Abstract: Techniques are provided for generating and using a multi-signature token for electronic message validation according to the one or more embodiments as described herein. Specifically, a multi-signature token may be generated that includes at least two digital signatures and information (e.g., user information). Each of the at least two digital signatures may be generated using a private key of at least two key pairs that are maintained on a plurality of keystores that have at least two different implementations (e.g., security protocols). If the at least two digital signatures are valid, the multi-signature token may be determined to be valid and the client request may optionally be performed. If at least one of the at least two digital signatures is invalid, the client request is optionally not performed.

Abstract: A disclosed example gateway node includes network communicator circuitry, memory, instructions, and processor circuitry. The network communicator circuitry is to send a first portion of a multi-part secret key to a first secret holder node, and send a plurality of shares of a second portion of the multi-part secret key to second secret holder nodes. The processor circuitry is to execute the instructions to combine responses from the first secret holder node and at least one of the second secret holder nodes to generate a combined authentication message, the network communicator circuitry to send the combined authentication message to a terminal node for authentication.

Abstract: An aspect of the present invention is provided with a sensitive data protection code generating unit which generates a sensitive data protection code of a predetermined data length, a symmetric encryption key generating unit which generates a symmetric encryption key by using a key derivation function that takes, as input, the sensitive data protection code, a sensitive data encrypting unit which encrypts sensitive data by using the symmetric encryption key, a sensitive data protection code encrypting unit which encrypts the sensitive data protection code by using a public key provided from an sensitive data access support terminal, and a deleting unit which deletes the symmetric encryption key and the sensitive data after the encryption of the sensitive data, and deletes the sensitive data protection code after the encryption of the sensitive data protection code.

Abstract: A decentralized and/or hybrid decentralized method for secure cryptography key storage referred to as Mutual Dependency Architecture (MDA) includes the steps of encrypting the cryptographic key using an unlock key; encrypting the unlock key using an encryption tool to create an encrypted seed; and storing the encrypted seed; wherein a user must have access to a first storage area in the device and to a second storage area external to the device in order to access the cryptographic key. In one embodiment, the encryption tool is a store key that is stored in unencrypted form in the first storage area, while the encrypted seed is stored in the second storage area. In another embodiment, the encryption tool is a Hardware Security Module (HSM) having an authentication key that is encrypted using a store key and stored in the second storage area, while the encrypted seed and the store key are stored in unencrypted form in the first storage area.

Abstract: Systems and methods for enhanced mobile device authentication are disclosed. Systems and methods for enhanced mobile authentication are disclosed. In one embodiment, method for electronic device authentication may include (1) a server comprising at least one computer processor communicating a one-time passcode to an electronic device over a first communication channel; (2) the server receiving, from the electronic device over a second communication channel the one-time passcode encrypted with a private key associated with the electronic device; (3) the server decrypting the one-time passcode using a public key; (4) the server validating the one-time passcode; (5) the server generating a device identifier for the electronic device; and (6) the server persisting an association between the device identifier and the electronic device.

Abstract: Methods, apparatuses, and systems related to data management and security in a memory device are described. Data may be stored in a memory system, and as part of an operation to move data from one region to another in the memory system, the data may be validated using one or more hash functions. For example, a memory device may compute a hash value of some stored data, and use the hash value to validate another version of that stored data in the process of writing the other version stored data to a region of the memory system. The memory device may store another hash that is generated from the hash of the stored data and a record of transactions such that transactions are identifiable; the sequence of transactions within the memory system may also be identifiable. Hashes of transactions may be stored throughout the memory system or among memory systems.

Abstract: Systems and processes are described for establishing and using a secure channel. A shared secret may be used for authentication of session initiation messages as well as for generation of a private/public key pair for the session. A number of ways of agreeing on the shared secret are described and include pre-sharing the keys, reliance on a key management system, or via a token mechanism that uses a third entity such as a hub to manage authentication, for example. In some instances, the third party may also perform endpoint selection (e.g., load balancing) by providing a particular endpoint along with the token.

Abstract: A system and method for securing application programming interface (API) requests using multi-party digital signatures. The method includes generating, by a first system, at least one first secret share of a plurality of secret shares based on an API secret, wherein the plurality of secret shares includes the at least one first secret share and at least one second secret share, wherein the at least one second secret share is generated by at least one second system; and signing, by the first system, an API request using the at least one first secret share, wherein the API request is further signed by the at least one second system using the at least one second secret share, wherein the API request is signed without revealing any of the at least one first secret share to the at least one second system and without revealing any of the at least one second secret share to the first system.

Abstract: Systems and methods for performing cryptographic data processing operations in a manner resistant to external monitoring attacks. An example method may comprise: executing, by a processing device, a first data manipulation instruction, the first data manipulation instruction affecting a state of the processing device; executing a second data manipulation instruction, the second data manipulation instruction interacting with said internal state; and breaking a detectable interaction of the first data manipulation instruction and the second data manipulation instruction by executing a third data manipulation instruction utilizing an unpredictable data item.

Abstract: A technique, performed by an electronic device, of managing a security key is provided. The electronic device may receive security information from each of at least one other electronic device, determine a master electronic device based on a security level of the electronic device and a security level of a security level of the at least one other electronic device, the security level of the at least one other electronic device being included in the received security information, generate a security key as the electronic device is determined as the master electronic device, and determine a portion to be removed from the security key for each security level of a plurality of electronic devices including the electronic device and the at least one other electronic device, and provide each partial security key from which the determined portion is omitted, to the at least one other electronic device.

Abstract: In an example system for private key recovery performed by a processor of a key recovery computing system, a key recovery computing system is configured to provide an original private key. The original private key is associated with a storage location of a blockchain-based asset. The key recovery computing system is configured to receive supplemental recovery information provided by a user via a user computing device. A recovery seed is derived from at least a subset of the supplemental recovery information, wherein the recovery seed is non-invertible. The original private key and the recovery seed are stored relationally to the supplemental recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the original private key and the recovery seed via a universal second-factor authentication (U2F) device.

Abstract: The present invention relates to methods for secure computation and/or communication. Entangled photons (118) are generated such that each participating party receives a series of optical pulses. Each party has private information (110, 112) which are never transmitted through public or private communication channels. Instead, each party converts their respective private information (110, 112) into measurement bases via an encryption process (114, 116) which are then applied to the entangled photons (118). After the measurement process, e.g., quantum frequency conversion (122, 124), reference indices are announced (124, 126) so that computation can be performed (128) without revealing the private information directly or indirectly.

Abstract: A method for secure online collaboration is provided. The method includes receiving, at a server of a cloud-based storage system, first encrypted data from a first client device. The cloud-based storage system stores a plurality of documents in an encrypted form. The method also includes determining a document of the plurality of documents that is associated with the first encrypted data. The document is not accessible to the server in a decrypted form. The first encrypted data represents an edit to a portion of the document. The method further includes determining a plurality of user accounts of collaborators of the document. The plurality of user accounts includes a first user account associated with the first client device. Moreover, the method includes providing the first encrypted data to one or more other client devices that are each associated with one of the plurality of user accounts, excluding the first user account.

Abstract: System and method for digitally signing messages using multi-party computation.

Abstract: A system and method for public API authentication by an API server includes receiving from a client/app a PK request for a Partial Key (PK), having a User ID, Session ID, rolling hash function (Fn2) version defining a client/app hash function (Fn2), and a received Temporary Key (TK); validating the received TK using Fn2 with the Session ID and either an Initial Key (IK) or a current PK; when the TK validation is complete, sending a PK calculated using a PK hash function (Fn1) with the User ID and a slot-generated rolling random number; receiving an API request for an API service having the User ID, Session ID, Fn2 version, and a received Authorization Key (AK); validating the received AK using Fn2 with the Session ID and the current PK; and when AK validation is complete, sending a successful response from the API service.

Abstract: The present disclosure discloses an information storage method performed at a server.

Abstract: Technologies for providing multiple device authentication in a heterogeneous network include a gateway node. The gateway node includes a network communicator to receive a request from a terminal node to authenticate a user of a set of heterogeneous nodes connected to the gateway node and broadcast a credential request to the nodes. Additionally, the gateway node includes a response combiner to combine responses from the set of nodes to generate a combined authentication message. The network communicator is further to send the combined authentication message to the terminal node for authentication. Other embodiments are described and claimed.

Abstract: Methods and apparati for securely transferring application storage keys in an application in a trusted computing environment, when the trusted computing base is modified. In an apparatus embodiment of the present invention, a computing device comprises: a protected partition in which an application can execute without attack from outside a trusted computing base of the partition; and a storage key derivation module which provides a first storage key to said application, where the value of the first storage key is derived from a computation dependent upon a first version of the trusted computing base that is launched on the platform.

Abstract: Methods and apparati for auditing uses of audited cryptographic keys.

Abstract: A layered secret sharing scheme in which a trust set of each of the parties receiving a share of the secret is received and used to generate an authorized set and an adversary set for reconstruction of a secret. In this regard, an access structure defining an authorized subset of participants may be based, at least in part, on the encoded trust subsets of the shares. The secret sharing scheme includes a secret generator that generates the shares distributed to the parties. In turn, an authorized subset of participants as defined by the access structure may provide shares to a dealer for reconstruction of the secret. However, if the participants requesting secret reconstruction are not an authorized subset of participants or if participants define an adversary subset, the secret reconstruction fails. In this regard, even if an authorized subset is present, if an adversary subset is present, the reconstruction may be “killed.

Abstract: An example operation may include one or more of splitting a session key into a plurality of partial shares, distributing the plurality partial shares to a plurality of content providers, respectively, where each content provider receives a different partial share of the session key, encrypting a stream of media content based on the session key, and transmitting the encrypted stream of digital content to a user device which has one or more partial shares among the plurality of partial shares.

Abstract: A system, method, and computer program product are provided for performing hardware-backed password-based authentication. In operation, a system receives a request to access software utilizing password-based authentication. Further, the system receives a password for the password-based authentication. The system computes a hash utilizing the password and a hardware-based authenticator associated with hardware of the system. Moreover, the system verifies that the hash computed utilizing the password and the hardware-based authenticator is correct for accessing the software.

Abstract: Sensitive electronic data may be encrypted using multiple identity credentials from multiple parties. Before the sensitive electronic data is encrypted, the multiple N identity credentials are input to a software application. Moreover, a minimum number Nmin of the N of the identity credentials are selected for decryption. The software application thus generates at least one of an encryption key and a decryption key as a keypair based on the N identity credentials and the minimum number Nmin of the identity credentials. The software application encrypts the sensitive electronic data using the encryption key to generate an encrypted version. Before decryption of the encrypted version, though, the software application may require input of the minimum number Nmin of the identity credentials. If the minimum number Nmin of the identity credentials are correctly input, the correct decryption key is generated and may be used to decrypt the encrypted version.

Abstract: A secret sharing scheme in which a trust structure of the parties receiving a share of the secret is encoded in the shares. In this regard, an access structure defining an authorized set of participants may be based, at least in part, on the encoded trust structures. The secret sharing scheme includes a secret generator that generates the shares distributed to the parties. In turn, an authorized set of participants as defined by the access structure may provide shares to a dealer for reconstruction of the secret. However, if the participants requesting secret reconstruction are not an authorized set of participants, the secret reconstruction fails. In this regard, secret sharing with asymmetrical trust structures may be provided in which the trust structures are not known by other parties in the scheme.

Abstract: A method of participation verification includes generating sets of cryptocurrency coins (coin sets). The coin sets have cryptocurrency coins and correlate to events for which participation is verified. The method includes generating user keys including unique public keys for each user and user secret keys. The method includes assigning a public key to a user, communicating the assigned public key to a user device and enabling download of a verification application. The method includes receiving a first coin request that includes identification of a first coin set, the assigned public key, and a data set. The method includes verifying user participation in an event based on the data set. The method includes executing a cryptocurrency transaction with the user device. The cryptocurrency transaction including public validation of a transfer of a cryptocurrency coin from the identified coin set to the user device via an append-only ledger.

Abstract: A system of peer identity verification that reduces the risk of identity theft in case of a data breach. The system does not require a vendor to maintain a database of sensitive customer-related data. Cryptographic keys are used. The system creates a one-time encryption keypair. The public and private keys of each user are saved securely on each user's device. While the public key for each user is stored remote from each user's device (such as in a cloud), the private key for a given user is not stored anywhere other than securely on that user's device. Thereafter, a user (i.e., the main user) requests another user to act as their “trusted peer” to be added to their “trust cluster.” If that other user accepts the request, the main user's private key is encrypted with that other user's public key and this encrypted data gets stored remotely, such as in a cloud.

Abstract: Secure distribution of data objects using a unique quantum-safe cryptographic key provided to a user requesting the data object that has been authenticated using a zero-knowledge authentication. A user may access the system by way of the zero-knowledge authentication to request access to a data object of a data library. The system may generate and associate a unique quantum-safe cryptographic key for the instance of the data library to be provided to the authenticated user. The data object is encrypted using the unique quantum-safe cryptographic key. The encrypted data object and the unique quantum-safe cryptographic key are provided to the authenticated user. Other instances of the data object may also be encrypted with other unique quantum-safe cryptographic keys. In turn, access to a unique quantum-safe cryptographic key may not be useful in decrypting other instances of the data object, and other data objects may not be decrypted using a given unique key for a given data object instance.

Abstract: A registry apparatus is provided for maintaining a device registry of agent devices for communicating with application providing apparatus. The registry comprises authentication information for uniquely authenticating at least one trusted agent device. In response to an authentication request from an agent device, the authentication information for that device is obtained from the registry, and authentication of the agent device is performed. If the authentication is successful, then application key information is transmitted to at least one of the agent device and the application providing apparatus.

Abstract: An Iconsent application allows a party to consent to a transaction or to a romantic advance. The party is given a request, and if accepted, the acceptance is stored along with the biometric indicating that the authorized user did in fact carry out the acceptance.

Abstract: Methods are described for constructing a secret key by multiple participants from multiple ciphertexts such that any quorum combination of participants can decrypt their respective ciphertexts and so generate a fixed number of key fragments that can be combined by a recipient to generate the secret key. Worked examples are described showing how the encryption keys for the ciphertexts may be key wrapped using a key encapsulation mechanism for which ciphers that are resistant to attack by a quantum computer may be used. In these cases, a post-quantum quorum system is realised. Methods are described by which the quorum key fragment ciphertexts may be updated so that the original key fragments become invalid without necessitating any change to the secret key.

Abstract: A security component according to an example embodiment includes: a user authentication processor configured to authenticate the input data by determining whether the input data is provided by an authorized user of the security component based on component user data of the input data; a master key generator configured to generate a master key based on the component user data of the input data in response to the user authentication processor authenticating the input data; a decryption processor configured to generate security data by decrypting encrypted data of the input data based on the master key; and a security storage configured to store the security data.

Abstract: Methods and apparatus for auditing uses of cryptographic keys. In a method embodiment of the present invention, a set of audited uses for a cryptographic key is defined; the key is generated inside a protected execution environment of a digital computer; all software and firmware that is usable in the execution environment to access the key is demonstrated to an auditor; and, for each audited use of the key, a non-tamperable audit record describing said use is released.

Abstract: A system and methods for identifying personal identifiable information in a data container are disclosed. The system and methods interrogate data at its most fundamental level, thereby allowing complex rule matching to occur. This can be coupled with a data in transit analysis mechanism, or be integrated into a data store search mechanism, to ensure maximum awareness of any potential issues with the security of the qualified data elements.

Abstract: For protection of multipart system applications using a cryptographically protected package, a package map and a package object store for decryption and verification at runtime on the target device platform, a method including associating a device class with a set of content signing and encryption keys; signing application files based on the device class of the target device platform; aggregating application files into a file container based on a structured construct; encrypting application files/file containers with an encryption key associated with the device class; generating a package map and object stores for cryptographic artifacts and detached package metadata for passwords associated with the device package; building, the device package and update packages of the device package, detached package metadata, and package install scripts for the target device platform; publishing, the update packages signed with update package provider and update package publisher signing keys, and encrypted with target de

Abstract: The invention relates to a method for setting up a secure session between a first entity and a second entity. In an embodiment, the first entity is a user authentication device and the second entity is an application running on a platform. The method comprises generating a first random number. A user enters a first string, derived from said first number, into the second entity. Further, the method includes applying a one-way function to the first string or to a derivative thereof, obtaining an encoded string. The method also comprises transmitting the encoded string to an intermediate node that is in connection to the first entity and the second entity. Further, the method comprises the step of sharing a second random number with the second entity. The method also comprises a step of deriving a secret key from the first and the second string.

Abstract: Data storage nodes that participate in a requested data statistical analysis as participant data storage nodes are determined and divided into a plurality of node sets. Data stored in each participant data storage node associated with a particular node set is encrypted, where the encrypted data is divided into a number of fragments at least equal to a number of participant data storage nodes associated with the particular node set. Each participant data storage node sends a portion of the encrypted data to each of the other participant data storage nodes within the particular node set. Each participant data storage node processes received encrypted data and data remaining on the particular participant data storage node to obtain a processing result. Each participant data storage node sends the processing result to a proxy node, wherein the proxy node performs data statistical analysis based on the processing result.

Abstract: Enabling access to encrypted information by providing a master key and a public key to a partial content owner, generating a ciphertext of content according to a complete content data, at least one content data partition and the public key, wherein the content data partition comprises a portion of the complete content data, providing the ciphertext of the content data and the public key to a validator, receiving a validation result from the validator, and acting upon the validation result.

Abstract: A secure data parser is provided that may be integrated into any suitable system for securely storing and communicating data. The secure data parser parses data and then splits the data into multiple portions that are stored or communicated distinctly. Encryption of the original data, the portions of data, or both may be employed for additional security. The secure data parser may be used to protect data in motion by splitting original data into portions of data that may be communicated using multiple communications paths.

Abstract: A data set shared by multiple nodes is encrypted. The data set can be split into independent records. The records can be encrypted and shared independently, without the need to modify and transmit the full data set. Although the records are encrypted with their own encryption key, they are all accessible by a single authentication method.

Abstract: Methods and apparatus are provided for secret sharing with a verifiable reconstruction type. An exemplary method comprises receiving a plurality of shares of a secret generated using a secret splitting scheme; reconstructing the secret if the plurality of shares satisfies a predefined reconstruction threshold; and generating a proof identifying at least one of the plurality of shares used in the reconstruction. The proof is optionally verified by a verifier and the verification is optionally based on auxiliary information derived by the secret splitting scheme used to share the secret. The verifier optionally implements layered access control, for example, based on a rank of the shares used for reconstruction. The reconstructed secret is optionally provided to the verifier. A user can be granted a level of access to a protected resource based on the proof, the reconstructed secret and one or more predefined policies. One or more steps can be proactivized to maintain share freshness.

Abstract: Secure logging systems and methods using cryptography and/or encryption with crash recovery. In some embodiments, the secure logging system includes an initialization module to initialize cells of a logging database, including inserting a pseudorandom number into each cell of the logging database. In some embodiments, the secure logging system includes an addition module to encrypt new log messages and add them to the logging database in a given number of pseudorandom cells of the logging database. In some embodiments, the secure logging system includes a listing module to determine where in the logging database the log message was stored and then to decrypt the encrypted log messages. These systems and methods improve computer related technology including by improving crash reconstruction, root cause analysis, network systems security, and logging system encryption and security.

Abstract: The present disclosure describes techniques that improve upon the use of authentication tokens as a means of verifying a user identity. Rather than facilitating the issuance of authentication tokens as bearer tokens, whereby any user may present an authentication token to a secure service provider for access to secure service, this disclosure describes techniques for generating recursive authentication tokens that are digitally signed by an Identity Service Provider (IDP) and the entity that purports to present the authentication token to the service provider. Additionally, a recursive token application is described that is configured to nest preceding authentication tokens that trace back to an initial secure service request. For example, a recursive authentication token received by a second service provider may include, nested therein, the first service provider recursive authentication token and a preceding client recursive authentication token that is associated with the initial secure service request.

Abstract: A client seeking to establish a cryptographically-secure channel to a server has an associated public key acceptance policy. The policy specifies a required number of certificates that must be associated with the server's public key, as well as one or more conditions associated with those certificates, that must be met before the client “accepts” the server's public key. The one or more conditions typically comprise a trust function that must be satisfied before a threshold level of trust of the client is met. A representative public key acceptance policy would be that certificate chains for the public key are valid and non-overlapping with different root CAs, and that some configurable number of those chains be present. The technique may be implemented within the context of an existing client-server SSL/TLS handshake.

Abstract: In one or more embodiments, an encryption key of a device may be split into multiple segments. One of the segments may be retained by an owner of the device, and some of the segments may be distributed to multiple entities. For example, one of the segments may be provided to a service provider, and one of the segments may be provided to an escrow agent. The escrow agent may process its segment, provide information based on its segment to a public ledger, and destroy its segment. A proxy agent may retrieve, from the public ledger, the information based on the segment provided to the escrow agent and obtain compensation. When the proxy agent obtains the compensation, the public ledger exhibits information utilizable to obtain the segment provided to the escrow agent. With the segments provided to the escrow agent and the service provider, the encryption key may be obtained.

Abstract: A user device can segment a secret (e.g., a data recovery key) into a master segment and a shared segment such that possession of both segments is necessary and sufficient to reconstruct the secret. The user device can provide the master segment to a server system. The user device can further segment the shared segment to generate a set of M shares such that any subset of the shares that includes at least a threshold number t of the shares can be used to reconstruct the shared segment, while fewer than t shares provide no information about the shared segment. The M shares can be distributed to shareholder devices. To reconstruct the secret, a recovery device can obtain the master segment and at least t of the M shares, then reconstruct the secret.

Abstract: A system for identifying one or more malicious parties participating in a secure multi-party computation (MPC), comprising one of a plurality of computing nodes communicating with the plurality of computing nodes through a network(s). The computing node is adapted for participating in an MPC with the plurality of computing nodes using secure protocol(s) established over the network(s), the secure protocol(s) support transmittal of private messages to each of the other computing nodes and transmittal of broadcast messages to all of the computing nodes, detecting invalid share value(s) of a plurality of share values computed and committed by the computing nodes during the MPC, verifying each of the share values according to a plurality of agreed share values valid for the MPC which are determined through a plurality of broadcast private messages, identifying identity of malicious computing node(s) which committed the invalid share value(s) failing the verification and outputting the identity.

Abstract: Apparatuses and techniques to utilize a scratch organization as a unit of virtualization. Potential hosts for a scratch organization are evaluated. The potential hosts include at least the first group of hardware processing devices and a second group of the plurality of hardware processing devices to provide remote client computing environments. A target host is selected from the potential hosts. The scratch organization to be hosted by the target host is generated. Data is loaded from a test source that is not the subject organization into the scratch organization. One or more test operations are performed on the scratch organization using the loaded data with the target host. The scratch organization is destroyed on the selected host after the one or more test operations have been performed.

Abstract: A first share value and a second share value may be received. A combination of the first share value and the second share value may correspond to an exponent value. The value of a first register is updated using a first equation that is based on the first and second share values and the value of a second register is updated using a second equation that is based on the second share value. One of the value of the first register or the value of the second register is selected based on a bit value of the second share value.

Abstract: A data processing system includes a plurality of subsystems, a plurality of local security controllers, and a central security controller. Each subsystem of the plurality of subsystems has a security component for providing a security function. A local security controller corresponds to each one of the subsystems. Each local security controller ensures compliance of the security component with local security policies of the subsystem to which the local security controller corresponds. The central security controller is coupled to the local security controller of each of the plurality of subsystems. The central security controller ensures data processing system compliance with system wide security policies. In the event of a detected security violation, the local security controller may respond automatically, without involvement of the central security controller. A method for securing the data processing system is also provided.

Abstract: In an example system for private key recovery performed by a processor of a key recovery computing system, a key recovery computing system is configured to provide an original private key. The original private key is associated with a storage location of a blockchain-based asset. The key recovery computing system is configured to receive supplemental recovery information provided by a user via a user computing device. A recovery seed is derived from at least a subset of the supplemental recovery information, wherein the recovery seed is non-invertible. The original private key and the recovery seed are stored relationally to the supplemental recovery information. In some embodiments, the processor is further configured to cryptographically protect at least one of the original private key and the recovery seed via a universal second-factor authentication (U2F) device.