Abstract: Data protection in a storage system that includes a plurality of Non-Volatile Memory Express (‘NVMe’) Solid State Drives (‘SSDs’), including: retrieving, from a plurality of NVMe SSDs (‘Non-Volatile Memory Express Solid State Drives’) of a storage system, one or more unencrypted shares of a master secret; reconstructing the master secret using the shares of the master secret; decrypting one or more encrypted device keys using the master secret; and using the decrypted device keys to perform a plurality of accesses to one or more of the NVMe SSDs.

Abstract: A method, a system, and a computer program product provide a method for managing a decentralized venture capital (“VC”) fund in a decentralized autonomous organization (“DAO”) configured to use a secure communication environment. The method includes securing authentication information, including user authentication information. The securing of the authentication information includes using a public key in the process to encrypt the authentication information and then decomposing the authentication information into subcomponents that are distributed randomly across a plurality of member computers. The method further includes recovering the authentication information by recombining the authentication information from its subcomponents then using a private key in the process to decrypt the authentication information.

Abstract: Methods, systems, and devices for authenticating software images are described. A system may include one or more control units that use software images for managing different functions of the system. The system may also include a secure storage device configured to validate or authenticate the software images used by the different control units of the system. A software image of a control unit may be authenticated by generating a first hash associated with a portion of its underlying source code and generating a second hash associated with a corresponding portion of the source code of the copy of the software image stored to the secure storage device. Different patterns of the source code of the software images may be used to generate the hashes. The first hash and second hash may be compared, and the software image may be authenticated based on the hashes matching.

Abstract: A method for securely receiving a multimedia content by a client device operated by one or more operator(s) involving a dedicated provisioning server of a security provider managing symmetric secrets used by the client devices and operators license servers. The provisioning server provides to the client device one or more generations of operator specific unique device secrets, which are then exploited by the various operators' license servers to deliver licenses such that authorized client devices can consume protected multimedia contents.

Abstract: Methods, non-transitory computer readable media, network traffic manager apparatuses, and systems that assist with detecting changes to a firmware software components, and configuration parameters includes obtaining an executable file comprising a basic input-output system firmware and software component data of a hardware component at run-time. A hash value for the obtained executable file at the run-time is identified. The identified hash value is compared with a stored hash value associated with the obtained executable file to determine when the obtained executable file is unmodified, wherein the stored hash value was determined at a build time of the hardware component. The obtained executable file of the hardware component is executed when the obtained executable file is determined to be unmodified.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes generating a symmetric content encryption key. Content is encrypted using the content encryption key to generate cipher text. A hash of the cipher text is generated. Each of the hash and the content encryption key is signcrypted using each of a signcrypting party public key, a signcrypting party private key and a recipient public key to generate a signcrypted envelope message. The cipher text is embedded in a component of the signcrypted envelope message. The signcrypted envelope message is transmitted to a recipient. The recipient can designcrypt the signcrypted envelope message using each of the recipient public key, a recipient private key, and the signcrypting party public key to retrieve the content encryption key and hash of the cipher text. The recipient can decrypt the cipher text using the content encryption key.

Abstract: Systems, methods, and computer-readable media are disclosed for systems and methods for anonymization of user data for privacy across distributed computing systems. Example methods may include determining, by a first computer system, a request for content to present at a user device, wherein the request for content is associated with a user account, determining a first search query associated with the user account, and determining a first keyword associated with the first search query. Some methods may include generating a first hash value for the first keyword, sending the first hash value to a second computer system for identification of first content for presentation at the user device, and causing the second computer system to send the first content to the user device for presentation, wherein the first computer system does not receive the first content.

Abstract: In aspects of multiplication operations on homomorphic encrypted data, a computing device stores homomorphic encrypted data as a dataset, and implements an encryption application that can perform multiplication operations on ciphertexts in the homomorphic encrypted data, where the ciphertexts include polynomial variables of the ciphertexts. The encryption application can compute and store intermediate polynomial variables that are computed as the multiplication operations are performed. The encryption application can then utilize one or more of the intermediate polynomial variables rather than recomputing the intermediate polynomial variables as the multiplication operations are performed on the ciphertexts.

Abstract: A user terminal generates a first key pair and a second key pair, transmits a permission request including a public encryption key of the second key pair after electronically signing the permission request with a secret encryption key, and acquires, from permission information transmitted from a right-holder terminal, a content decryption key by using a secret decryption key of the second key pair and uses the content. The right-holder terminal stores a third key pair and the content decryption key, verifies the permission request received, and encrypts the content decryption key by using the public encryption key of the second key pair included in the permission request and transmits the permission information including the encrypted content decryption key after electronically signing the permission information with a secret encryption key of the third key pair. The permission request and the permission information are transmitted and received via a blockchain.

Abstract: Embodiments of the present technology pertain to systems and methods for secure creation, custody, recovery, and management of a digital asset. Embodiments include receiving a custody request for a master private key. Embodiments further include dividing the master private key into a plurality master private key portions using a cryptographic algorithm, the cryptographic algorithm comprising a threshold number of the plurality master private key portions necessary for later reconstruction of the master private key, the threshold number of the plurality master private key portions being a subset of the plurality master private key portions.

Abstract: There is provided an encryption device to suppress calculation in the reverse direction in whitebox model encryption. The encryption device includes: having a predetermined relationship that outputs a plurality of output values according to a plurality of input values configured of plain text, with a part of the plurality of output values being inputted to a trapdoor one-way function, the predetermined relationship being defined by the output values that are not inputted to the trapdoor one-way function and one arbitrary input value of the plurality of input values; and having a property of encrypting a part of the plurality of output values according to the trapdoor one-way function, and the trapdoor one-way function not being able to decrypt encrypted data in a state in which a trapdoor is unknown.

Abstract: A technique includes encrypting plaintext to provide a set of projective coordinates that represents a point of an abelian variety curve and represents ciphertext. The technique includes encoding the projective coordinates with metadata, which is associated with the ciphertext.

Abstract: A method for tokenizing credentials is disclosed. In addition to a token, a verification value can be provided for each interaction. The verification value can be generated based at least in part on a dynamic data element. The dynamic data element may be kept secret, while the verification value can be distributed for use during an interaction. When the verification value is used, it can be validated by re-creating the verification value based at least on the stored dynamic data element.

Abstract: An example method of sharing a resource between software containers includes detecting a request from a first software container to access a resource of a different, second software container, an operational state of the second software container being controlled by a container engine running on the host computing device. The method also includes accepting or rejecting the request based on whether the first and second software containers, which each contain a respective software application, are part of a same logical software application. An example host computing device configured to share resources between software containers is also disclosed.

Abstract: A method, a system, and a computer program product provide crowd bootstrapping between a first user and a second user. The method includes securing authentication information, including user authentication information and payment authentication information for the first user and the second user. The securing of the authentication information includes using a public key in the process to encrypt the authentication information and then decomposing the authentication information into subcomponents that are distributed randomly across a plurality of member computers. The method further includes recovering the authentication information by recombining the authentication information from its subcomponents then using a private key in the process to decrypt the authentication information.

Abstract: Implementations of the present specification provide a blockchain-based transaction method and apparatus, and a remitter device. The method includes: calculating a transaction amount commitment, a first commitment random number ciphertext, and a second commitment random number ciphertext; and submitting transaction data to the blockchain, the transaction data including the transaction amount commitment, the first commitment random number ciphertext, and the second commitment random number ciphertext, for the transaction amount commitment and the first commitment random number ciphertext to be recorded into a remitter account, and the transaction amount commitment and the second commitment random number ciphertext to be recorded into a remittee account.

Abstract: Embodiments relate to a system, program product, and method for use with a physical computing device to process a data access request. The associated data is encrypted with a key pair that includes both a persistent key and a transient key. Both keys require authentication to access the requested data. The transient key is subject to real-time monitoring, with changes in situational data selectively affecting the validity of the transient key, and selectively changing the physical state of the physical computing device.

Abstract: In a storage system that includes a plurality of NVMe SSDs, data protection may be carried out by: for each of the plurality of NVMe SSDs, encrypting a device key using a master secret, wherein the device key, when not encrypted, is used to encrypt and decrypt data in one or more namespaces on the NVMe SSD; generating a plurality of shares from the master secret; and storing a separate share of the plurality of shares in a namespace prohibited from encryption on each NVMe SSD.

Abstract: An example method includes retrieving, based on firmware map data stored in a firmware map, first portions of a system firmware while omitting retrieval of second portions to form a combined portion. The firmware map data is indicative of the first portions of the system firmware that remain unchanged over a normal lifetime of the system firmware, and the firmware map data is also indicative of the second portions of the system firmware that may vary over the normal lifetime of the system firmware. The method further includes calculating at least one master hash code based on the combined portion, and storing the at least one master hash code in a hash code table in association with the firmware map data.

Abstract: Methods and apparatus for isolating the introduction of software defects in a dispersed storage network (DSN) are disclosed. In various embodiments, a search strategy is employed whereby after identifying a test failure in a current version of the memory software code, a sequence of interim versions of the code between the current version of the memory software code and a previous successfully tested version of the code is determined. A first version of the memory software code is selected from the sequence of interim versions (e.g., from the middle of or approximately in the middle of the sequence) and tested. When testing of the first version does not result in a test failure, a second version of the memory software code is tested, the second version selected from a sub-sequence of the sequence of interim versions between the first version of the code and the current version of the code.

Abstract: An Internet-of-Things (IoT)-enabled lock is provided to control access to a secure physical asset. Disparate authorized systems make requests for an access and receive authorization to access the asset. An authorized user with an authorized mobile device is dispatched to the asset pursuant to a request. Proximity-based mobile device authentication is performed when the mobile device is in a configured proximity of the asset and the mobile device establishes a wireless connection to the lock. A second factor authentication is performed on the user that operated the mobile device. A One-Time Code (OTC) is generated and provided to either the lock or the mobile device for access to the asset. Access events and service information for the asset are stored in a shared data repository. Each system has access through to the shared data repository to all auditing information associated with the asset.

Abstract: Systems, devices, and methods for controlling access to vehicles in rental, loaner, shared-use, and other vehicle fleets. Some of the present systems, devices, and methods use encrypted virtual keys that can be relayed to a vehicle computing device via a user's mobile device. Such virtual keys can be command-specific such that successful use of a virtual key results execution of a predetermined command or group of commands, and further commands require one or more additional virtual keys with the additional commands. Others of the present systems, devices, and methods provide tools: for provisioning or initial pairing of vehicle computing devices with corresponding vehicles, identifying and permitting a user to select locally available vehicles, prompting vehicle computing devices to retrieve pending commands from a server, and/or various other functions described in this disclosure.

Abstract: An apparatus for generating encoded data includes processing circuitry configured to encode data using a Mojette transform (MT) based on generating encoded representations of data blocks. Generating the encoded representations of data blocks includes reading data in the form of a data block formatted according to specified settings to comprise rows and columns, creating a set of projections, and outputting the created set of projections to enable storage of the data in the form of the set of projections. The apparatus then transmits the encoded data over a network to another device. Additionally, creating the set of projections includes applying the Mojette transform on the data block, and creating a first number of projections based on mapping each row of the data block to a corresponding projection, wherein the first number of projections carries the same information as a corresponding row.

Abstract: Electronic locking devices, systems, and methods may require the utilization of an electronic key generated by an electronic key generation device. The electronic key may be generated using a data payload received from a server and/or an administrative device. The administrative device is enabled to remotely manage the locking device and locking system via, for example, a software application running on the administrative device and/or a website.

Abstract: A compliance application automatically produces certification controls by translating framework controls. The framework controls are common certification controls used in production of the certification. The application retrieves framework controls including metadata from a compliance framework data store. Metadata of the framework controls map the framework controls to the certification. In addition, the application retrieves certification parity data associated with the metadata. Certification controls are produced based on the framework controls and the certification parity data. A view of the certification including the certification controls is provided to a customer requesting the certification.

Abstract: A method for assisting in improving the security of an electronic operation carried out via a secure element. The method comprises the following steps. A first application of the secure element is selected and writes a piece of contextual data in means of recording of the secure element. Then, a second application is selected, reads the contextual data in the means for recording and verifies if the contextual data satisfies a predefined condition. If yes, it is considered that the context of the selecting of the second application is legitimate and the electronic operation can continue normally.

Abstract: A computer implemented method of instantiating an encrypted disk image for a virtualized computer system includes providing a software component executing in a first virtual machine for instantiation in a first hypervisor, the software component invoking a second hypervisor within the first virtual machine; and providing a basic input output system (BIOS) for the second hypervisor, the BIOS being configured to decrypt and load the encrypted disk image to instantiate the virtualized computer system as a second virtual machine in the second hypervisor, and wherein the software component is further configured to migrate the second virtual machine at a runtime of the second virtual machine to the first hypervisor so as to provide a wholly encrypted disk image for the second virtual machine executing in the first hypervisor.

Abstract: Technologies are generally described for methods and devices for generating a final signature. The methods may comprise receiving a message by a processor. The methods may comprise generating a random number by a random number generator. The methods may comprise forwarding, by the processor, the random number to a cloaking element generator. The methods may comprise forwarding, by the processor, a private key to the cloaking element generator. The methods may comprise forwarding, by the processor, a group to the cloaking element generator. The methods may comprise forwarding, by the processor, a homomorphism to the cloaking element generator. The methods may comprise processing, by the cloaking element generator, the random number, the group, the private key, and the homomorphism to produce a cloaking element. The methods may comprise applying the cloaking element to transform the message into the final signature.

Abstract: In one embodiment, data for use by a processor is stored in a memory. A network interface communicates over a network with a second device. At a processor, a Somewhat Homomorphic Encryption (SHE) of a plurality of secret shares is generated. The SHE of the plurality of secret shares is sent to the second device. The following is performed in a loop: a first result of a homomorphic exclusive-or operation performed by the second device on the SHE is received, a SHE of the first result is performed, yielding a second result, a SHE of the second result is performed yielding a third result, the third result is transmitted to the second device, and a final SHE result is received from the second device. The received final SHE result is decrypted in order to produce a final Somewhat Homomorphically Decrypted (SHD) output. The final SHD output is then output. Related methods, systems, and apparatus are also described.

Abstract: A method for tokenizing credentials is disclosed. In addition to a token, a verification value can be provided for each interaction. The verification value can be generated based at least in part on a dynamic data element. The dynamic data element may be kept secret, while the verification value can be distributed for use during an interaction. When the verification value is used, it can be validated by re-creating the verification value based at least on the stored dynamic data element.

Abstract: A method for tokenizing credentials is disclosed. In addition to a token, a verification value can be provided for each interaction. The verification value can be generated based at least in part on a dynamic data element. The dynamic data element may be kept secret, while the verification value can be distributed for use during an interaction. When the verification value is used, it can be validated by re-creating the verification value based at least on the stored dynamic data element.

Abstract: A system and method for private key management in a public key encryption system are disclosed. In one embodiment, the system and method may utilize a “fake” private key to provide the private key management.

Abstract: A material set, such as an asymmetric keypair, is processed using an associated workflow to prepare the material set for activation and/or use. In one embodiment, a material set is generated and information about the material set is communicated to a workflow manager. Based at least on the information, the workflow manager generates a workflow that when accomplished will allow the material set to be activated and/or used. In another embodiment, a service provider provides a key manager, workflow manager and destination for the key, such as a load balancer that terminates SSL connections. A key can be generated by the key manager, sent through the workflow manager for processing (potentially communicated to third parties such as a certificate authority, if needed) and installed at a destination.

Abstract: In a storage system that includes a plurality of storage devices, data protection may include, for each of the plurality of storage devices: encrypting data of the storage device using the device key for the storage device; and encrypting the device key for the storage device using a master secret; generating a plurality of shares from the master secret; and storing the encrypted data, the encrypted device key, and a separate share of the plurality of shares in each storage device.

Abstract: According to one embodiment, an apparatus is configured to receive a request to communicate a message including a body to an intended recipient and to receive a first public key of the intended recipient and a second public key of the intended recipient. The apparatus is further configured to encrypt the body using a first message key to produce a first encrypted body, to encrypt the first message key using the first public key to produce a first encrypted message key, to encrypt the first encrypted message key and the first encrypted body using a second message key to produce a second encrypted body, and to encrypt the second message key using the second public key to produce a second encrypted message key. The apparatus is also configured to communicate an encrypted message to the intended recipient, the encrypted message including the second encrypted message key and the second encrypted body.

Abstract: A method for putting a first device in secure communication with a second device. The first device generating at least one first datum dependent on a private key specific to the first device and a public key specific to the second device. The second device generating at least one second datum dependent on a private key specific to the second device associated with the second device public key, and dependent on a third datum dependent on a public datum specific to the first device. Implementing a test verifying whether the first and second data meet a predetermined condition, and putting the first device in secure communication with the second device only if the predetermined condition is met. Before generating the second datum generating the third datum so that the predetermined condition is met only if input data are identical to reference secret data associated with the second device.

Abstract: A start switch device includes a start button configured to send a command to start or stop a vehicle drive device, a biometric sensor arranged on the start button for reading a biometric information of an operator to operate an operating surface of the start button, a light source configured to emit an illuminating light from an inside of the start button toward the operating surface, and a design part arranged around the biometric sensor on the operating surface and configured to define a design on the operating surface by the illuminating light transmitted therethrough.

Abstract: Technologies are generally described for methods and devices for generating a final signature. The methods may comprise receiving a message by a processor. The methods may comprise generating a random number by a random number generator. The methods may comprise forwarding, by the processor, the random number to a cloaking element generator. The methods may comprise forwarding, by the processor, a private key to the cloaking element generator. The methods may comprise forwarding, by the processor, a group to the cloaking element generator. The methods may comprise forwarding, by the processor, a homomorphism to the cloaking element generator. The methods may comprise processing, by the cloaking element generator, the random number, the group, the private key, and the homomorphism to produce a cloaking element. The methods may comprise applying the cloaking element to transform the message into the final signature.

Abstract: Two parties to a communication establish public and private keys through the use of implicit certificates. Each party establishes a new static key pair, and determines a difference between the new static key pair and the previously established keys. The differences are exchanged and used to determine new public static keys. Each party generates an ephemeral key pair from the static key pair, and a shared secret is derived from a combination of the ephemeral keys and the new static keys.

Abstract: Embodiments of a system and method for interactive barcode communication are described. In one embodiment, a mobile device presents a barcode to an information or transaction receptacle associated with the point of entry device. One embodiment provides for a method of transmitting data from an unconnected point of access device using an interactive barcode communication system on a mobile device, where the method comprises accessing a set of data on a point of access device, wherein the point of access device is unconnected from a data network with access to a central system database; dividing the set of data into multiple sections; incorporating the multiple sections into scan images for display during per-user transactions at the point of access device; and displaying the point of access data along with per-user transaction data during an interactive barcode communication transaction.

Abstract: Provided is a method according to the present invention comprising the steps of: (a) generating a message digest of a particular file when a request for authenticating same is obtained; (b) when a message digest encoded with a private key of a first user and a message digest encoded with a private key of a second user are obtained, and if the (i) (A) information for the message digest, which was encoded with the private key of the first user, decoded with a public key of the first user, (ii) (B) information for the message digest, which was encoded with the private key of the second user, decoded with a public key of the second user, and (C) the message digest generated in step (a) match, then registering, in a database, a hash value of the message digest encoded using the private key of the first user, private key of the second user and a private key of a server; and (c) obtaining a transaction ID reflecting location information of the registered hash value in the database.

Abstract: A method by which a hardware security module can attest remotely to its measure of trust as determined by its security certifications and the Level of Assurance it can be relied on to support without the human witnessing elements that are currently used to validate this trust. In a further embodiment the Level of Assurance can be transported to a second hardware security module.

Abstract: Systems and methods verifying a user during authentication of an integrated device. In one embodiment, the system includes an integrated device and an authentication unit. The integrated device stores biometric data of a user and a plurality of codes and other data values comprising a device ID code uniquely identifying the integrated device and a secret decryption value in a tamper proof format, and when scan data is verified by comparing the scan data to the biometric data, wirelessly sends one or more codes and other data values including the device ID code. The authentication unit receives and sends the one or more codes and the other data values to an agent for authentication, and receives an access message from the agent indicating that the agent successfully authenticated the one or more codes and other data values and allows the user to access an application.

Abstract: A computer system for facilitating care of a patient with a rare, complex, or chronic medical condition is provided. The system may include a server and a patient data module programmed to receive patient medical records pertaining to a patient, process the patient medical records to extract patient medical data pertaining to the patient, create a patient webpage specific to the patient which includes the patient medical data, and store the patient webpage. The system may also include a patient identification card provided to the patient which has an internet URL corresponding to the patient webpage encoded within a machine readable code. The patient data module may be programmed to receive, from a computer, a request to view the internet URL and transmit the patient webpage to the computer.

Abstract: When this image processing apparatus accepts an initial connection request from a mobile terminal, it displays a generated PIN code on a console unit 210, and when it accepts information corresponding to the PIN code from the mobile terminal, it compares that information with the generated PIN code, and performs authentication. When the authentication is successful, it generates a public key and a private key, and transmits the generated public key to the mobile terminal.

Abstract: Privacy-preserving stream analytics (personal data collection method, apparatus, and/or system) from an electronic (e.g., mobile) device providing communications, such as to a network (e.g., Internet). Data queries from a data analyst are received but not directly answered with a truthful query response. Truthful responses are privatized and anonymized based on a randomized response mechanism which releases privatized data and not the original answer. Anonymously transmitting randomized responses from the data owner to data aggregator using shares, each share of which is individually transmitted to an independent aggregator, which is configured for independently and asynchronously process each share, and sharing results with one another to arrive at a query response over an aggregate number of data owners.

Abstract: An example method includes retrieving, based on firmware map data stored in a firmware map, first portions of a system firmware while omitting retrieval of second portions to form a combined portion. The firmware map data is indicative of the first portions of the system firmware that remain unchanged over a normal lifetime of the system firmware, and the firmware map data is also indicative of the second portions of the system firmware that may vary over the normal lifetime of the system firmware. The method further includes calculating at least one master hash code based on the combined portion, and storing the at least one master hash code in a hash code table in association with the firmware map data.

Abstract: In a general aspect, a method for authenticating a plurality of slave devices connected to a master device can include: generating and sending by the master device a respective challenge to each slave device; in each slave device, generating a response to the respective challenge and transmitting it to the master device; verifying by the master device the response of one of the slave devices; returning by the master device the remaining responses to respective slave devices distinct from those that generated the responses; and verifying by each slave device the response returned thereto by the master device and transmitting the result of the verification to the master device.

Abstract: The secure configuration of a headless networking device is described. A label associated with the headless networking device is scanned and a public key is determined. scanning a label associated with a networking device. A configuration process is initiated for the networking device using the public key associated with the networking device that was determined based on the scanned label.

Abstract: The secure configuration of a headless networking device is described. A label associated with the headless networking device is scanned and a public key is determined. scanning a label associated with a networking device. A configuration process is initiated for the networking device using the public key associated with the networking device that was determined based on the scanned label.