Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/281)
  • Patent number: 10291398
    Abstract: A control unit of a communication device decrypts, when receiving via an antenna from a reader/writer a cipher key encrypted with a key same as a common key recorded in a recording unit by the reader/writer, the encrypted cipher key with the common key recorded in the recording unit, and when receiving via the antenna from the reader/writer a readout target address specifying a region of a data readout source in the recording unit encrypted with a cipher key same as the cipher key by the reader/writer, decrypting the encrypted readout target address with the cipher key, and transmitting the data recorded in the region specified by the readout target address obtained through decryption of the regions of the recording unit to the reader/writer via the antenna.
    Type: Grant
    Filed: July 28, 2016
    Date of Patent: May 14, 2019
    Assignee: Sony Corporation
    Inventors: Toshinori Kanemoto, Teiichi Shiga
  • Patent number: 10270594
    Abstract: A system for generating an enhanced polymorphic quantum enabled firewall in real-time typically includes a classical computer apparatus and a quantum optimizer in communication with the classical computer apparatus. The classical computer apparatus is configured to identify an unauthorized attempt to access information by an unidentified source, collect a first set of data about the unauthorized attempt, determine a type of the unauthorized attempt by analyzing the first set of data, and transmit the first set of data and the type of the unauthorized attempt to the quantum optimizer. The quantum optimizer upon receiving the first set of data and the type of the unauthorized attempt, generates a second key and a second level of encryption using the second key, generates a new protocol for transferring the second level of encryption over a network, and transfers the second level of encryption and the new protocol to the classical computer apparatus.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: April 23, 2019
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Joseph Benjamin Castinado, Jeffery B. Schroeder, William August Stahlhut
  • Patent number: 10263776
    Abstract: A system uses a multi-level encryption and tokenization mechanism to allow for fields of a larger object to be individually tokenized and encrypted. Protected data is encrypted using an encryption key and a generated token is displayed in its place. The encryption key is then encrypted using a secondary key. To dereference a token, a requesting application provides the token and associated context to a token service, which searches a token store for a record having both the token and the context. If such a record is located, the token service generates a secondary key and decrypts the encryption key. The decrypted encryption key then decrypts the protected data and transmits the data to the requesting application.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: April 16, 2019
    Assignee: Uber Technologies, Inc.
    Inventor: Ronald Dana Kuris
  • Patent number: 10250386
    Abstract: Methods and systems are provided for power management and security for wireless modules in “Machine-to-Machine” communications. A wireless module operating in a wireless network and with access to the Internet can efficiently and securely communicate with a server. The wireless network can be a public land mobile network (PLMN) that supports wireless wide area network technology including 3rd generation (3G) and 4th generation (4G) networks, and future generations as well. The wireless module can (i) utilize sleep and active states to monitor a monitored unit with a sensor and (ii) communicate with wireless network by utilizing a radio. The wireless module can include power control steps to reduce the energy consumed after sending sensor data by minimizing a tail period of a radio resource control (RRC) connected state.
    Type: Grant
    Filed: May 7, 2018
    Date of Patent: April 2, 2019
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 10239494
    Abstract: A secure vehicle access system comprises a vehicle and a key associated with the vehicle. The key comprises: a radio frequency, RF, key transceiver configured to: broadcast at least one signal; and listen for an acknowledgement message from the vehicle. The vehicle comprises: a radio frequency, RF, vehicle transceiver configured to: listen for the at least one broadcast signal from the key; and in response thereto, transmit an acknowledgement message back to the key to establish a communication link between the vehicle and the key. The key further comprises a ranging circuit configured to perform a distance determination between the vehicle and the key, following the establishment of the communication link, to determine whether to allow access to the vehicle.
    Type: Grant
    Filed: December 13, 2017
    Date of Patent: March 26, 2019
    Assignee: NXP B.V.
    Inventor: Bernhard Spiess
  • Patent number: 10211979
    Abstract: A system and method for cryptographically securing a device includes initializing a cryptographic processing circuit which includes provisioning a cryptographic key store associated with the cryptographic processing circuit with cryptographic key material; and establishing a first cryptographically secured connection between a main central processing unit of the autonomous device and the cryptographic processing circuit of the device; and implementing a cryptographic validation of resident firmware of the main central processing unit by validating a cryptographic digital signature ascribed to the resident firmware against an up-to-date cryptographic digital signature used for installing and/or updating the resident firmware of the main central processing circuit.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: February 19, 2019
    Assignee: SWFL, Inc.
    Inventors: Jeremie Miller, Thomas Muldowney, Allison Clift-Jennings
  • Patent number: 10198595
    Abstract: The present disclosure deals with a system and a method to determine if an unauthorized user is attempting to access securely stored data. A user enters and stores sensitive data on a user device using a first computing system. The first computing system gathers sensitive data from the user device and stores the data on a second computing system. If the first computing system detects a potential data breach when trying to access the securely stored data, the first computing system may request the user to enter a subset of the securely stored data to confirm that the user has access to the securely stored data. The second computing system verifies the subset against the securely stored data and the securely stored data is made accessible to the user. If the second computing system is unable to verify the subset the second computing system triggers an event.
    Type: Grant
    Filed: December 12, 2016
    Date of Patent: February 5, 2019
    Assignee: Walmart Apollo, LLC
    Inventor: Norman Bradley Lancaster
  • Patent number: 10169719
    Abstract: Embodiments include methods, systems and computer program products for identifying unusual activity in an IT system based on user configurable message anomaly scoring. Aspects include receiving a message stream for the IT system and selecting a plurality of messages from the message stream that correspond to an interval. Aspects also include determining a message anomaly score for each of the plurality of the messages, wherein the message anomaly score for each of the plurality of the messages is determined to be one of a default message anomaly score and a custom message anomaly score and calculating an interval anomaly score for the interval by adding the message anomaly score for each of the plurality of the messages. Aspects further include identifying a priority level of the interval by comparing the interval anomaly score to one or more thresholds.
    Type: Grant
    Filed: October 20, 2015
    Date of Patent: January 1, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: James M. Caffrey
  • Patent number: 10142101
    Abstract: Embodiments of an invention for hardware enforced one-way cryptography are disclosed. In one embodiment, a processor includes a processor key location, instruction hardware, and execution hardware. The processor key location is to hold a processor key. The instruction hardware is to receive a first instruction in an instruction set of the processor. The first instruction is to encrypt input data with the processor key and return a handle. The instruction set lacks a second instruction corresponding to the first instruction to decrypt the handle with the processor key to return the input data. The execution hardware is to perform, in response to receipt of the first instruction by the instruction hardware, encryption of the input data with the processor key and to return the handle.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: November 27, 2018
    Assignee: Intel Corporation
    Inventors: Vinodh Gopal, Jason W Brandt
  • Patent number: 10111100
    Abstract: Aspects of the invention can log a user into a primary device in a more efficient manner. For example, aspects of the invention may eliminate the need for the user to supply user credentials directly to a primary device. Instead, the companion device recognizes relevant primary devices located proximate to the companion device and automatically initiates a user login to the primary device without user intervention. Aspects of the invention can automatically log in a user to known and unknown primary devices.
    Type: Grant
    Filed: August 25, 2014
    Date of Patent: October 23, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ross David Heeter, Jason Robert Tuck, Cyrus Kanga
  • Patent number: 10075358
    Abstract: Embodiments relate to systems and methods for electronically conditioning transmission of communications based on results of a connection assessment. An electronic file is executed at an electronic device, which causes a first query and a second query to be presented. A first query response and a second query response are identified. The first query response is stored in a locked configuration that inhibits the ability to modify the first query response to the first query. The second query response is stored but is not stored in the locked configuration. Query response data is generated that includes an identifier of the second query, an identifier of the second query response and an identifier of the electronic device. A connection variable is determined by assessing one or more network connections available to the electronic device. When a transmission condition is satisfied, the query response data is transmitted to another device.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: September 11, 2018
    Assignee: PEARSON EDUCATION, INC.
    Inventors: Brendan Kealey, Paul Arens, Adam Krapfl, Paul Grudnitski, Rob Nielsen, James Setaro, Jason Sobanski
  • Patent number: 10042990
    Abstract: Atomically modifying a personal security device includes presenting the personal security device to a reader/writer coupled to an access module, the access module determining if the personal security device includes a factory security mechanism, and, if the personal security device includes a factory security mechanism, using the reader/writer and the access module to replace the factory security mechanism with another security mechanism. The access module may authenticate the personal security device in connection with replacing the factory security mechanism. Authenticating the personal security device may grant access to a user through a door controlled by the access module. Replacing the factory security mechanism may include replacing an application on the personal security device. An ISO/IEC 7816-13 application management request command may be used to replace the application.
    Type: Grant
    Filed: March 26, 2013
    Date of Patent: August 7, 2018
    Assignee: Assa Abloy AB
    Inventors: Kapil Sachdeva, Philip Hoyer, Eric F. Le Saint, Sylvain Prevost
  • Patent number: 10032171
    Abstract: Methods are described for performing a timely authorization of digital credential data delivered from a mobile device that is without access to a local persistently stored permanent cryptographic key; through an interrogation with a point-of-sale that behaves according to the direction of a card specification; wherein the card specification expects the mobile device to create a cryptogram that is calculated, at least in part, using the permanent cryptographic key and, at least in part, from unpredictable data delivered from the point-of-sale to the mobile device during the interrogation.
    Type: Grant
    Filed: August 30, 2012
    Date of Patent: July 24, 2018
    Assignee: SimplyTapp, Inc.
    Inventor: Douglas C. Yeager
  • Patent number: 10033744
    Abstract: A method for certifying information about a subject entity, where the subject entity has trusted information associated with them, which is stored at one or more trusted entity computing systems, comprising the steps of a certifying entity obtaining information from one or more trusted entity computing systems, selecting trusted information from the obtained information, and certifying the trusted information as being from the trusted entity computing system and has not been modified.
    Type: Grant
    Filed: October 22, 2014
    Date of Patent: July 24, 2018
    Assignee: eTeam Software Pty Ltd
    Inventors: Mark Mervyn Chazan, Michael Kontorovich
  • Patent number: 9930015
    Abstract: A communication device for performing encrypted communication with at least one further communication device in a communication network is provided. Advantageously, the device is adapted to communicate with a plurality of further communication devices. The communication device comprises a communication unit and a cryptographic unit. Moreover it comprises a key encryption key generator configured to generate at least one key encryption key jointly with the at least one further communication device, using the communication unit. Also, it comprises a traffic encryption key generator configured to generate a traffic encryption key, specific to the communication device, for encrypting traffic data by the communication device. The cryptographic unit is preferably configured to encrypt the traffic encryption key using the at least one key encryption key. Moreover, the communication unit is preferably configured to transmit the encrypted traffic encryption key to the at least one further communication device.
    Type: Grant
    Filed: October 19, 2015
    Date of Patent: March 27, 2018
    Assignee: Rohde & Schwarz SIT GmbH
    Inventors: Andreas Graubner, Stefan Roehrich, Bernhard Heep
  • Patent number: 9916457
    Abstract: A data-hosting system facilitates binding a decoupled name to a data object. During operation, the system can receive a command to generate a decoupled name that binds a new name to the data object. The system generates a hash for the data object based on the data object's content, such that the hash is not generated based on a name for the data object. The system then obtains a private key for signing the data object, and generates the decoupled name for the data object by encrypting the data object's hash and the new name using the private key. This decoupled name binds the new name to the data object. When a client requests the data object based on the network name, the system can return the decoupled name associated with content of the data object. The client can use the decoupled name to validate the data object.
    Type: Grant
    Filed: January 12, 2015
    Date of Patent: March 13, 2018
    Assignee: Cisco Technology, Inc.
    Inventor: Ignacio Solis
  • Patent number: 9900291
    Abstract: Methods and apparatus for supporting secure packet communications, e.g., SRTP, which use implicit index numbers for synchronization and sequencing of received packets. The secure communications methods and apparatus having an adaptive index learning mode of operation and a non-adaptive index learning mode of operation. The adaptive index learning mode of operation being used to determine a correct estimated sequence number roll over counter number and the implicit index number for one of a plurality of secure packets received when an adaptive index learning process condition is satisfied.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: February 20, 2018
    Assignee: Sonus Networks, Inc.
    Inventors: Shiping Li, Prashant Motagi, Gregory Paul Khederian
  • Patent number: 9876789
    Abstract: The present disclosure provides methods and systems for secure logon. One or more method includes: determining, via authentication information provided by a user of an electronic device, that the user is authorized to access an online account provided by the online account provider; providing the user with a selectable option to enable an expedited logon process by which the user can access the online account by solely providing a particular authentication item of the user; receiving a verification credential in response to a next logon attempt using the expedited logon process; and verifying that the received verification credential matches an assigned verification credential provided to the user for use in conjunction with the next logon attempt using the expedited logon process.
    Type: Grant
    Filed: April 3, 2015
    Date of Patent: January 23, 2018
    Assignee: United Services Automobile Association (USAA)
    Inventors: Thomas B. Buckingham, Richard A. Davey, Tammy Sanclemente, Ryan M. Johnson, Adam J. Leatham, Christopher Thomas Wilkinson
  • Patent number: 9846701
    Abstract: A computerized method for managing collaboration in a computerized system, comprising repeatedly applying any one of rules defined in the computerized system pertaining to objects of the computerized system, wherein the any one of the rules comprises an at least one condition concerning collaborativity of an object to which the any one of the rules pertains and the at least one condition is based on metadata of the object, by evaluating any one of conditions in the any one of the rules, thereby determining collaborativity of any one of the objects to which the any one of the rules pertains, and an apparatus for performing the same.
    Type: Grant
    Filed: June 3, 2014
    Date of Patent: December 19, 2017
    Assignee: VARONIS SYSTEMS, LTD.
    Inventors: Yakov Faitelson, Ohad Korkus, Ophir Kretzer-Katzir
  • Patent number: 9830278
    Abstract: Source and replica data in a storage area network is tracked during management of data encryption keys. Association of source and replica data allows for all copies of customer information in an enterprise to be managed as a single entity for deletion or tracked for management purposes by using referenced data encryption keys upon creation of replicas. Any replica from a source storage object can be created using the source storage object data encryption key or an associated key and tracked by these keys as a subset of the number of replicas created. Management of the data encryption keys can control the lifetime of data on a storage array and in the storage area network without managing every replicated instance for the lifetime of the data.
    Type: Grant
    Filed: September 26, 2016
    Date of Patent: November 28, 2017
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: John S. Harwood, Thomas E. Linnell, John T. Fitzgerald
  • Patent number: 9811477
    Abstract: In one embodiment, a memory system stores data encrypted with a cipher key in a block of a page in non-volatile memory, reads the cipher key version number associated with the page, determines whether the cipher key version number associated with the page is different from a cipher key version number of the cipher key used to encrypt the data and, if it is, writes a data pattern encrypted with the cipher key into the other blocks of the page, and stores the cipher key version number of the cipher key used to encrypt the data in the storage space in the non-volatile memory. Other embodiments are provided.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: November 7, 2017
    Assignee: SanDisk Technologies LLC
    Inventors: David Meyer, Satish Vasudeva
  • Patent number: 9756020
    Abstract: Techniques to provide persistent uniform resource locators (URLs) for client applications acting as web services are described herein. In one or more implementations, the techniques utilize standard protocols and libraries (e.g., standard HTTP) without relying upon custom/proprietary plug-ins. An intermediary server that functions as a tunnel service is configured to provide functionality for handling communications between endpoints on behalf of client applications. Additionally, the tunnel service provides a mechanism to generate and assign persistent URLs (or comparable addresses) to client applications. Entities seeking to interact with the client applications use corresponding URLs to direct requests via the tunnel service and down to the appropriate client application.
    Type: Grant
    Filed: April 27, 2015
    Date of Patent: September 5, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Matthew T. Kaufman
  • Patent number: 9722976
    Abstract: Methods and apparatus for supporting secure packet communications, e.g., SRTP, which use implicit index numbers for synchronization and sequencing of received packets. The secure communications methods and apparatus having an adaptive index learning mode of operation and a non-adaptive index learning mode of operation. The adaptive index learning mode of operation being used to determine a correct estimated sequence number roll over counter number and the implicit index number for one of a plurality of secure packets received when an adaptive index learning process condition is satisfied.
    Type: Grant
    Filed: August 31, 2015
    Date of Patent: August 1, 2017
    Assignee: SONUS NETWORKS, INC.
    Inventors: Shiping Li, Prashant Motagi, Gregory Paul Khederian
  • Patent number: 9703965
    Abstract: Techniques are provided for protecting encryption key(s) and other protected material on devices, such as mobile devices. A device stores an encrypted container received from an online authentication service, wherein the encrypted container is encrypted using a first key stored by the online authentication service, wherein the encrypted container comprises a data item stored on the device. The device transmits the encrypted container using an online connection to the online authentication service to decrypt the encrypted container using the first key, wherein the encrypted container is decrypted by the online authentication service to provide a decrypted container only if the online connection satisfies one or more predefined online connection criteria. The device then receives the decrypted container from the online authentication service and obtains the data item from the decrypted container. Online secure containers are also disclosed that are optionally protected using a multi-layer encryption scheme.
    Type: Grant
    Filed: March 20, 2015
    Date of Patent: July 11, 2017
    Assignee: EMC IP Holding Company LLC
    Inventors: Peter Robinson, Nikolaos Triandopoulos
  • Patent number: 9673977
    Abstract: In a general aspect, a parameter is refreshed in a lattice-based cryptography system. In some aspects, a first value of a public parameter is obtained. The first value of the public parameter may have been previously used in an execution of a lattice-based cryptography protocol. A second value of the public parameter is generated based on the first value of the public parameter and random information. The second value of the public parameter is used in an execution of the lattice-based cryptography protocol.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: June 6, 2017
    Assignee: ISARA Corporation
    Inventor: Kassem Kalach
  • Patent number: 9633010
    Abstract: Converting technical data from field oriented electronic data sources into natural language form is disclosed. An approach includes obtaining document data from an input document, wherein the document data is in a non-natural language form. The approach includes determining a data type of the document data from one of a plurality of data types defined in a detection and conversion database. The approach includes translating the document data to a natural language form based on the determined data type. The approach additionally includes outputting the translated document data in natural language form to an output data stream.
    Type: Grant
    Filed: November 5, 2015
    Date of Patent: April 25, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John J. Bird, Doyle J. McCoy
  • Patent number: 9628269
    Abstract: A method and system are provided for processing encrypted messages at a mobile device. A mobile device receives an encrypted message that comprises encrypted content as well as encryption information for accessing the encrypted content. At the mobile device, the encryption accessing information is obtained and stored to memory. The encryption accessing information is retrieved from memory in order to decrypt the encrypted content when the encrypted message is subsequently accessed.
    Type: Grant
    Filed: July 10, 2002
    Date of Patent: April 18, 2017
    Assignee: BlackBerry Limited
    Inventors: Herbert A. Little, Michael G. Kirkup
  • Patent number: 9609492
    Abstract: A server computing device may be deployed in telecommunication signaling network and configured to communicate with a subscriber profile repository, policy management component, a charging component, and/or other components in the network to intelligently determine whether a user equipment device should receive/use a service via a communication tunnel, to authorize and/or create a communication tunnel between a user equipment device and a tunnel termination function component, and to implement policy charging rules for the use of the service via the communication tunnel. The communication tunnel may carry a portion or a segment of a data flow for a specific service (or a portion of the communication link) between the user equipment device and a destination component. The server computing device may be configured to authorize/create different communication tunnels for different services and to implement different policy charging rules for different tunnels.
    Type: Grant
    Filed: October 15, 2014
    Date of Patent: March 28, 2017
    Assignee: OPENET TELECOM LTD.
    Inventors: Joe Hogan, Mamoon Chowdry
  • Patent number: 9521123
    Abstract: A method for encryption and sealing of a plaintext file by hashing the plaintext file to produce a plaintext hash, encrypting the plaintext file to produce ciphertext, hashing the ciphertext to produce a ciphertext hash, hashing the plaintext hash and the ciphertext hash to produce a result hash, and sealing the ciphertext together with the result hash. This provides verification for non-repudiation and protects against undetected malware corrupting the plaintext or ciphertext files.
    Type: Grant
    Filed: April 28, 2015
    Date of Patent: December 13, 2016
    Assignee: Spyrus, Inc.
    Inventors: Robert R. Jueneman, Duane J. Linsenbardt, John N. Young, William Reid Carlisle, Burton George Tregub
  • Patent number: 9503264
    Abstract: A master public key is generated as a first set of lattices based on a set of attributes, along with a random vector. A master secret key is generated as a set of trap door lattices corresponding to the first set of lattices. A user secret key is generated for a user's particular set of attributes using the master secret key. The user secret key is a set of values in a vector that are chosen to satisfy a reconstruction function for reconstructing the random vector using the first set of lattices. Information is encrypted to a given set of attributes using the user secret key, the given set of attributes and the user secret key. The information is decrypted by a second user having the given set of attributes using the second user's secret key.
    Type: Grant
    Filed: February 2, 2016
    Date of Patent: November 22, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Vinod Vaikuntanathan, Panagiotis Voulgaris
  • Patent number: 9473467
    Abstract: Techniques to protect selected data in a cloud computing environment are disclosed. In various embodiments, an indication is received that a data value to be submitted, using a browser, to a remote node is to be protected. The data value is selectively encrypted. The encrypted data value is provided to the browser to be submitted to the remote node.
    Type: Grant
    Filed: July 16, 2015
    Date of Patent: October 18, 2016
    Assignee: EMC Corporation
    Inventors: Bin Wang, Lei Feng, Yandong Yao, Xiaoming Gao
  • Patent number: 9454673
    Abstract: A method implements searchable encryption of cloud-stored data by appending tokenized keywords to an encrypted file destined for a cloud storage service. In some embodiments, the tokenized keywords are appended to the header of the encrypted file. Searching of cloud-stored encrypted files using the native search capability of the cloud storage service is then possible by performing the search using the tokenized keywords. In alternate embodiments of the present invention, a method enables searching of cloud-stored encrypted files using a cloud search appliance.
    Type: Grant
    Filed: November 7, 2014
    Date of Patent: September 27, 2016
    Assignee: Skyhigh Networks, Inc.
    Inventors: Sekhar Sarukkai, Kaushik Narayan, Rajiv Gupta, Paul Grubbs
  • Patent number: 9455828
    Abstract: Provided is a re-encryption system. The re-encryption system includes a replacement key generation unit. The replacement key generation unit receives a master key owned by a manager, an allowable decryptor set before change, and an allowable decryptor set after change. The re-encryption system generates and outputs a replacement key to convert a ciphertext which can be decrypted with a secret key of a decryptor belonging to the allowable decryptor set before change to a ciphertext which can be decrypted with a secret key of a decryptor belonging to the allowable decryptor set after change.
    Type: Grant
    Filed: July 29, 2013
    Date of Patent: September 27, 2016
    Assignee: NEC CORPORATION
    Inventor: Jun Furukawa
  • Patent number: 9438569
    Abstract: Devices generate security vectors based on their own attributes. A device's security vectors compose its transformation matrix. The devices securely share copies of their transformation matrices with other devices. A transmitting device adds its unique MAC to packets, encrypts those packets using its own transformation matrix, and transmits those packets. A receiving device uses its copy of the transmitting device's transformation matrix to decrypt the data in a packet, determining whether a MAC extracted from that packet matches the transmitting device's MAC. The receiving device can permit or prevent further processing of the packet's data depending on whether the MACs match. Each device can store a copy of a same program that can be used to derive derivative security vectors from existing security vectors. Each device in the network can derive the same set of derivative vectors for any selected other device in the network, thereby “evolving” the transformation matrices.
    Type: Grant
    Filed: October 3, 2014
    Date of Patent: September 6, 2016
    Assignee: Willow, Inc.
    Inventors: Jonathan P. Livolsi, Robert R. Livolsi
  • Patent number: 9430556
    Abstract: Disclosed herein is a framework for generating and providing self-distinguishable identifiers as to users. In accordance with one aspect, an entry is retrieved from an object, wherein the entry includes one or more fields. The one or more fields may be concatenated to create a concatenated string. The framework may then determine if the concatenated string is unique from other concatenated strings in a listing of the object. If the concatenated string is determined to be not unique, a unique sequence identifier may be added to the concatenated string.
    Type: Grant
    Filed: December 19, 2013
    Date of Patent: August 30, 2016
    Assignee: SAP SE
    Inventors: Yu Jun Peng, Li Cheng
  • Patent number: 9424430
    Abstract: Protecting the integrity and the effectiveness of a security agent that is installed in a user's device while the user's device operates online or offline. The security agent may be used for enforcing a security policy required by an organization or network to which the user's computer belongs. One aspect of exemplary embodiments of the present invention is to associate the content of one or more storage devices of the user's computer with the security agent and with a boot-loader program used by the user's computer.
    Type: Grant
    Filed: May 21, 2007
    Date of Patent: August 23, 2016
    Assignee: SAFEND LTD.
    Inventor: Avner Rosenan
  • Patent number: 9425968
    Abstract: Systems and methods are provided for generating subsequent encryption keys by a client device as one of a plurality of client devices across a network. Each client device is provided with the same key generation information and the same key setup information from an authentication server. Each client device maintains and stores its own key generation information and key setup information. Using its own information, each client device generates subsequent encryption keys that are common or the same across devices. These subsequent encryption keys are generated and maintained the same across devices without any further instruction or information from the authentication server or any other client device. Additionally, client devices can recover the current encryption key by synchronizing information with another client device.
    Type: Grant
    Filed: May 28, 2014
    Date of Patent: August 23, 2016
    Assignee: Landis+Gyr Innovations, Inc.
    Inventors: Michael Demeter, Stephen Chasko
  • Patent number: 9413528
    Abstract: The invention is a method for broadcast encryption that allows a broadcaster to send encrypted data to a set of users such that only a subset of authorized users can decrypt said data. The method comprises modifications to the four stages of the basic Cipher-text Policy Attribute-Based Encryption techniques. The method can be adapted to transform any Attribute-Based Encryption scheme that supports only temporary revocation into a scheme that supports the permanent revocation of users.
    Type: Grant
    Filed: August 22, 2012
    Date of Patent: August 9, 2016
    Assignee: Ben-Gurion University of the Negev Research and Development Authority
    Inventors: Shlomi Dolev, Niv Gilboa, Marina Kopeetsky
  • Patent number: 9413732
    Abstract: In a vehicle network system, a plurality of ECUs are network-connected. The plurality of ECUs include a first ECU that has set therein a secret key from among the secret key and a public key that form a pair and are set on the basis of initialization processing performed when the vehicle network system is created, and a second ECU that has set therein the public key. The second ECU adds, to a transmission signal, an authentication keyword created from the public key and information capable of specifying the second ECU and transmits the transmission signal with the authentication keyword added thereto to the network. The first ECU acquires the authentication keyword and estimates the reliability of the communication signal on the basis of the acquired authentication keyword and the secret key.
    Type: Grant
    Filed: March 2, 2012
    Date of Patent: August 9, 2016
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventors: Shohei Koide, Yuji Ninagawa, Noriaki Inoue
  • Patent number: 9401907
    Abstract: An electronic device that shares a secret key with another electronic device; receives a first response request transmitted from the another electronic device; generates a first response message based on the first response request and the secret key; receives a second response request transmitted from the another electronic device; and generates a second response message based on the second response request, the second response message transmitted to the another electronic device and including authentication data generated based on the secret key. The electronic device is authorized to receive data from the another electronic device when the authentication data matches expected authentication information generated by the another electronic device, and a predetermined time elapsed from a transmission of the second response request does not expire before the second response message is received by the another electronic device.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: July 26, 2016
    Assignee: SONY CORPORATION
    Inventors: Takehiko Nakano, Hisato Shima
  • Patent number: 9384333
    Abstract: The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing,
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: July 5, 2016
    Assignee: Bassilic Technologies LLC
    Inventors: David H. Sitrick, Russell T. Fling
  • Patent number: 9367671
    Abstract: A first component of a Hypervisor is loaded into the memory upon start up. The first component is responsible for context switching and some interrupt handling. The first component of the Hypervisor runs on a root level. An OS is loaded into a highest non-root privilege level. A second component of the Hypervisor is loaded into OS space together with the OS, and running on the highest non-root privilege level. A Virtual Machine Monitor is running on the root level. The second component of the Hypervisor is responsible for (a) servicing the VMM, and (b) enabling communication between VMM code launched on non-root level with the first component of the Hypervisor to enable root mode for the VMM. A Virtual Machine is running on a user level under control of the VMM.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: June 14, 2016
    Assignee: Parallels IP Holdings GmbH
    Inventors: Nikolay N. Dobrovolskiy, Alexey B. Koryakin, Alexander G. Tormasov
  • Patent number: 9317526
    Abstract: In a data protection compliant version control system, a change committed by a user in a version is stored. A cryptographic hash value generated based on a set of parameters corresponding to the user and the version is computed. The cryptographic hash value along with the change committed by the user is stored. The cryptographic hash value is associated with the change committed by the user by a redirection pointer. The redirection pointer is deleted to disassociate the change committed by the user from the cryptographic hash value, thereby disassociating the change committed by the user from the user. The change committed by the user is displayed in a user interface associated with the version control system.
    Type: Grant
    Filed: November 11, 2014
    Date of Patent: April 19, 2016
    Assignee: SAP SE
    Inventor: Udo Klein
  • Patent number: 9317715
    Abstract: The disclosure generally describes computer-implemented methods, software, and systems for modeling and deploying decision services. One computer-implemented method includes encrypting, by operation of a computer, personally-identifiable information (PII) data using a first cryptographic key, wherein the PII data is associated with non-encrypted associated data, encrypting the encrypted first cryptographic key with a second cryptographic key, determining that the occurrence of a PII data disassociation event associated with the second cryptographic key has occurred, and rendering the PII data inaccessible by disassociating the second cryptographic key from the encrypted first cryptographic key.
    Type: Grant
    Filed: August 24, 2012
    Date of Patent: April 19, 2016
    Assignee: SAP SE
    Inventors: Mark T. Schuette, Juergen Schneider, Paul El Khoury
  • Patent number: 9306737
    Abstract: The methods and systems described herein provide for secure implementation of external storage providers in an enterprise setting. Specifically, the present invention provides for allowing the secure use of processes that may transmit files to external storage providers or access files from an external storage provider. In some arrangements, a process, such as an untrusted process, may request access to a file. A security agent may intercept the request and encrypt the file. The file can then be transmitted to the external storage provider. A user may subsequently request access to the file. A security agent may intercept a message in connection with this request, determine whether the user is authorized to access the file, and decrypt the file.
    Type: Grant
    Filed: May 18, 2012
    Date of Patent: April 5, 2016
    Assignee: Citrix Systems, Inc.
    Inventors: Richard Hayton, Andrew Innes
  • Patent number: 9288046
    Abstract: A device for generating an encrypted master key. The device comprises at least one input interface configured to receive a receiver identifier, a service provider identifier and a master key for the service provider; a memory configured to store a secret of the device; a processor configured to: process the receiver identifier using the secret to obtain a root key, process the service provider identifier using the root key to obtain a top key and process the master key using the top key to obtain an encrypted master key; and an output interface configured to output the encrypted master key. Also provided is a method for providing an encrypted master key to a receiver. An advantage is that the device can enable a new service provider to provide services to a receiver using an already deployed smartcard.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: March 15, 2016
    Assignee: Thomson Licensing
    Inventors: Eric Desmicht, Olivier Courtay, Renaud Rigal
  • Patent number: 9282095
    Abstract: A tamper-resistant security device, such as a subscriber identity module or equivalent, has an AKA (Authentication and Key Agreement) module for performing an AKA process with a security key stored in the device, as well as means for external communication. The tamper-resistant security device includes an application that cooperates with the AKA module and an internal interface for communications between the AKA module and the application. The application cooperating with the AKA module is preferably a security and/or privacy enhancing application. For increased security, the security device may also detect whether it is operated in its normal secure environment or a foreign less secure environment and set access rights to resident files or commands that could expose the AKA process or corresponding parameters accordingly.
    Type: Grant
    Filed: June 19, 2014
    Date of Patent: March 8, 2016
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Mats Näslund, Karl Norrman, Tomas Goldbeck-Löwe
  • Patent number: 9281944
    Abstract: A master public key is generated as a first set of lattices based on a set of attributes, along with a random vector. A master secret key is generated as a set of trap door lattices corresponding to the first set of lattices. A user secret key is generated for a user's particular set of attributes using the master secret key. The user secret key is a set of values in a vector that are chosen to satisfy a reconstruction function for reconstructing the random vector using the first set of lattices. Information is encrypted to a given set of attributes using the user secret key, the given set of attributes and the user secret key. The information is decrypted by a second user having the given set of attributes using the second user's secret key.
    Type: Grant
    Filed: January 10, 2014
    Date of Patent: March 8, 2016
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Vinod Vaikuntanathan, Panagiotis Voulgaris
  • Patent number: 9253168
    Abstract: The present inventions, in one aspect, are directed to systems and circuitry for and/or methods of establishing communication having one or more pairing facilitator-intermediary devices (for example, a network connected server) to enable or facilitate pairing and/or registering at least two devices (e.g., (i) a portable biometric monitoring device and (ii) a smartphone, laptop and/or tablet) to, for example, recognize, interact and/or enable interoperability between such devices. The pairing facilitator-intermediary device may responsively communicate information to one or more of the devices (to be paired or registered) which, in response, enable or facilitate such devices to pair or register. The present inventions may be advantageous where one or both of the devices to be paired or registered is/are not configured (e.g., include a user interface or certain communication circuitry that is configured or includes functionality) to pair devices without use of a facilitator-intermediary device.
    Type: Grant
    Filed: March 9, 2015
    Date of Patent: February 2, 2016
    Assignee: Fitbit, Inc.
    Inventor: Heiko Gernot Albert Panther
  • Patent number: 9209969
    Abstract: A method of per-packet keying for encrypting and decrypting data transferred between two or more parties, each party having knowledge of a shared key that allows a per-packet key to differ for each packet is provided. Avoiding the use of a static session key during encryption offers several advantages over existing encryption methods. For example, rejecting packets received with duplicate sequence numbers, or sequence numbers that are beyond a specified deviation range mitigates Replay Attacks.
    Type: Grant
    Filed: February 14, 2011
    Date of Patent: December 8, 2015
    Assignee: KOOLSPAN, INC.
    Inventors: Anthony C. Fascenda, Emil Sturniolo