Abstract: Described is system for transforming a SHARE protocol into a proactively secure secret sharing (PSS) protocol. A PREFRESH protocol is performed that includes execution of the SHARE protocol. The PREFRESH protocol refreshes shares of secret data among multiple parties. The SHARE protocol is a non-proactively secure secret sharing protocol.

Abstract: Encryption key(s) and/or other protected material are protected on devices. A secret splitting scheme is applied to a secret, S, that protects at least one data item to obtain a plurality of secret shares. At least one secret share is encrypted to provide at least one encrypted secret share using an encryption scheme that uses at least one other secret share as the encryption key. A subset of the plurality of secret shares and encrypted secret share(s) is required to reconstruct the secret, S. One or more secret shares and/or encrypted secret shares are provided to at least one device, for example, based on a corresponding key-release policy, to allow access to the data item(s) secured by the secret, S. The secret, S, comprises, for example, a secret key used to protect at least one content item and/or a key used to protect one or more of a content container and a vault storing one or more protected data items.

Abstract: A portable electronic device is provided. The portable electronic device includes a data interface module that processes files associated with a user, the data interface module receives and validates a password from a user of the portable electronic device before the user is allowed access to files processed by the data interface module, an encryption key formed by the data interface module upon validation of the password, the encryption key further comprising the password, a hard coded private string and a serial number of the portable electronic device and a data storage area that stores files received from the data interface module the stored files are encrypted using the encryption key and where neither the encryption key or the password are stored in an unencrypted format anyplace within the portable electronic device.

Abstract: Described is system for secure proactive multi-party computation. The system securely evaluates a circuit in the presence of an adversary. The circuit receives inputs of secret values from a set of servers. A RobustShare protocol is initialized to allow each server to distribute their secret values among the other servers. A RauDouSha protocol is initialized to generate random sharings of the secret values. A Block-Redistribute protocol is initialized to redistribute the secret values amount the set of servers. For each layer of the circuit, a permutation of the secret values is performed, and each layer of the circuit is evaluated. The Block-Redistribute is protocol is initialized to re-randomize the secret values such that privacy of the secret values is preserved. A sharing of the secret values is determined for each output gate, and a Reco protocol is initialized to reveal each sharing of secret values to an intended recipient.

Abstract: Preventing a rollback attack in a computing system that includes a primary memory bank and a backup memory bank, including during startup of the computing system: determining whether the computing system is attempting to use firmware in the backup memory bank; responsive to determining that the computing system is attempting to use firmware in the backup memory bank, determining whether the firmware in the backup memory bank is a previous version of firmware in the primary memory bank; responsive to determining that the firmware in the backup memory bank is a previous version of firmware in the primary memory bank, determining whether a system administrator has authorized the use of the firmware in the backup memory bank; and responsive to determining that the system administrator has authorized the use of the firmware in the backup memory bank, configuring the computing system to utilize the firmware in the backup memory bank.

Abstract: Disclosed are systems and method or updating full disk encryption (FDE) software on a computer. An example method comprises: blocking operations of the FDE software on a boot drive of the computer; installing one or more components of the updated FDE software; deploying an updated pre-boot compatibility verification component of updated FDE software; rebooting the computer and executing, before booting of an operating system, the updated pre-boot compatibility verification component; determining, by the updated pre-boot compatibility verification component, a compatibility of the boot disk with the updated FDE software without decrypting and encrypting the boot disk of the computer by the updated FDE software; if the boot disk is determined to be compatible with the updated FDE software, authenticating a computer user and booting the operating system of the computer; and unblocking one or more operations of the updated FDE software on the boot drive.

Abstract: A system for protecting content includes a mobile device screen including a plurality of pixels, whereby each of the plurality of pixels have first sub-pixel units that include a first viewing angle and second sub-pixel units that include a second viewing angle. Within each of the plurality of pixels, the first sub-pixel units are adjacent to the second sub-pixel units. A processing unit is coupled to the mobile device screen and determines a portion of the mobile device screen that displays sensitive content. The processing unit obscures the sensitive content displayed on the portion of the mobile device screen by deactivating the first sub-pixel units at the portion of the mobile device screen that displays the sensitive content and activates the second sub-pixel units at the portion of the mobile device screen that displays the sensitive content.

Abstract: Described is a system for mobile proactive secret sharing. The system utilizes a Secret-Share protocol to share, by server Pj, a secret s among a set of servers , such that a degree of polynomials used to share the secret s is d and a shared secret is denoted as [s]. A GenPoly protocol is used to cause the servers in the set of servers to generate l random polynomials of degree D. A Secret-Redistribute protocol is used to redistribute the shared secret [s] to a set of new servers ?. Finally, a Secret-Open protocol is used to open the shared secret [s].

Abstract: Exemplary systems and methods are directed to decrypting electronic messages in a network. The system includes a processor configured to receive or monitor message sources for encrypted messages, where private keys associated with the encrypted messages are not previously provided to the system. For each message, extract a set of user certificate identifiers and corresponding encrypted session keys, securely communicate with private key provider to decrypt the encrypted session key with an acquired private key, and decrypt the message with the unencrypted session key.

Abstract: A method performed by a processor of a computer, includes obtaining a security key associated with data, dividing the security key into key fragments, and distributing different ones of the key fragments to different proxy storage devices. Key fragments are received from the proxy storage devices, a reconstructed security key is generated based on the key fragments received from the proxy storage devices, and programmatic access to the data is controlled based on the reconstructed security key. Related computer program products and systems are disclosed.

Abstract: Techniques for managing digital assets are described that enable a principal to designate a plurality of users that will gain access and ownership of the principal's account that contains the various digital assets of the principal in the event of a transfer of assets. The account may be a network accessible account that maintains various digital assets of the principal, such as multimedia, applications, virtual machines, data, and others. In the event of a transfer, access to the account can be controlled by a cryptographic secret, where each of the designated users has been provided with a distinct share (part) of the cryptographic secret. A minimum number of shares of the secret are required before access to the principal's account will be granted. The minimum number may be configured by the principal in advance.

Abstract: A keystore is installed on a mobile app where the keystore is created and provisioned on a server, such as an app wrapping server, under the control of an enterprise. A generic (non-provisioned) wrapped app is installed on a device. The app prompts the user to enter a passphrase. When the user does this, an app keystore is created. It has a user section and a table of contents. The keystore files are hashed, creating “first” keystore hash values. The first keystore hash values are stored in the TOC. The TOC is then hashed, creating a TOC hash value. The passphrase entered by the user is then combined with the TOC hash value. This creates a “first” master passphrase for the keystore. The keystore is then transmitted to the device where it is installed in the generic (non-provisioned) wrapped app.

Abstract: Aspects of the disclosure provide a method. The method includes generating an identification based on a public key of an asymmetric key pair for a device, including the identification into an information unit to identify the device as a source of the information unit and transmitting the information unit.

Abstract: A computer system includes memory configured to store information regarding predetermined conditions of an encryption operation and a processor configured to analyze an inbound key and an outbound key of the encryption operation. The processor is also configured to determine that the encryption operation includes a translation from a first class of encryption to a second class of encryption based on the analyzing the inbound key and the outbound key, and to determine whether the translation is permitted based on the predetermined conditions.

Abstract: Disclosed is a key management method for administering a token with an administrative server and an authentication server wherein a set of keys stored therein in use differs so that at least a mutually exclusive key is stored in each of the token, the administrative server or the authentication server, the method comprising the steps of: the token transmitting an identity proxy ID 1 encrypted with an encryption key Key 1; the administrative server generating data Key 1a and Key 1b from Key 1 stored therein, whereby Key 1a and Key 1b can be used in conjunction to derive Key 1 but not separately; the administrative server generating an identity proxy ID 2 and an encryption key Key 2, whereby the administrative server records a token profile comprising an association information among ID 2, Key 1b and Key 2; the administrative server communicating ID 2, Key 1a and Key 2 to the token and the token storing ID 2, Key 1a and Key 2 wherein Key 2 is stored therein encrypted with Key 1; the administrative server commun

Abstract: The present invention relates to a system and method for facilitating access to secure network sites, such as sites providing secure financial information. An active software agent is utilized to fetch passwords and user identifiers from a user computing system and to use the passwords and identifiers to extract required information from the secure site. The password sites and identifiers are encrypted and an encryption key is stored at a network mode remote from the user's computer and is fetched in order to enable the passwords and identifiers to be decrypted so that the active agent can use them to obtain the required information.

Abstract: Systems and methods are disclosed for displaying electronic multimedia content to a user. One computer-implemented method for manipulating electronic multimedia content includes generating, using a processor, a speech model and at least one speaker model of an individual speaker. The method further includes receiving electronic media content over a network; extracting an audio track from the electronic media content; and detecting speech segments within the electronic media content based on the speech model. The method further includes detecting a speaker segment within the electronic media content and calculating a probability of the detected speaker segment involving the individual speaker based on the at least one speaker model.

Abstract: Secret values used in a multi-server authentication scheme are updated. Information is authenticated in a system comprising a plurality of processing devices each adaptable for communication with one or more other devices. The information is authenticated by generating at least first and second shares of a first password associated with a first device (such as a client device); storing the first and second shares in respective second and third devices of the plurality of devices; updating the first and second shares using a personalized proactivization value; assigning a version number to the updated first and second shares; and upon submission of additional information associated with the first device to at least one of the second and third devices, the second and third devices utilizing the respective updated first and second shares for a given version number to collectively determine a correspondence of the additional information with the first password.

Abstract: Techniques for providing revocation information for revocable items are described. In implementations, a revocation service is employed to manage revocation information for various revocable items. For example, the revocation service can maintain a revoked list that includes revoked revocable items, such as revoked digital certificates, revoked files (e.g., files that are considered to the unsafe), unsafe network resources (e.g., a website that is determined to be unsafe), and so on. In implementations, the revocation service can communicate a revoked list to a client device to enable the client device to maintain an updated list of revocation information.

Abstract: A privacy key is provided over a network. An information page is provided over the network. A submission of data that is to be transmitted over the network in response to the information page is detected. A subset of the data is to be encrypted using the privacy key is determined. The privacy key is used to encrypt the subset of the data.

Abstract: A method of adding a new device (121) to a device group (110), wherein the device group comprises at least one device (111) that hosts a trusted module (151), the method including: generating keys of the trusted modules (151, 153) and devices (111, 112, 113, . . . , 11N) in the device group and a key of the new device (121); distributing the generated keys to the trusted modules (151, 153) in the device group (110); distributing the generated keys to the devices in the device group, such that each device in the device group receives the key of the new device, the keys of the trusted modules and of all other devices in the device group, except for its own key; establishing a secure authenticated channel (130) between the trusted module (151) and the new device (121); and sending to the new device (121) the generated keys except for the key of the new device.

Abstract: Secret values used in a multi-server authentication scheme are updated. Information is authenticated in a system comprising a plurality of processing devices each adaptable for communication with one or more other devices. The information is authenticated by generating at least first and second shares of a first password associated with a first device (such as a client device); storing the first and second shares in respective second and third devices (such as authentication server devices); updating the first and second shares using a secret value T; assigning a version number to the updated first and second shares; and upon submission of additional information associated with the first device to at least one of the second and third devices, the second and third devices utilizing the respective updated first and second shares for a given version number to collectively determine a correspondence of the additional information with the first password.

Abstract: Described herein are techniques related to shielding data. A method and system for generating a transformation knowledge key (TKK) may include a TKK generator operable to generate a TKK used to shield the data. The TKK is configured to include at least two components. A library of shielding algorithms is configured to include at least two types of shielding algorithms. The TKK generator is configured to select the at least two types of shielding algorithms to generate the at least two components. The TKK generator is operable to concatenate the at least two components in a configurable order to generate the TKK.

Abstract: An improved technique involves storing current and one previous version of the secret shares in their respective databases. Along these lines, authentication servers split the proactivization process into several phases, during which they communicate a failure or success to complete that phase. During one of these phases, the authentication servers delete a previous version of their secret share and label the current version as the previous version. At another phase, the authentication servers generate a new version of each secret share (via one way deterministic transform) and store that new version alongside that previous version. Accordingly, when a user submits secret shares for authentication to the authentication servers, each authentication server determines the state of the corresponding authentication server and chooses the secret share according to that state.

Abstract: Some embodiments include a Trusted Security Module that creates secure connections using a set of split keys. Some embodiments include the creation of remote and local keys that are distributed to multiple devices. When the devices wish to communicate with each other, the remote and local keys are combined into connection keys to encrypt and decrypt messages. The remote and local keys may be combined in a variety of ways, including appending the remote key to the local key. A key mask may be used to create a connection key by using various combinations of bits from the remote key and from the local key. Other embodiments are described.

Abstract: A method begins by a processing module receiving data for dispersed storage, wherein the data has an associated user identification (ID), and obtaining a codec flag based on the associated user ID. The codec flag may indicate one or more codec types and a codec execution order. The codec types may include two or more of: a null data manipulation, one or more versions of a data integrity function, one or more versions of a compression function, and/or one or more versions of an encryption function. The method continues with the processing module manipulating the data to produce manipulated data utilizing the one or more codec types in the codec execution order, encoding the manipulated data using an error coding dispersal storage function to produce a plurality of encoded data slices, and sending the slices and codec flag to a plurality of DS storage units for storage.

Abstract: The invention provides a method of verifiable generation of public keys. According to the method, a self-signed signature is first generated and then used as input to the generation of a pair of private and public keys. Verification of the signature proves that the keys are generated from a key generation process utilizing the signature. A certification authority can validate and verify a public key generated from a verifiable key generation process.

Abstract: Technologies for distributed single sign-on operable to provide user access to a plurality of services via authentication to a single entity. The distributed single sign-on technologies provide a set of authentication servers and methods for privacy protection based on splitting secret, keys and user profiles into secure shares and periodically updating shares among the authentication servers without affecting the underlying secrets. The correctness of the received partial token or partial profiles can be verified with non-interactive zero-knowledge proofs.

Abstract: Techniques to store secret information for global data centers securely may provide a front end service for a back end data store. The front end service may be responsible for deployment, upgrade, and disaster recovery aspects, and so forth, of data center maintenance. Data centers may access data and data-related services from the back end data store through the front end service. Secrets that are needed to access secure data may be stored on behalf of the data centers without providing the secrets to the data centers.

Abstract: An RFID device such as an RFID tag (2) and method comprising: storing a current read key and a current ownership key; receiving, from the RFID reader system (4), a change read key command and an indication that the RFID reader system (4) holds the current ownership key; and in response, replacing the current read key with a new current read key enabling the RFID device (2) to be read by an RFID reader system (4) holding the new current read key. Also, an RFID reader system (4) and method for an RFID reader system (4) to process an RFID device (2), comprising: issuing a take ownership command to an RFID device (2); receiving a new ownership key from the RFID device (2); applying for authorization of the new ownership key; and receiving from the authorization apparatus (6) the new ownership key and an acknowledgement that may be communicated to the tag as evidence of authorization.

Abstract: A communication device and a cryptographic key creation method are provided that enable efficient creation of cryptographic keys of which different error rates are required. A communication device (11) that performs communication with another communication device (12) through a transmission link includes a cryptographic key sharing section (1103) that share a first cryptographic key with the other communication device, an error rate control section (1115, 1105-1108) that creates second cryptographic keys with error rates according to purposes of use of the cryptographic keys from the first cryptographic key, and an accumulation section (111, 1112) that separately accumulates the plurality of second cryptographic keys with the different error rates.

Abstract: A system for providing cost effective, secure key exchange from at least one first device to at least one second device through at least one proxy server is provided. The system includes a first key exchange message from the at least one first device to the at least one second device via the at least one proxy server. A second key exchange message from the at least one second device to the at least one first device via a media stream of the Internet is required to complete the computation of the session key. A method of securing a communication system is also set forth. The method includes the steps of providing a routing device for identifying a subscriber, and providing a master key exchange session, the master key exchange session including a key k to find a subscriber and a nonce r to answer a query to the subscriber, wherein the master key exchange session includes both the key k and the nonce r.

Abstract: An example of the present invention is a method of transmitting encrypted user data to a mobile terminal in a wireless telecommunications network. The method comprises sending to the mobile terminal a data packet. The data packet comprises both an identifier of encryption information to used in recovering encrypted user data, and user data encrypted using said encryption information.

Abstract: Embodiments provide techniques generating and managing encryption keys within a computing infrastructure. Embodiments provide a key publisher that generates and maintains key pairs in a list at a configurable interval. In addition, the key publisher publishes the list to other components within the computing infrastructure. Embodiments also provide a key consumer that downloads the list of encrypted key pairs and maintains an active window of keys to can be accepted from client devices that communicate sensitive data to the computing infrastructure. If the key consumer receives a key from a client device that is outside of the active window yet that corresponds to a future key pair in the list, the key consumer advances the active window towards the future key pair.

Abstract: A method for storing data begins with determining, by a computing device, where to store the data and continues with managing, by a dispersed storage network (DSN) access token module, a pairing between the DSN access token module and the computing device. The method continues with sending, by the computing device, at least a portion of the data to the DSN access token module and encoding, by the DSN access token module, the at least a portion of the data using a dispersed storage error encoding function to produce one or more sets of encoded data slices. The method continues with sending, by the DSN access token module, the one or more sets of encoded data slices and storage information to the computing device and sending, by the computing device, the one or more sets of encoded data slices to the DSN memory for storage therein.

Abstract: A “trusted domain” is established within which content received from a communications network, e.g., a cable TV network, is protected from unauthorized copying thereof, in accordance with the invention. In an illustrative embodiment, the trusted domain includes a device associated with a user which receives content from the cable TV network. The content may be encrypted using a content key in accordance, e.g., with a 3DES encryption algorithm before it is stored in the device. In addition, a first encrypted content key version and a second encrypted content key version are generated by respectively encrypting the content key with a public key associated with the device and another public key associated with the user, in accordance with public key cryptography. The first and second encrypted content key versions are stored in association with the encrypted content in the device storage.

Abstract: In some implementations, a method for providing a session key to a third party includes identifying a private key associated with a public key certificate in response to an event. A session key for a communication session is based, at least in part, on the private key, an associated seed for a random number generator, and public keys assigned to user equipment participating in the communication session. The private key associated with the public key certificate is automatically transmitted to an interception authority. The interception authorities are configured to grant a third party access to the private key and the associated seed to in response to a request from a third party authorized to access the communication session.

Abstract: A device includes a key store memory, a rule set memory, a plurality of cryptographic clients, and a key store arbitration module. The key store memory stores a plurality of cryptographic keys and the rule set memory stores a set of rules for accessing the cryptographic keys. A cryptographic client is operable to issue a request to access a cryptographic key(s) and, when access to the cryptographic key is granted, execute a cryptographic function regarding at least a portion of the cryptographic key to produce a cryptographic result. The key store arbitration module is operable to determine whether the request to access the cryptographic key is valid; when the request is valid, interpret the request to produce an interpreted request; access the rule set memory based on the interpreted request to retrieve a rule of the set of rules; and grant access to the cryptographic key in accordance with the rule.

Abstract: Aspects of the present invention provide machines, systems, and methods in which industrial control systems may be secured from compromise and/or disruption via authentication and firewall. In particular, an industrial controller may: randomly generate an exchange key and send the exchange key to a client device in response to a transaction request originating from the client device; combine the exchange key with a locally stored pass key to produce an authentication code; and compare a challenge key received from the client device to the authentication code to determine a match between the challenge key and the authentication code. A successful match between the challenge key and the authentication code may allow the client device to further access the industrial controller using a common industrial protocol (CIP), and a failed match between the challenge key and the authentication code may prevent the client device from further access to the industrial controller.

Abstract: An example of the present invention is a method of transmitting encrypted user data to a mobile terminal in a wireless telecommunications network. The method comprises sending to the mobile terminal a data packet. The data packet comprises both an identifier of encryption information to used in recovering encrypted user data, and user data encrypted using said encryption information.

Abstract: A portable encryption device with logon access controlled by an encryption key, with an on board cryptographic processor for reconstituting the encryption key from a plurality of secrets generated by a secret sharing algorithm, optionally shrouded with external secrets using an invertible transform resistant to quantum computing attacks. Another embodiment provides file decryption controlled by a file encryption key, with the on board cryptographic processor reconstituting the file encryption key from a version of the file encryption key which has been shrouded with a network authorization code. A method for encryption of a plaintext file by hashing, compressing, and encrypting the plaintext file, hashing the ciphertext, hashing the plaintext hash and the ciphertext hash, and sealing the ciphertext together with the resulting hash. A portable encryption device for performing the method is also disclosed.

Abstract: As a user of a social networking system views a page that includes information provided by the system, certain types of social interactions are monitored. If an interaction monitored for is detected, at least one recommendation unit is identified to present to user on the page. The recommendation unit is identified based on a description of the interaction. The recommendation unit suggests that the user perform a social interaction in the social networking system. The recommendation unit is transmitted to a device of the user and is presented to the user on the page without having to reload the entire page.

Abstract: Disclosed herein are a private key generation apparatus and method, and storage media storing programs for executing the methods on a computer. The private key generation apparatus includes a root private key generation unit and a sub-private key generation unit. The root private key generation unit sets a root master key and predetermined parameters capable of generating private keys, and generates a first sub-master key set capable of generating a number of private keys equal to or smaller than a preset limited number. The sub-private key generation unit generates private keys with the root private key generation unit by receiving the first sub-master key set from the root private key generation unit, to generate a private key corresponding to a user ID using the first sub-master key set, and issues the private key to a user.

Abstract: A method, non-transitory computer readable medium and application manager computing device comprises obtaining at least one cryptographic key from a request by a client computing device for a user session. User information corresponding to a user is encrypted or decrypted using the cryptographic key. The request is authenticated based on encryption or decryption of the user information. The cryptographic key is deleted after the completion or termination of the user session.

Abstract: Described is a technology by which access to a resource is determined by evaluating a resource label of the resource against a user claim of an access request, according to policy decoupled from the resource. The resource may be a file, and the resource label may be obtained by classifying the file into classification properties, such that a change to the file may change its resource label, thereby changing which users have access to the file. The resource label-based access evaluation may be logically combined with a conventional ACL-based access evaluation to determine whether to grant or deny access to the resource.

Abstract: A data distributing and accessing method for sharing a file via a network system includes steps of: dividing the file into a plurality of blocks; distributing the blocks in a plurality of data hosts interconnected via the network system; one of the data hosts receiving a file-reading request from a user host and issuing collecting requests to other data hosts to collect the blocks from the data hosts; and transferring the collected blocks from the data hosts to the user host to be combined into the file.

Abstract: A peer-to-peer (P2P) bot(s) in a network is identified using an already identified P2P bot. More specifically, such embodiments may facilitate determining a candidate set of computers, which may be potential P2P bots, by identifying computers in a network that have a private mutual contact with a seed bot, which is a computer identified as a P2P bot, and identifying additional computers that have private mutual contacts with the identified computers. Further, a confidence level indicative of a certainty of a membership of each of the candidate computers in the P2P botnet is determined and responsive to a determination that the confidence level of the candidate computer exceeds a determined threshold confidence level, the candidate computer is identified as a P2P bot.

Abstract: Implementations for providing role-based distributed key management (DKM) replication are described. A server node receives a request from a requester node to perform a DKM create or update function. The server node determines the role of the requester node based on a public key of the requester node. The server node determines whether the role of the requester node indicates that the requester node is authorized to request the DKM create or update function. If the requester node's role is authorized to request the DKM create or update function, then the server node performs the requested function. The DKM create or update function may involve a replication function. Public key and trust chains may be derived from physical cryptographic processors, such as TPMs.

Abstract: A feature is provided that facilitates securely creating and/or replacing cryptographic keys. A first key pair is created comprising first private key and first public key. A second (spare) key pair is created comprising second private key and second public key. The second key pair is associated with the first private key. The second key pair is divided into shares and distributed to at least two shareholders. When the first key pair is to be replace, the second key pair is recreated and authenticated with at least a portion of the distributed shares. A trust level is associated with the second key pair corresponding to a trust level of the first key pair. The first key pair may be invalidated upon authentication of the second key pair. Further configurations provide for the creation of additional spare key pairs.

Abstract: Efficient mechanisms are provided for transferring key objects associated with disk logical unit numbers and tape cartridges from one data center to another data center. A request is received to transfer a source data center key object from a source data center to a destination data center. The source data center key object corresponds to a data block, such as a disk logical unit number (LUN) or a tape cartridge, maintained in a storage area network (SAN) and includes a unique identifier, an encrypted key, and a wrapper unique identifier. The encrypted key is decrypted using a source data center key hierarchy. Key information is transmitted from the source data center to the destination data center. A destination data center key object is generated using a destination data center key hierarchy.