Control Vector Or Tag Patents (Class 380/280)
  • Patent number: 12095819
    Abstract: A disclosed security broker receives a request message addressed to a message queue associated with an edge resource, identifies the message source, and leverages an authentication module to verify that the source has authorization to access the targeted message queue. The security broker may then deliver the request message to the targeted edge resource message queue. If the edge resource and security broker are physically isolated, the security broker may format the request message as a file, store the file to a storage device, and transfer the storage device to the edge resource, which may then process the file and upload the request message to the edge resource's message queue module. The security broker also monitors a response message from the edge resource and purges sensitive data from the response. If the broker and cloud resource are physically isolated, the response may be formatted and delivered as a file.
    Type: Grant
    Filed: January 12, 2022
    Date of Patent: September 17, 2024
    Assignee: Dell Products L.P.
    Inventors: HaiJun Zhong, XiaoJun Wu, Muzhar S. Khokhar
  • Patent number: 11716351
    Abstract: A honeypot file is cryptographically secured with a cryptographic key. The key, or related key material, is then placed on a central keystore and the file is placed on a data store within the enterprise network. Unauthorized access to the honeypot file can then be detected by monitoring use of the associated key material, which usefully facilitates detection of file access at any time when, and from any location where, cryptographic access to the file is initiated.
    Type: Grant
    Filed: July 8, 2021
    Date of Patent: August 1, 2023
    Assignee: Sophos Limited
    Inventors: Harald Schütz, Andreas Berger, Russell Humphries, Mark D. Harris, Kenneth D. Ray
  • Patent number: 11663573
    Abstract: A method and apparatus for reader device registration, activation, and use are described. The method may include receiving, by a commerce platform, a registration request generated by a reader device, wherein the registration request comprises at least identification data for the reader device. The method may also include transmitting, to the reader device, a registration code. The method may also include receiving, by the commerce platform from a merchant system, a second registration code purported to be the registration code transmitted to the reader device. The method may also include generating an encryption key associated with the reader device and transmitting the encryption key to the merchant system, wherein the encryption key is provided by the merchant system to the reader device for use by the reader device when communicating with the commerce platform during merchant transactions.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: May 30, 2023
    Assignee: STRIPE, INC.
    Inventors: Jonathan Wall, Devesh Senapati, Nate Barnett
  • Patent number: 11606217
    Abstract: A first user device may be used to request provisioning of a secure credential on a second user device. A provisioning system may facilitate the provisioning in a manner that ensures security and privacy of the requesting parties. The provisioning requests may be made using an application on the first user device such as a third-party application or using a web application via a browser. The credential may be added to a digital wallet on the second user device. The credential may be useable by the second user device to perform one or more contactless transactions.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: March 14, 2023
    Assignee: Apple Inc.
    Inventors: Morgan J. Grainger, Russell Fenenga, Brandon K. Leventhal, Sourabh Dugar
  • Patent number: 11588635
    Abstract: Aspects of the present disclosure relate to systems and methods for providing strong resource identification. When a resource is created, saved, or re-based, a cryptographic key pair may be generated and associated with the resource. A public key of the cryptographic key pair may be used as a unique identifier. Information about the resource, such as the name of the resource and its actual location may be stored in an index based upon the resource's public key. Sharing the resource with other devices may comprise sending the resource's key, as opposed to information about the resource's actual location, to one or more recipient devices.
    Type: Grant
    Filed: September 11, 2020
    Date of Patent: February 21, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christopher L. Mullins, Robert Standefer, III
  • Patent number: 11543440
    Abstract: Systems and methods for detecting faults in a power distribution network are described. In an aspect, the systems and methods determine a probability that each node of the network is powered and a probability that each distribution line in the network is faulted. In another aspect, the systems and methods determine the probabilities by transmitting a signal over a power distribution network with an active sounding system. In an additional aspect, the systems and methods determine the probabilities by utilizing collected data coupled to the power distribution network.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: January 3, 2023
    Assignee: Aclara Technologies LLC
    Inventor: David W. Rieken
  • Patent number: 11509468
    Abstract: A method for verifying a secret decryption of an escrow agent by a client operatively connected to the escrow agent includes initiating enrollment of the client with the escrow agent, wherein the enrollment results in the escrow agent generating a key pair comprising a public key and a private key, obtaining the public key from the escrow agent, wherein the private key is not shared with the client, encrypting the secret with the public key to obtain an encrypted secret, after encrypting the secret, encrypting, based on a verification trigger, a verification value using the public key to obtain an encrypted verification value, sending the encrypted verification value to the escrow agent, obtaining a secret decryption response from the escrow agent, making a determination, based on the secret decryption response, that the escrow agent is not capable of decrypting the secret, and based on the determination, performing a remediation action.
    Type: Grant
    Filed: January 28, 2021
    Date of Patent: November 22, 2022
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Seth Jacob Rothschild, Radia Joy Perlman, Alex Robbins
  • Patent number: 11409908
    Abstract: A centralized data repository system, in various embodiments, is configured to provide a central data-storage repository (e.g., one or more servers, databases, etc.) for the centralized storage of personally identifiable information (PII) and/or personal data for one or more particular data subjects. In particular embodiments, the centralized data repository may enable the system to populate one or more data models (e.g., using one or more suitable techniques described above) substantially on-the-fly (e.g., as the system collects, processes, stores, etc. personal data regarding a particular data subject). In this way, in particular embodiments, the system is configured to maintain a substantially up-to-date data model for a plurality of data subjects (e.g., each particular data subject for whom the system collects, processes, stores, etc. personal data).
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: August 9, 2022
    Assignee: OneTrust, LLC
    Inventors: Kabir A. Barday, Jonathan Blake Brannon, Jason L. Sabourin, Mihir S. Karanjkar, Kevin Jones, Richard A. Beaumont
  • Patent number: 11316685
    Abstract: Systems and methods for encrypted content management are provided and include generating an asymmetric key pair for a user, including a user private key and a user public key. A symmetric encryption key is generated based on unique information known to the user. The user private key is encrypted using the symmetric encryption key to generate a user escrow key. Plaintext data is encrypted into ciphertext data using a content symmetric key and stored in a data storage unit. An ephemeral pair of keys is generated and includes an ephemeral public key and an ephemeral private key. A shared-secret key is generated based on the ephemeral private key and the user public key using a Diffie-Hellman exchange algorithm and the content symmetric key is encrypted using the shared-secret key. The encrypted content symmetric key and the ephemeral public key are stored in an encrypted content management storage unit.
    Type: Grant
    Filed: October 21, 2021
    Date of Patent: April 26, 2022
    Assignee: Axiom Technologies LLC
    Inventors: Maxwell Doherty, Jonathan Graham
  • Patent number: 11115209
    Abstract: The present invention relates to the field of tracing and anti-counterfeit protection of physical objects, and particularly to preparing and performing a secure authentication of such objects. Specifically, the invention is directed to a method and a system for preparing a subsequent secured authentication of a physical object or group of physical objects by a recipient thereof, to a method and system for authenticating a physical object or group of physical objects, to a method and system of securely providing a time-variant combination scheme for authenticating a physical object or group of physical objects according to the above methods, and to related computer programs corresponding to said methods. The invention is based on the concept of increasing the security level by increasing the information entropy of the data on which the anti-counterfeit protection is based by means of random data communicated to authenticating entities in an algorithmically hidden way.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: September 7, 2021
    Assignee: Merck Patent GmbH
    Inventors: Thomas Endress, Daniel Szabo, Frederic Berkermann, Natali Melgarejo Diaz
  • Patent number: 11017211
    Abstract: Aspects of the present disclosure include methods for generating a sampled profile including a plurality of sampling points having a plurality of characteristic values associated with the detected non-visible light, identifying one or more macroblocks each includes a subset of the plurality of sampling points, calculating a number of occurrences of the local pattern value within each subset of the plurality of the sampling points for each of the one or more macroblocks, generating a first array including a plurality of weighted values by calculating the plurality of weighted values based on the numbers of occurrences of the local pattern value and corresponding sizes of the one or more macroblocks, assigning a unique index to each of the plurality of weighted values, generating a second array of the unique index by ranking the plurality of weighted values, and generating a third array including a plurality of ranking distances.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: May 25, 2021
    Assignee: Stone Lock Global, Inc.
    Inventors: James Trani, David Douglas Dunlap
  • Patent number: 10880281
    Abstract: Examples described herein relate to apparatuses and methods for evaluating an encryption key based on policies for a policy operation, including, but not limited to, receiving user request for the policy operation, determining one or more of a node, group, client, or user associated with the user request, determining the policies associated with the one or more of the node, group, client, or user based on priority, and evaluating at least one key attribute of an encryption key based, at least in part, on the policies.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: December 29, 2020
    Assignee: Fornetix LLC
    Inventors: Stephen Edwards, Gary C. Gardner, Charles White
  • Patent number: 10846108
    Abstract: Disclosed are various embodiments for providing limited access within a private network. A connection request is received from a client device coupled to a public network. A remote desktop environment is implemented in a private network in response to the connection request. Access to the public network through the remote desktop environment may be restricted to communicating with a particular storage service.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: November 24, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Peter Chung, Jason Falivene
  • Patent number: 10785855
    Abstract: A lighting device for communication with a mobile terminal, comprising: a lighting means, and an electronic operating device for operating the lighting means, a data storage unit, in which a first key is stored in a memory area reserved therefor, an encryption unit configured to read out the first key from the reserved memory area and, in accordance with a specifiable encryption operation, to convert measurement value data and/or identification data intended for transfer to the mobile terminal into a message encrypted by means of the first key, and a transmitting unit configured to transmit the encrypted message to the mobile terminal.
    Type: Grant
    Filed: November 3, 2016
    Date of Patent: September 22, 2020
    Assignees: OSRAM GMBH, OSRAM SYLVANIA INC.
    Inventors: Henry Feil, Barry Stout
  • Patent number: 10742400
    Abstract: In some examples, a non-transitory machine readable storage medium has machine readable instructions to cause a computer processor to segment a datastream into a plurality of equal length blocks each of which has a fixed length, separately encrypt each equal length block using a first encryption key, swap a subset of bits of a first encrypted equal length block with a subset of bits of a second encrypted equal length block such that both of the blocks each have a length equal to the fixed length, and separately encrypt each block using a second encryption key.
    Type: Grant
    Filed: March 20, 2015
    Date of Patent: August 11, 2020
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Liqun Chen, Peter Thomas Camble, Michael Wendland
  • Patent number: 10700971
    Abstract: Systems and methods for supporting inter subnet partitions in a high performance computing environment. In accordance with an embodiment, a fabric manager can define a range of P_Key values, among a plurality of P_Key values, as an inter subnet partition (ISP) P_Key range. The fabric manager can communicate this defined range of P_Key values to a number of subnets, via their subnet managers. The subnet managers in each subnet retain management over their subnets. As there is no central management that configures each side of inter subnet communication, subnet managers within participating subnets can set up ISP membership, and then exchange information with the other subnet.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: June 30, 2020
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Bjørn Dag Johnsen, Bartosz Bogdanski, Line Holen
  • Patent number: 10673830
    Abstract: The disclosure provides for two or more transceiver devices and a system that utilizes one or more encrypters and one or more decrypters comprising one or more communication sources that provides transmission(s) and at least one connector, wherein transmission(s) from one or more communications sources enter a first transceiver through the connector and travels to a randomized encrypted data sub-channels (REDS) encrypter and wherein the (REDS) encrypter securely sends encrypted transmission(s) to a second transceiver. The encrypted transmission(s) enter a second transceiver and are sent to a randomized decrypted data sub-channels (RDDS) decrypter wherein the transmission(s) are decrypted.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: June 2, 2020
    Inventor: Daniel Maurice Lerner
  • Patent number: 10554405
    Abstract: The present invention relates to the field of tracing and anti-counterfeit protection of physical objects, and particularly to preparing and performing a secure authentication of such objects. Specifically, the invention is directed to a method and a system for preparing a subsequent secured authentication of a physical object or group of physical objects by a recipient thereof, to a method and system for authenticating a physical object or group of physical objects, to a method and system of securely providing a time-variant combination scheme for authenticating a physical object or group of physical objects according to the above methods, and to related computer programs corresponding to said methods. The invention is based on the concept of increasing the security level by increasing the information entropy of the data on which the anti-counterfeit protection is based by means of random data communicated to authenticating entities in an algorithmically hidden way.
    Type: Grant
    Filed: February 8, 2019
    Date of Patent: February 4, 2020
    Assignee: Merck Patent GmbH
    Inventors: Thomas Endress, Daniel Szabo, Frederic Berkermann, Natali Melgarejo Diaz
  • Patent number: 10541814
    Abstract: The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device receives an invitation to a secure communication session. The invitation includes a token, which the first device transmits to the call initiating device. Next, the first device performs a three-way handshake with the call initiating device to negotiate a first encryption key and a second encryption key for the secure communication session. The first device encrypts first communication data using the first encryption key and transmits the encrypted first communication data to the call initiating device.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: January 21, 2020
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen
  • Patent number: 10469245
    Abstract: A system for cryptographic processing comprises message unit (1, 7, 12) for providing a first message representation (3, 6, 11), wherein the first message representation is a representation of a message. The system comprises key unit (2) for providing a key representation (4, 9, 14), wherein the key representation is an encrypted representation of a first key of a first cryptographic algorithm and a second key of a second cryptographic algorithm, wherein the first cryptographic algorithm is different from the second cryptographic algorithm. The system comprises step unit (5, 10, 15) for performing a step of the first cryptographic algorithm and a step of the second cryptographic algorithm based on the first message representation (3, 6, 11) and the key representation, to obtain a second message representation (6, 11, 16).
    Type: Grant
    Filed: December 11, 2015
    Date of Patent: November 5, 2019
    Assignee: KONINKLIJKE PHILIPS N.V.
    Inventors: Hendrik Jan Jozef Hubertus Schepers, Paulus Mathias Hubertus Mechtildis Antonius Gorissen, Maarten Peter Bodlaender, Wicher Ido-Jan Gispen
  • Patent number: 10438053
    Abstract: An exemplary embodiment of the present invention provides a method of verifying an identity of a person-to-be-identified using biometric signature data. The method includes creating a face sample database based on biometric signature data from a plurality of individuals, calculating a feature database by extracting selected features of entries in the sample database, calculating positive samples by calculating a feature absolute value distance for a same position of any two different images from one person, calculating negative samples by calculating a feature absolute value distance for a same position of different people, calculating a key bin feature using a learning algorithm, calculating a classifier from the key bin feature for use in identifying and authenticating an acquired face image of a person-to-be-identified and identifying and authenticating the person-to-be-identified using the classifier and the acquired face image of the person-to-be-identified.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: October 8, 2019
    Assignee: STONE LOCK GLOBAL, INC.
    Inventors: David D. Dunlap, Yulun Hu
  • Patent number: 10285055
    Abstract: A server device of an authentication system includes: an optical signal communication unit that causes optical signal transmitters to repeatedly transmit modulated optical signals, by notifying, of pieces of partial authentication information stored in an authentication information management unit, the optical signal transmitters respectively related to the pieces of partial authentication information; and an authentication processing unit that authenticates, when authentication is requested from a client device, the client device, based on integrated authentication information notified with the request, and integrated authentication information before being segmented into the respective pieces of partial authentication information notified by the optical signal communication unit.
    Type: Grant
    Filed: April 20, 2016
    Date of Patent: May 7, 2019
    Assignee: MINEBEA MITSUMI INC.
    Inventor: Kunihiko Hatta
  • Patent number: 10264009
    Abstract: A predictive engine for analyzing existing vulnerability information to determine the likelihood of a vulnerability being exploited by malicious actors against a particular computer or network of computers. The predictive engine relies on multiple data sources providing historical vulnerability information, a plurality of predictive models, and periodic retraining of the prediction ensemble utilizing predictive models. Modeling schemes may also be used when retraining the predictive models forming the prediction ensemble.
    Type: Grant
    Filed: July 26, 2016
    Date of Patent: April 16, 2019
    Assignee: BOOZ ALLEN HAMILTON INC.
    Inventors: Eric Smyth, Aaron Sant-Miller, Kevin Field
  • Patent number: 10237279
    Abstract: There is provided a method comprising: receiving, by an apparatus of a data center, a request message from a server computer of said data center, the apparatus and the server computer being physically separate entities communicatively coupled with each other, said message requesting data center specific information stored into a read-only memory area of the apparatus; initiating deciphering of the request message in response to receiving the request message; and as a response to successfully deciphering the request message, transmitting a response message to the server computer, said message comprising the data center specific information acquired from the read-only memory area of the apparatus.
    Type: Grant
    Filed: February 8, 2018
    Date of Patent: March 19, 2019
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Leo Tapani Hippelainen, Ian Justin Oliver, Shankar Lal
  • Patent number: 10154016
    Abstract: The disclosure provides for two or more transceiver devices and a system that utilizes one or more encrypters and one or more decrypters comprising one or more communication sources that provides transmission(s) and at least one connector, wherein transmission(s) from one or more communications sources enter a first transceiver through the connector and travels to a randomized encrypted data sub-channels (REDS) encrypter and wherein the (REDS) encrypter securely sends encrypted transmission(s) to a second transceiver. The encrypted transmission(s) enter a second transceiver and are sent to a randomized decrypted data sub-channels (RDDS) decrypter wherein the transmission(s) are decrypted.
    Type: Grant
    Filed: June 12, 2018
    Date of Patent: December 11, 2018
    Assignee: IRONCLAD ENCRYPTION CORPORATION
    Inventor: Daniel Maurice Lerner
  • Patent number: 10095882
    Abstract: In one embodiment, a method for securing data on a semi-trusted server is implemented on a computing device and includes: receiving at least a current session key from a user device for use during a current session, where the current session key is suitable for encrypting data and for decrypting data encrypted with the current session key, decrypting communications received from the user device during the session with said session key, encrypting with the session key at least one of communications to be sent to said user device and personal data generated during the session, storing the encrypted personal data, and discarding the current session key upon completion of the session, thereby limiting possible access to the stored encrypted personal data other than during the session. Related apparatus and methods are also described.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: October 9, 2018
    Assignee: Cisco Technology, Inc.
    Inventors: Erez Waisbard, Anna Schnaiderman
  • Patent number: 9998293
    Abstract: A method and a device for maintaining a multicast group member are disclosed. The method includes sending a query message to a switch at intervals of a preset period, so that the switch sends the query message to each multicast group member included in a multicast group; acquiring a count value of current period query responses received by the switch in a current period; and maintaining, according to the count value of current period query responses and a count value of previous period query responses, the multicast group member included in the multicast group. The device includes a first sending module, an acquiring module, and a maintenance module. In the present disclosure, a multicast group member is maintained using a flow table maintained in a switch, which decreases load of a controller, and improves processing efficiency of maintaining, by the controller, the multicast group member.
    Type: Grant
    Filed: October 27, 2016
    Date of Patent: June 12, 2018
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chenji Li, Quancai Li, Bo Man
  • Patent number: 9912830
    Abstract: A data processing apparatus determines whether or not administrator authority of a user is set, and whether access is made locally or from the network. When the access is made locally, even if the user has the administrator authority, folders of all users are not displayed. The folders of all users are displayed only when the user having the administrator authority accesses from the network.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: March 6, 2018
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takafumi Mizuno
  • Patent number: 9818108
    Abstract: Systems and methods for updating a transactional device having a reader is provided. In one embodiment, the method includes: reading data on a command token, wherein the data is stored in a memory device; identifying the token as a command token based on the data; generating transaction data that include an instruction based on the token data and a code identifying the instruction as a command data; and transmitting the transaction data to a remote device for command execution.
    Type: Grant
    Filed: December 10, 2007
    Date of Patent: November 14, 2017
    Assignee: VERIFONE, INC.
    Inventors: Clay von Mueller, Scott R. Yale, Patrick K. Hazel, Paul Catinella
  • Patent number: 9807062
    Abstract: A method and apparatus for enabling a cloud server to provide screen information data indicating a screen to be displayed on a client device are provided. The method of enabling a cloud server to provide screen information data relating to a screen to be displayed on a client device includes: generating the screen information data; determining whether or not to protect the generated screen information data based on characteristics of an object configuring the screen; encrypting the provided screen information data based on the determining; and transmitting the encrypted screen information data to the client device.
    Type: Grant
    Filed: September 26, 2013
    Date of Patent: October 31, 2017
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Sung-bum Park, Yong-je Kim, Myung-jin Eom, Dae-Sung Cho, Woong-il Choi
  • Patent number: 9793960
    Abstract: An NFC device may include a first and second controller interfaces, a first communication channel coupled to the first controller interface, and a second communication channel connected to the second controller interface. A secure element may include a secure element interface connected to the first communication channel and encryption/decryption circuitry configured to encrypt data to be sent on the first communication channel for being framed into the encrypted frames and to decrypt encrypted data extracted from the encrypted frames and received from the first communication channel. The secure element may also include management circuitry configured to control the encryption/decryption circuitry for managing the encrypted communication with the NFC controller.
    Type: Grant
    Filed: July 17, 2013
    Date of Patent: October 17, 2017
    Assignees: STMicroelectronics (Rousset) SAS, STMicroelectronics Application GMBH
    Inventors: Juergen Boehler, Alexandre Charles
  • Patent number: 9787479
    Abstract: There is described a challenge-response method for a client device. The method comprises steps of: (a) receiving challenge data, wherein the challenge data is content encrypted using an encryption key, the content including a nonce; (b) using a secured module of the client device to access the content by decrypting the challenge data using a decryption key of the secured module, the decryption key corresponding to the encryption key; (c) processing a version of the content output by the secured module so as to obtain the nonce; and (d) providing the nonce as a response. There is also described a client device for implementing the above challenge-response method. There is also described a computer program which, when executed by a processor, causes the processor to carry out the above challenge-response method. Finally, there is described a computer readable medium storing the above-mentioned computer program.
    Type: Grant
    Filed: March 27, 2013
    Date of Patent: October 10, 2017
    Assignee: IRDETO B.V.
    Inventors: Andrew Augustine Wajs, Calin Ciordas, Fan Zhang
  • Patent number: 9767322
    Abstract: A method of protecting information in a data storage device is provided. The method includes receiving, in the data storage device, encrypted data via a host computer in which the data storage device is employed. The encrypted data is then decrypted, and re-encrypted, in the data storage device, either before storage or just before data is transferred back to the host computer. The decryption and re-encryption (transcription) is performed substantially independently of the host computer. In addition, a data storage device, readable by a computer system, for implementing the above method for protecting information is provided.
    Type: Grant
    Filed: August 28, 2014
    Date of Patent: September 19, 2017
    Assignee: Seagate Technology LLC
    Inventors: Laszlo Hars, Robert H Thibadeau
  • Patent number: 9742762
    Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.
    Type: Grant
    Filed: December 1, 2014
    Date of Patent: August 22, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Ronald Aigner, Merzin Kapadia, Stuart H. Schaefer, Robert Karl Spiger
  • Patent number: 9729521
    Abstract: Devices, methods, systems, and computer-readable media for auto-commissioning of devices in a communication network are described herein. One or more embodiments include a method for auto-commissioning of a device added to a communication network, comprising: determining properties of signal transitions of the communication network via a device added to the network while the signal transitions of the communication network are passing unchanged, and processing the signal transitions of the communication network, via the device, based on the properties of the signal transitions.
    Type: Grant
    Filed: September 16, 2016
    Date of Patent: August 8, 2017
    Assignee: Honeywell International Inc.
    Inventor: Kevin Raymond Driscoll
  • Patent number: 9633212
    Abstract: A method, computer program product, and system for selecting and generating a key to perform a cryptographic operation are described. The method includes receiving one or more inputs representing criteria for the key, the one or more inputs excluding an explicit identification of the key and one of the one or more inputs specifying the cryptographic operation; retrieving, from a memory device, information corresponding with the one or more inputs; selecting and generating the key based on the one or more inputs and the information; and performing the cryptographic operation using the key.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: April 25, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Charles D. Helfenberger, Richard V. Kisley, Jimmie R. Mayfield, Jr.
  • Patent number: 9607159
    Abstract: A method, computer program product, and system for selecting and generating a key to perform a cryptographic operation are described. The method includes receiving one or more inputs representing criteria for the key, the one or more inputs excluding an explicit identification of the key and one of the one or more inputs specifying the cryptographic operation; retrieving, from a memory device, information corresponding with the one or more inputs; selecting and generating the key based on the one or more inputs and the information; and performing the cryptographic operation using the key.
    Type: Grant
    Filed: December 10, 2014
    Date of Patent: March 28, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Charles D. Helfenberger, Richard V. Kisley, Jimmie R. Mayfield, Jr.
  • Patent number: 9544135
    Abstract: Disclosed herein are methods of and systems for facilitating decryption of encrypted electronic information to obtain unencrypted electronic information for consumption by an authorized recipient. A decryption server receives a request for decryption sent by a requesting entity. Subsequently, prior to fulfilling the request for decryption, authentication of the requesting entity may be performed based on a secondary credential. The secondary credential may be issued based on the primary credential. Thereafter, the decryption server retrieves the decryption key by communicating with a source entity, such as a certificate authority, that issued the decryption key. Subsequently, the decryption server decrypts the encrypted electronic information utilizing the decryption key. Thereafter, in an embodiment, the decryption server may transmit the unencrypted electronic information to the requesting entity.
    Type: Grant
    Filed: June 12, 2015
    Date of Patent: January 10, 2017
    Inventor: Issam Andoni
  • Patent number: 9497172
    Abstract: A method of encrypting and transferring data between a sender and a receiver using a network thereby transferring data in a secure manner includes the steps of a server receiving from the sender an identifier of the receiver; generating a transfer specific encryption key specific to the transfer; encrypting the data using the generated transfer specific encryption key; the server retrieving information specific to the receiver that is accessed according to the identifier of the receiver received from the sender, and using the retrieved information specific to the receiver to encrypt the transfer specific encryption key; transferring the encrypted data and the encrypted transfer specific encryption key over the network for receipt by the receiver; the server receiving from the receiver the encrypted transfer specific encryption key and identifier of the receiver; the server retrieving information specific to the receiver that is accessed according to the identifier of the receiver received from the receiver, a
    Type: Grant
    Filed: June 26, 2013
    Date of Patent: November 15, 2016
    Assignee: LITERA CORP.
    Inventor: Michael H. Alculumbre
  • Patent number: 9485100
    Abstract: The present invention provides systems and methods for making efficient trust management decisions. A trust management engine is provided that processes requests for system resources, authorizations or certificates, and the identity of one or more root authorities that are ultimately responsible for granting or denying the requests. To determine whether a request should be granted, the trust management engine identifies a set of principals from whom authorization may flow, and interprets each of the certificates as a function of the state of one or more of the principals. The processing logic iteratively evaluates the functions represented by the certificates, updates the states of the principals, and repeats this process until a reliable determination can be made as to whether the request should be granted or denied.
    Type: Grant
    Filed: June 15, 2015
    Date of Patent: November 1, 2016
    Assignee: Intertrust Technologies Corporation
    Inventors: Stephen P. Weeks, Xavier Serret-Avila
  • Patent number: 9471796
    Abstract: A method, computer program product, and system for selecting and generating a key to perform a cryptographic operation are described. The method includes receiving one or more inputs representing criteria for the key, the one or more inputs excluding an explicit identification of the key and one of the one or more inputs specifying the cryptographic operation; retrieving, from a memory device, information corresponding with the one or more inputs; selecting and generating the key based on the one or more inputs and the information; and performing the cryptographic operation using the key.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: October 18, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Charles D. Helfenberger, Richard V. Kisley, Jimmie R. Mayfield, Jr.
  • Patent number: 9450925
    Abstract: Devices, methods, systems, and computer-readable media for auto-commissioning of devices in a communication network are described herein. One or more embodiments include a method for auto-commissioning of a device added to a communication network, comprising: determining properties of signal transitions of the communication network via a device added to the network while the signal transitions of the communication network are passing unchanged, and processing the signal transitions of the communication network, via the device, based on the properties of the signal transitions.
    Type: Grant
    Filed: August 29, 2014
    Date of Patent: September 20, 2016
    Assignee: Honeywell International Inc.
    Inventor: Kevin Raymond Driscoll
  • Patent number: 9385867
    Abstract: Hierarchical predicate encryption (HPE) for inner products with enhanced efficiency of operations. A cryptographic processing system includes a key generation device, an encryption device, and a decryption device. The key generation device generates, as a decryption key $sk_L$, a vector in which predicate information $\vec{v}_t$ is embedded in a basis vector of a basis $B^*_t$ for each integer $t$ of $t = 1, \dots, L$. The encryption device generates, as a ciphertext ct, a vector in which attribute information $\vec{x}_t$ is embedded in a basis vector of a basis $B_t$ for at least some integer $t$ of $t = 1, \dots, L$. The decryption device performs a pairing operation on the decryption key $sk_L$ generated by the key generation device and the ciphertext ct generated by the encryption device, and decrypts the ciphertext ct.
    Type: Grant
    Filed: December 12, 2011
    Date of Patent: July 5, 2016
    Assignees: Mitsubishi Electric Corporation, NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Katsuyuki Takashima, Tatsuaki Okamoto
  • Patent number: 9306742
    Abstract: A first portion of a cryptographic key can be conveyed through a secure channel to a device that can interact with a home network. After the first portion is received, a prompt can be sent by the recipient of the portion through a non-secure channel to the sender of the portion to send a second portion of the key. The cryptographic key can be constituted from the received portions and used by the device to secure communications with the home network.
    Type: Grant
    Filed: February 5, 2013
    Date of Patent: April 5, 2016
    Assignee: Google Inc.
    Inventors: Girts Folkmanis, Paul Heninwolf
  • Patent number: 9306745
    Abstract: According to one embodiment, a method for implementing secure key management is provided. The method includes populating a section of information associated with a key, the section being populated with information relating to how the key was created. The method also includes populating the section with information relating to how the key was acquired by a secure module; and binding the section to the key, wherein the key is encrypted.
    Type: Grant
    Filed: October 15, 2012
    Date of Patent: April 5, 2016
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Elizabeth A. Dames, Carsten D. Frehr, Michael J. Kelly, Kenneth B. Kerr, Richard V. Kisley, Eric D. Rossman, Eric B. Smith
  • Patent number: 9172529
    Abstract: Methods, systems, and computer programs for using hybrid encryption schemes are disclosed. In some implementations, a random value is obtained by a pseudorandom generator. A symmetric key is generated based on the random value. A public component is also generated based on the random value. Additionally, an initialization vector is generated based on the random value. The symmetric key and the initialization vector are used to generate an encrypted message based on an input message. The encrypted message and the public component are transmitted to an entity. At least one of the public component or the symmetric key is generated based additionally on a public key of the entity.
    Type: Grant
    Filed: September 16, 2011
    Date of Patent: October 27, 2015
    Assignee: Certicom Corp.
    Inventor: Gregory Marc Zaverucha
  • Patent number: 9141814
    Abstract: Computer systems and methods ensuring high availability of cryptographic keys using a shared file system. The keys are encrypted with at least one shareable master key to generate corresponding encrypted cryptographic keys, which are stored in a key database in the shared file system. A master key manager with access to the key database is elected from among master key manager candidates and is assigned a common virtual address. All master key manager candidates have the shareable master key such that during a failover event the availability of the encrypted cryptographic keys is not interrupted as a new master key manager takes over the common virtual address from the previous master key manager. Additionally, a message authentication code (MAC) is deployed for testing the integrity of keys during their retrieval.
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: September 22, 2015
    Assignee: ZETTASET, Inc.
    Inventor: Eric A. Murray
  • Patent number: 9137011
    Abstract: Technologies are generally described for providing rapid data encryption and decryption for secure communication over an open channel with plausible deniability. In some examples, a single bit of information may be encoded by many alternative combinations of bits thus providing high security as well as enabling a single ciphertext to encrypt several different plaintexts of the same length simultaneously. The ability to encrypt several different plaintexts of the same length simultaneously may allow plausible deniability of messages. Encryption speed may be enhanced through accumulation of useful bit sets with desired properties in advance for later use. When the need arises, several plaintexts of the same size may be encrypted into a single ciphertext using accumulated bit combinations corresponding to different secret keys.
    Type: Grant
    Filed: May 7, 2013
    Date of Patent: September 15, 2015
    Assignee: Empire Technology Development LLC
    Inventor: Alexander Y. Davydov
  • Patent number: 9106406
    Abstract: According to an embodiment, a communication apparatus includes a key storage unit configured to store therein a cryptographic key; a receiving unit configured to receive a message; an analyzing unit configured to analyze whether the message includes an access request for the cryptographic key; a generating unit configured to, when the message includes the access request, generate request information used to request an access to the cryptographic key requested by the access request; and an access controller configured to control the access to the cryptographic key based on the request information.
    Type: Grant
    Filed: August 28, 2012
    Date of Patent: August 11, 2015
    Assignee: Kabushiki Kaisha Toshiba
    Inventors: Shinichi Baba, Yoshimichi Tanizawa, Hideaki Sato
  • Patent number: 9047491
    Abstract: The subject matter herein relates to data processing and, more particularly, to encryption acceleration. Various embodiments herein provide devices and systems including a standardized encryption application programming interface embedded in firmware to perform encryption services. Some such embodiments move encryption operations away from operating system processes into firmware. As a result, encryption operations are generally accelerated.
    Type: Grant
    Filed: June 22, 2011
    Date of Patent: June 2, 2015
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Michael Rothman