porter Bush, Jennifer Topmiller Williams
-
Patent number: 10986177
Abstract: A multi-dimensional blockchain protocol designed to self-fork into multiple chains, scale infinitely, achieve zero cost transactions, sub-second finality and open new markets for sharders, blobbers, developers, and content publishers, while managing a low inflation rate.
Type: Grant
Filed: July 3, 2018
Date of Patent: April 20, 2021
Assignee: 0Chain, LLC
Inventor: Saswata Basu
-
Patent number: 10985905
Abstract: A fully homomorphic white-box implementation of one or more cryptographic operations is presented. This method allows construction of white-box implementations from general-purpose code without necessitating specialized knowledge in cryptography, and with minimal impact to the processing and memory requirements for non-white-box implementations. This method and the techniques that use it are ideally suited for securing “math heavy” implementations, such as codecs, that currently do not benefit from white-box security because of memory or processing concerns. Further, the fully homomorphic white-box construction can produce a white-box implementation from general purpose program code, such as C or C++.
Type: Grant
Filed: February 11, 2020
Date of Patent: April 20, 2021
Assignee: ARRIS Enterprises LLC
Inventor: Lex Aaron Anderson
-
Patent number: 10985921
Abstract: Example embodiments of systems and methods for application verification are provided. An application may generate a cryptographic key, and encrypt the cryptographic key with a predefined public key. A server, in data communication with the application, may include a predefined private key. The application may transmit the cryptographic key to the server. The server may receive, from the application, the cryptographic key; decrypt the cryptographic key using the predefined private key; encrypt an authorization token using the decrypted key; and transmit, to the client application, the authorization token via an out-of-band channel. The application may receive, from the server, the authorization token via the out-of-band channel; and decrypt the authorization token to obtain access to one or more services associated with the server.
Type: Grant
Filed: November 5, 2019
Date of Patent: April 20, 2021
Assignee: CAPITAL ONE SERVICES, LLC
Inventors: Panayiotis Varvarezis, Mausam Gautam, Reza Jaberi, Edward Lee, Chad Landis
-
Patent number: 10986451
Abstract: A hearing assistive system comprises a personal communication device (10) and a head-worn device (20). The personal communication device (10) has a user interface (12) being adapted for user interaction, a processor (11) controlling the user interface (12) and being adapted to run an application program, a short-range radio (13), and an output transducer (15). The head-worn device (20) has an input transducer (24) adapted for converting sound into an electric signal applied to a processor (21) outputting a modified audio signal via an output transducer (25). The application program is adapted to generate and output a data packet (70) on an audio carrier via the output transducer (15). The head-worn device (20) has an audio signaling block (26) for detecting and decoding the data packet (70) received by the input transducer (24). The head-worn device (20) has a controller (27) for controlling the operation of a short-range radio (28).
Type: Grant
Filed: February 2, 2018
Date of Patent: April 20, 2021
Assignee: Widex A/S
Inventors: Michael Ungstrup, Michael Johannes Pihl, Mike Lind Rank, Jan Hesselballe
-
Patent number: 10986209
Abstract: A method implemented by a first content network element (NE) in an information centric network (ICN), the method comprising receiving, by a receiver, an interest packet through a first interface, wherein a header of the interest packet comprises a path filter, the path filter being associated with one or more segments on a path from a consumer to a producer, modifying, by a processor coupled to the receiver, the path filter based on information identifying one or more previous content NEs or one or more next content NEs on the path to produce a modified path filter, and transmitting, by a transmitter coupled to the receiver, the interest packet with the modified path filter to the next content NE.
Type: Grant
Filed: April 19, 2018
Date of Patent: April 20, 2021
Assignee: Futurewei Technologies, Inc.
Inventors: Aytac Azgin, Ravishankar Ravindran