Abstract: Preventing misuse of a cryptographic key by receiving a request to carry out a cryptographic operation using a cryptographic key from a requesting entity, distributing the request to a quorum comprising multiple computerized devices, receiving a decision from the multiple computerized devices on whether or not the cryptographic operation using the cryptographic key is allowed, and carrying out the cryptographic operation using the cryptographic key according to the decision from the multiple computerized devices.

Abstract: Techniques are disclosed for managing encrypted storage resources based on key-metadata. The per-key key-metadata is stored in a key management system/server (KMS) along with respective cryptographic keys. The cryptographic keys in the KMS may be data keys or wrapping keys for the data keys. The management of the storage resources is provided via a central console which is a user interface of a console server in authenticated communication with the KMS. The key-metadata associates cryptographic keys to their respective encrypted storage resources. This association is used by the console server to drive the console. The console allows an admin to view/list all encrypted storage resources and related cryptographic objects including keys and digital certificates, as well as to perform various administrative/management functions on them.

Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication (QEA). An example method includes transmitting, a first electronic identification of a first subset of a first set of entangled quantum particles to a first computing device, transmitting, by the classical communications circuitry, a second number to a second computing device, wherein each entangled quantum particle in the first set of entangled quantum particles is entangled with a respective entangled quantum particle in a second set of entangled quantum particles, receiving, from the first computing device, a first number, the first number representative a measurement of the first subset of the first set of the entangled quantum particles, and in an instance in which the second number corresponds to the first number, authenticating a session between the first computing device and the second computing device.

Abstract: A computer-implemented method for providing cryptographic services, including providing key pairs. A key management service receives a web service application programming interface or other such request to generate a key pair. To respond to the request, the key management service obtains a pregenerated key pair that is securely stored and provides the key pair in response to the request.

Abstract: Technologies disclosed herein provide an apparatus comprising a fuse controller coupled to an aggregator. The fuse controller includes a plurality of fuses for storing a unique identifier of a device and a first secured value of a first password associated with the unique identifier. The aggregator is to receive the unique identifier and the first secured value from the fuse controller, send the unique identifier to an unlock host, receive a second password from the unlock host, compute a second secured value of the second password using a security function, and unlock one or more privileged features on the device based on the first secured value corresponding to the second secured value. In a specific embodiment, the first secured value corresponds to the second secured value if the first password is equivalent to the second password.

Abstract: An intelligent electronic device (IED) of an electric power distribution system includes processing circuitry and a memory that includes a tangible, non-transitory, computer-readable comprising instructions. The instructions, when executed by the processing circuitry, are configured to cause the processing circuitry to receive operating data associated with the electric power distribution system, determine whether the operating data matches with expected operating data, generate a connectivity association key (CAK) based on the operating data in response to a determination that the operating data matches with the expected operating data, and establishing a connectivity association based on the CAK.

Abstract: Systems and methods are provided for binding one or more components to an identification component of a hardware module. Each of the serial numbers for the one or more components are included within a module-specific authentication certificate that is stored within the identification component of the hardware module. When connected to a computing platform, an authentication system of the computing platform is capable of retrieving the module-specific authentication certificate. The authentication system can compare the list of serial numbers included in the module-specific authentication certificate with one or more serial numbers read over a first interface. If the two lists of serial numbers match, the authentication system can flag the hardware module as authenticate through authentication of all components of the hardware module.

Abstract: A method of generating a secret key according to one embodiment includes generating a share of each of a user and a plurality of other users for a secret key of the user, providing the share of each of the plurality of other users to a user terminal of each of the plurality of other users, receiving a share of the user for a secret key of each of the plurality of other users from the user terminal of each of the plurality of other users, and generating a new secret key of the user using the share of the user for the secret key of the user and the shares of the user for the secret key of each of the plurality of other users.

Abstract: A computer-implemented method for protecting a mobile device against unauthorized access may be provided. The method comprises encrypting the user data stored in a volatile memory of the mobile device if the mobile device is switched to a locked status, and decrypting the user data stored in the volatile memory if the mobile device is switched from the locked status into an unlocked status.

Abstract: A method including determining, by a first user device, encrypted content by encrypting content based on a first private key; encrypting, by the first user device, the first private key based on utilizing a second public key associated with a second user device; transmitting, by the first user device to a storage device, the encrypted content and the encrypted first private key for storage in association with a first account; receiving, by the second user device from storage device, the encrypted content and the encrypted first private key when the first user device is unable to access the encrypted content; decrypting, by the second user device, the encrypted first private key and the encrypted content based on a second private key; and transmitting, by the second user device to the first user device, the content to restore access to the content by the first user device is disclosed.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for session authentication and random number generation. An example method includes receiving, by decoding circuitry and over a quantum line, a set of qbits generated based on a first set of quantum bases. The example method further includes decoding, by the decoding circuitry and based on a second set of quantum bases, the set of qbits to generate a decoded set of bits. In this example method, the first set of quantum bases is determined without reliance on the second set of quantum bases and the second set of quantum bases is determined without reliance on the first set of quantum bases. The example method further includes generating, by random number generation circuitry, a number comprising the decoded set of bits.

Abstract: Multi-envelope encryption provides redundancy for highly-available storage of encrypted data. Data, such as a “snapshot” representing values of every block of a block storage volume or device at a specific point in time, may be encrypted before storage to prevent unauthorized access to the data. To further protect the data and prevent unauthorized access to the data, additional security measures may be taken. Multiple copies of the data key that is to be used to decrypt the data may be encrypted and stored separately from the encrypted data as envelopes. The different envelopes may each be encrypted using envelope keys. If one envelope key is later lost or otherwise becomes unavailable, the encrypted data can still be accessed by using a different envelope key to recover the data key and decrypt the data.

Abstract: An Internet of Things (IoT) network composite object includes a device owner with name server and sub-object list, sub-objects, and a blockchain recording the sub-objects. An IoT network composite object includes a device owner with composite object type name server, and blockchain. An IoT network coalition group includes coalition group name server, coalition group member list, and blockchain. An IoT network apparatus includes device identity generator, message publisher, network applier, device describer, and packer sender. An IoT network apparatus includes a device registrar to register device to first network through a portal to second network, device joiner, token requester, and authentication request sender. An IoT network apparatus includes an identity verifier to verify the identity of an authentication request, and an authentication request response returner.

Abstract: Examples associated with network compliance detection are described. One example includes storing a set of security rules for a device. The device monitors the device for compliance with the security rules. Upon detecting noncompliance with an identified security rule, the device may disable network access for the device, and establish a trigger. The trigger may disable network access for the device when network access for the device is restored prior to returning the device to compliance with the identified security rule.

Abstract: The disclosure details the implementation of an apparatus, method, and system comprising a portable device configured to communicate with a terminal and a network server, and execute stored program code in response to user interaction with an interactive user interface. The portable device contains stored program code configured to render an interactive user interface on a terminal output component to enable the user the control processing activity on the portable device and access data and programs from the portable device and a network server.

Abstract: A web of trust in a distributed system is established. A root of trust for at least two components in the distributed system validates information for the distributed system. The validated information is then used to create additional information for the distributed system. Versions of the information are usable to validate subsequent versions of the information such that validation of a version of the information can be performed by using one or more previous versions to verify that the version is a valid successor of a previously validated previous version.

Abstract: A method includes monitoring a media stream that is streamed over a network at a given media bit-rate in a sequence of traffic bursts. Respective data volumes of one or more traffic bursts of the sequence are estimated, and the given media bit-rate is derived from the estimated data volumes.

Abstract: According to one embodiment, a system receives, at a host channel manager (HCM) of a host system, a request from an application to establish a secure channel with a data processing (DP) accelerator, where the DP accelerator is coupled to the host system over a bus. In response to the request, the system generates a first session key for the secure channel based on a first private key of a first key pair associated with the HCM and a second public key of a second key pair associated with the DP accelerator. In response to a first data associated with the application to be sent to the DP accelerator, the system encrypts the first data using the first session key. The system then transmits the encrypted first data to the DP accelerator via the secure channel over the bus.

Abstract: Various embodiments are directed to securely verifying an identity of a user who is requesting to add or link a financial instrument to a third-party digital wallet using one-tap contactless card authentication. The financial instrument may be added or linked to the third-party wallet in at least two scenarios: pull provisioning and push provisioning. In either provisioning scenarios, the user may be required to authenticate the financial instrument being added or linked by successfully verifying the identity of the user via the one-tap contactless card authentication at a banking application associated with the financial instrument.

Abstract: Methods, systems, and devices for cryptographic key management are described. A memory device can issue, by a firmware component, a command to generate a first cryptographic key for encrypting or decrypting user data stored on a memory device. The memory device can generate, by a hardware component, the first cryptographic key based on the command. The memory device can encrypt, by the hardware component, the first cryptographic key using a second cryptographic key and an initialization vector. The memory device can store the encrypted first cryptographic key in a nonvolatile memory device separate from the hardware component.

Abstract: A cryptographic object management system is provided that includes physically separated first and second object management sites. The first and second object management sites each respectively include HSMs, a HSM server connected to each of the HSMs, and a persistent layer connected to the HSM server. The HSM servers respectively manage operation of each of the HSMs. The HSM server of the first object management site includes an object manager module that manages and controls the cryptographic object management system. The persistent layers respectively store cryptographic objects for use by the HSMs. Each of the HSMs respectively performs crypto-processing on one or more of the cryptographic objects.

Abstract: The technology disclosed herein provides network bound encryption that enables a trusted execution environment to persistently store and access recovery data without persistently storing the decryption key.

Abstract: Systems and methods are provided for a secondary authentication of a memory module. A nonce key is written to a nonce register of a register array on the memory module, the nonce register being accessible over two different interfaces. In various embodiments, the nonce key may be generated by a management system of the computing platform after performing one or more authentication processes for a memory module over a management interface. Authentication information for use in performing authentication can be stored in an identification component on the memory module. If authentication is successful, the management system can generate the nonce key and write it to the nonce register. Upon receiving a request to access an address, a memory controller can read the nonce register of the memory module at the requested address and compare the nonce key to an identifier included in the request.

Abstract: A computer implemented method in a system comprising an actor authorization node, an access right storage node and a file record node.

Abstract: A system includes processor(s) and at least one memory communicatively coupled to the processor(s). The processor(s) is/are configured to encrypt at least one set of asset encryption key parts into at least one set of encrypted asset encryption key parts using at least one symmetric key or at least one public key, each public key belonging to a corresponding one of at least one public/private keypair. At least a subset of the at least one set of asset encryption key parts are used to reconstruct the asset encryption key, which is used to perform an action using at least one asset key. The processor(s) is/are also configured to encrypt the encrypted asset encryption key parts and corresponding metadata using a public key of a public/private keypair so the at least one set of encrypted asset encryption key parts is doubly-encrypted.

Abstract: Systems, apparatuses, and methods are disclosed for quantum entanglement authentication (QEA).

Abstract: Embodiments described herein provide a tree-based key management protocol with enhanced computational and bandwidth efficiency. A tree structure including a plurality of nodes is formulated according to modules in a vehicle. A group key and a blinded key are computed for a leaf node from the plurality of nodes based at least in part on a multiplication operation defined in an ecliptic curve group. Or a group key and a blinded key are recursively computed for a non-leaf node based at least in part on a key derivation function and the multiplication operation involving a group key and a blinded key corresponding to nodes that is one level down to the non-leaf node.

Abstract: A distributed database encrypts a table using a table encryption key protected by a client master encryption key. The encrypted table is replicated among a plurality of nodes of the distributed database. The table encryption key is replicated among the plurality of nodes, and is stored on each node in a respective secure memory. In the event of node failure, a copy of the stored key held by another member of the replication group is used to restore a node to operation. The replication group may continue operation in the event of a revocation of authorization to access the client master encryption key.

Abstract: This application provide quantum key distribution methods, devices, and storage media. In an implementation, a method comprises: determining, based on a first mapping, a first quantum key of N first quantum keys corresponding to an ith node on a target routing path; determining, based on a second mapping, a second quantum key of N second quantum keys corresponding to the ith node; and generating, by the ith node based on the first quantum key corresponding to the ith node and the second quantum key corresponding to the ith node, a third quantum key corresponding to the ith node on the target routing path.

Abstract: A communication device includes a plurality of key distributing units, a plurality of communicating units, a monitoring unit, and a switching unit. The plurality of key distributing units have a quantum key distribution function for sharing a quantum key with an external distribution device. The plurality of communicating units communicate with an external communication device using the quantum key. The monitoring unit monitors operational status indicating at least one of transmission-reception status of photons in the quantum key distribution function, generation status of generating the quantum key, and obtaining status of obtaining the quantum key. The switching unit switches a control target, which either represents one of the key distributing units or represents one of the communicating units, from a first control target to a second control target other than the first control target according to the operational status.

Abstract: The performance of quantum key distribution by systems and methods that use wavelength division multiplexing and encode information using both wavelength and polarization of photons of two or more wavelengths. Multi-wavelength polarization state encoding schemes allow ternary-coded digits, quaternary-coded digits and higher-radix digits to be represented by single photons. Information expressed in a first radix can be encoded in a higher radix and combined with a string of key values to produce a datastream having all allowed digit values of that radix in a manner that allows eavesdropping to be detected without requiring the sender and receiver to exchange additional information after transmission of the information.

Abstract: A customer of a policy management service may use an interface with a configuration and management service to interact with policies that may be applicable to the customer's one or more resources. The customer may create and/or modify the policies and the configuration and management service may notify one or more other entities of the created and/or modified policies. The one or more other entities may be operated by user authorized to approve the created and/or modified policies. Interactions with the configuration and management service may be the same as the interactions with the policy management service.

Abstract: In general, techniques are described for an encryption key namespace of a kernel, executed by a host computing device, the encryption key namespace having a configuration file that stores an association of a key identifier and a container identifier by which the host computing device can obtain a data encryption key to use for decrypting/encrypting data for the container identified by the container identifier. In this way, a user may associate a container (or container image) with a unique key identifier. By configuring this association in the encryption key namespace for the container, the container may be identified and automatically associated with a key identifier for the appropriate key for decrypting/encrypting data for the container. The host computing device may then obtain, from a key management service, the key using the key identifier.

Abstract: Various embodiments of the present application set forth a computer-implemented method that includes generating, based on a resource file stored at an endpoint device, a credential data packet for authenticating with a first application executing in a first network, where the resource file includes a set of encryption keys associated with a plurality of applications including the first application, and where the credential data packet is encrypted with a device key signed by the endpoint device, and the credential data packet is signed by an endpoint device management (EDM) key extracted from the set of encryptions keys included in the resource file, sending, by the endpoint device, the credential data packet to the first application via a trusted communication channel, and receiving, by the endpoint device and in response to the credential data packet, an authorization packet from the first application via the trusted communication channel.

Abstract: A wideband chaotic waveform that is rateless in that it may be modulated at virtually any rate and has a minimum of features introduced into the waveform. Further, the waveform provided may be operated below a signal to noise ratio wall to further enhance the LPD and LPE aspects, thereof. Additionally, the present disclosure may provide a mix of coherent and non-coherent processing techniques applied to signal samples to efficiently achieve coarse synchronization with a waveform that is faster, more efficient and more accurate than using time domain signal correlators alone.

Abstract: The disclosed systems and method provide for an audio playback device to form a Bluetooth connection with an audio source device based on audio generated by an acoustic transducer. The audio is encoded with Bluetooth connectivity data corresponding to the audio source device. The acoustic transducer can be arranged on the audio source device, or it can be arranged on an audio playback device connected to the audio source device via a Bluetooth connection. The audio is received by a microphone of an audio playback device. The audio playback device then extracts the Bluetooth connectivity information from the audio, and forms a Bluetooth connection with the audio source device. If the Bluetooth connection is a Broadcast Audio stream, as defined by the LE Audio standard, multiple audio playback devices can be able to connect audio source device, allowing for a communal listening experience.

Abstract: A system for quantum key synchronization within a server-cluster is provided. The system may include a plurality of silicon-based servers encapsulated in quantum cases. Each quantum case may include a quantum tunneling transmitter module, a quantum random number generator and a quantum entanglement module. The quantum cases may communicate with each other via the quantum tunneling transmitter module or any other suitable manner. The quantum cases may only communicate with cases with which they are entangled. Therefore, in the event of a compromise on one of the servers, the quantum entanglement module, included in the case that encapsulates the compromised server, may become disentangled, and therefore not be able to communicate with the other servers included in the cluster using an internal communications protocol.

Abstract: A method for sharing read access to a document stored on memory hardware. The method includes receiving a shared read access command from a sharor sharing read access to a sharee for a document stored on memory hardware in communication with the data processing hardware, and receiving a shared read access request from the sharee. The shared read access command includes an encrypted value and a first cryptographic share value based on a write key, a read key, a document identifier, and a sharee identifier. The method also includes multiplying the first and second cryptographic share values to determine a cryptographic read access value. The cryptographic read access value authorizes read access to the sharee for the document. The method also includes storing a read access token for the sharee including the cryptographic read access value and the encrypted value in a user read set of the memory hardware.

Abstract: A transaction data processing method includes: receiving a first transaction document from a device of a transaction initiator, the first transaction document being associated with identity labels of a plurality of transaction participants; separately performing identity authentication on the plurality of transaction participants according to the identity labels of the plurality of transaction participants, to obtain an identity authentication result.

Abstract: A blockchain-based message transmission is provided. The system may include a plurality of silicon-based devices encapsulated in quantum cases. Each quantum case may include a quantum random number generator and a public key. The quantum random number generator may generate quantum-resilient random numbers to be used as private keys. The system may include a private network. The private network may include a subset of system's devices. A first device, included in the private network, may transmit a message to a second device included in the private network. A first quantum case that encapsulates the first device may intercept the message, generate a private key, encrypt the message using the private key, generate a data transaction block that includes message metadata, upload the data transaction block to a system blockchain and transmit the message to the recipient upon receipt of an approval from a majority of devices.

Abstract: Systems and methods provide a transient component limited access to data in a composition. One method includes receiving a request for the transient component to access data in the composition. The composition may include permanent components operable to utilize encryption keys generated at selected intervals from a seed value shared by the permanent components. The encryption keys utilized by the permanent components at each selected interval may be identical to one another. The method also includes generating a set of encryption keys from the seed value for a specified period of time. The set of encryption keys may be identical to the encryption keys to be utilized by the permanent components at the selected intervals to occur during the specified period of time. The method further includes granting the transient component access to data in the composition for the specified period of time via the set of encryption keys.

Abstract: A contactless card can include a plurality of keys for a specific operation, e.g., encryption or signing a communication. The contactless card can also include an applet which uses a key selection module. The key selection module can select one of the plurality of keys and the applet can use the key to, e.g., encrypt or sign a communication using an encryption or signature algorithm. The contactless card can send the encrypted or signed communication to a host computer through a client device. The host computer can repeat the key selection technique of the contactless device to select the same key and thereby decrypt or verify the communication.

Abstract: Embodiments include a method for secure data storage including constructing an encryption key from a plurality of key elements, the constructing including distributing the plurality of key elements to a plurality of key maintenance entities, each of the plurality of key maintenance entities employing a plurality of independent safe guards for their respective key elements of the plurality of key elements; and requiring access to the plurality of key elements to construct the encryption key. The method includes receiving a subset of the plurality of key elements via a twice-encrypted communications channel; and regenerating the encryption key at the client node; and after encrypting data, deleting the subset of the plurality of key elements received over the twice-encrypted communications channel, retaining any of the plurality of key elements previously stored at the client node.

Abstract: A method and a system for generating a hyper-entangled high-dimensional time-bin frequency-bin state, the method comprising generating a hyper-entangled state composed of a time-bin and frequency-bin encoded state, and individually modifying at least one of: i) the amplitude and ii) the phase of the state components at different frequency-bins and different time-bins of the hyper-entangled state. The system comprises a non-linear medium exited with multiple pulses in broad phase-matching conditions, a frequency mode separator and an amplitude/phase modulator, the frequency mode separator temporally and spatially separating frequency modes of the hyper-entangled state, the amplitude/phase modulator individually modifying at least one of: i) the amplitude (and ii) the phase of the state components at different frequency-bins and different time-bins of the hyper-entangled state.

Abstract: Methods and systems for authenticating a client device using entropy provided by a server and/or a device paired with the client device are described herein. The client device may receive a first user credential. The client device may receive first entropy from a wireless device. The client device may decrypt, using the first entropy, second entropy generated by a server. The client device may decrypt, using the second entropy, a second user credential that was stored in the client device. Based on a comparison of the first user credential with the second user credential, the client device may grant a user of the client device access to one or more resources.

Abstract: Systems and methods for managing provisioning of keys prior to a key rotation are provided. A license server generates a license that is associated with a renewal time. The renewal time is a time that is prior to a key rotation time, and triggers a receiver device to send a renewal request prior to the key rotation time. The renewal time may be a randomized time prior to the key rotation time that differs for different receiver devices. The license is transmitted to the receiver device. The license server then receives a renewal request from the receiver device that is triggered at the renewal time. The license server generates a next license that comprises a next key, whereby the next key is a decryption key for decrypting the encrypted signal after the key rotation time. The next license is transmitted to the receiver device prior to the key rotation time.

Abstract: Data security across data residency restriction boundaries is provided by obtaining and profiling a dataset on which a desired analysis is to be performed, with some results of the desired analysis to be transferred from one location to another, the dataset subject to data residency restrictions that restrict transfer of the dataset across a boundary to the another location, and the profiling identifying a profile level for the dataset, then automatically generating a container image based on the profile level and the data residency restrictions that restrict the transfer of the dataset across the boundary, the container image configured for instantiation and execution to process the dataset into a reformatted dataset not restricted by the data residency restrictions for transfer across the boundary, and storing the container image to a container registry.

Abstract: System, device, and method of providing authenticity and rights verification mechanism for media content and for its derived versions. A media authenticity server is configured to receive a content item, and to generate for it a record having a unique content identifier and indications of permitted modifications, and optionally also copyright information usage restrictions. The media authenticity server authorizes or blocks modifications requests regarding the content item. The media authenticity server tracks and logs the permitted modifications performed on the content item, and makes this log available for inspection to end-user devices via a web browser or via a content consumption application. Optionally, playback or consumption of a modified version of the content item is blocked, or is accompanied by a warning message, if the modified version is not associated with an authenticated log of permitted modifications.

Abstract: The present disclosure is designed to properly prevent tampering of data, which might take place in a data collection route. Data managing apparatus 100 includes a reception processing unit 131 configured to receive processing history information related to a history of processing performed on collected data and encrypted information of a first hash value generated from the processing history information using a public key associated with the processing, a generation processing unit 133 configured to generate a second hash value from the processing history information, and a maintaining unit 135 configured to maintain the processing history information when the first hash value, decrypted from the encrypted information using a private key associated with the data collection process, and the second hash value match.

Abstract: Methods, system and devices are provided that generate a sequence of sub-keys for cryptographic operations from a main key. The main key is operated on only once to generate the sub-keys of the sequence, with a transformation comprising one or more one-way functions. The respective bit values of the sub-keys of the sequence are set using respective bit values of the one or more one-way functions. Advantageously, deriving sub-key bits from respective output bits of one or more one-way functions removes or at least reduces correlations between the main key and the sub-keys, as well as between sub-keys, making it harder or even impossible to recover the main key or other sub-keys from a single sub-key, for example as found using a side-channel attack.