Having Particular Key Generator Patents (Class 380/44)
-
Patent number: 11228433
Abstract: Using various embodiments, methods and systems for securing user data are described. In one embodiment, a system includes a server side application accessing a service key from a conventional key vault and an escrowed key which can then be used to compute a key to the key using which information can be encrypted. Other embodiments include using a timer service to further safeguard secure user information.
Type: Grant
Filed: June 26, 2019
Date of Patent: January 18, 2022
Inventor: Baskaran Dharmarajan
-
Patent number: 11223490
Abstract: A method and system for authenticating a device is disclosed. The method includes the steps of: receiving a helper bit string and a first MAC; measuring a first response bit string of a physical unclonable function of the device with respect to a challenge bit string; subtracting the first response bit string from the helper bit string; decoding a result of the subtraction using a uniformly distributed random matrix, the shared secret bit string being provided from the decoding if the helper bit string was encoded using a previously measured second response bit string that is within a threshold level of similarity to the first response bit string, the decoding outputting an error value otherwise; determining a second MAC based on the shared secret bit string, the uniformly distributed random matrix, and the helper bit string; and determining whether the second MAC matches the first MAC.
Type: Grant
Filed: December 27, 2017
Date of Patent: January 11, 2022
Assignee: Robert Bosch GmbH
Inventors: Jorge Guajardo Merchan, Paulius Duplys, Christopher Huth
-
Patent number: 11223478
Abstract: An example system can include a reference biometric template (RBT) reader, an authenticator, and an auxiliary system. In some examples, during an initial enrollment process, the RBT reader obtains a biometric from a user, transforms the biometric into an RBT, and provides different shares of the RBT to the authenticator and the auxiliary system. The authenticator and the auxiliary system create respective shares of helper data. In some examples, the authenticator and the auxiliary system use a non-commutative transformation function to embed a secret key in their respective shares of the helper data. The auxiliary system provides its share of the helper data to the authenticator. The authenticator combines its share of the helper data with the share provided by the auxiliary system to create a full version of the helper data. The helper data can be used in a subsequent authentication process between the RBT reader and the authenticator.
Type: Grant
Filed: April 2, 2019
Date of Patent: January 11, 2022
Assignee: SRI International
Inventors: Karim Eldefrawy, Ivan De Oliveira Nunes, Titouan Tanguy
-
Patent number: 11218305
Abstract: A computer-implemented method includes: receiving, by a platform including one or more computing devices, a blockchain authorization information generation request from a client, in which the blockchain authorization information generation request includes a target blockchain identifier and user information; determining, based on the target blockchain identifier, a target blockchain; determining a blockchain parameter of the target blockchain, in which the blockchain parameter indicates one or more requirements for authorization information used to join the target blockchain; generating blockchain authorization information based on the blockchain parameter and the user information, in which the blockchain authorization information conforms to the one or more requirements; and sending the blockchain authorization information to the client.
Type: Grant
Filed: April 23, 2021
Date of Patent: January 4, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Yixiang Zhang, Jun Gu
-
Patent number: 11194921
Abstract: Data masking is provided by, for at least one predetermined data item in data to be sent, applying a one-way function to that data item to produce a first value, producing a masked data item by encrypting the first value via a deterministic encryption scheme using a current encryption key for a current epoch, and replacing that data item by the masked data item. A data-provider computer sends the masked data to the data-user computer. On expiry of the current epoch, the data-provider computer generates a new encryption key for the encryption scheme in a new epoch, produces mask-update data, dependent on the current and new encryption keys, and sends the mask-update data to the data-user computer. The mask-update data permits updating, at the data-user computer, of masked data items produced with the current encryption key into masked data items produced with the new encryption key.
Type: Grant
Filed: November 25, 2019
Date of Patent: December 7, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Christian Cachin, Jan L. Camenisch, Eduarda Freire Stögbuchner, Anja Lehmann
-
Patent number: 11194933
Abstract: The present disclosure is directed to systems and methods to protect against SCA and fault injection attacks through the use of a temporary or ephemeral key to cryptographically alter input data portions. Universal resistant block (URB) circuitry receives a seed data value and at least one secret key data value and generates an ephemeral key output data value. Cryptographic circuitry uses the ephemeral key data value to transform an input data portion to produce a transformed output data portion. The use of an SCA or fault injection attack on the transformed output data portion will reveal only the ephemeral key data value and not the at least one secret key data value. Further, where a unique ephemeral key data value is used to transform each input data portion, an attacker cannot discover the ephemeral key in a piecemeal manner and must instead discover the complete ephemeral key data value—significantly increasing the difficulty of performing a successful SCA or fault injection attack.
Type: Grant
Filed: June 4, 2019
Date of Patent: December 7, 2021
Assignee: Intel Corporation
Inventors: Yaacov Belenky, Gyora Benedek, Reuven Elbaum, David Novick, Elad Peer, Chaim Shen-Orr, Yonatan Shlomovich
-
Patent number: 11171777
Abstract: A computer-implemented method and system for controlling remote access to a computer system is disclosed. A method includes generating a secret value at a first computer system; sharing the secret value with associated computer systems; choosing a time length for validity; computing a derived key based on the secret value; and controlling remote access to the computer system based on the derived key and a unique identifier associated with the first computer system.
Type: Grant
Filed: February 12, 2019
Date of Patent: November 9, 2021
Assignee: CARRIER CORPORATION
Inventors: Phani Pavan Kumar Mangaiahgari, David V. Soergel, Aryn Shapiro, Doug Schiffer
-
Patent number: 11171931
Abstract: This disclosure relates to method and system for providing a light weight secure communication for computing devices. In one example, the method includes generating a new encryption key based on a selected encryption key from among a plurality of encrypted keys and a current synchronized hash based on a set of pre-defined rules, generating an updated synchronized hash based on a message to be transmitted and the current synchronized hash using a pre-defined hash algorithm, encrypting the message to be transmitted using the new encryption key to generate an encrypted message, transmitting the encrypted message, and replacing the current synchronized hash with the updated synchronized hash. The set of pre-defined rules and the pre-defined hash algorithm are retrieved from a pre-installed library. Further, the current synchronized hash, the plurality of encryption keys, and the pre-installed library are synchronized between the first computing device and the second computing device.
Type: Grant
Filed: March 30, 2019
Date of Patent: November 9, 2021
Assignee: Wipro Limited
Inventors: Sumit Shovon Mitra, Sayon Sur, Debasish Chanda
-
Patent number: 11169935
Abstract: Technologies for secure data transfer include a computing device having a processor, an accelerator, and a security engine, such as a direct memory access (DMA) engine or a memory-mapped I/O (MMIO) engine. The computing device initializes the security engine with an initialization vector and a secret key. During initialization, the security engine pre-fills block cipher pipelines and pre-computes hash subkeys. After initialization, the processor initiates a data transfer, such as a DMA transaction or an MMIO request, between the processor and the accelerator. The security engine performs an authenticated cryptographic operation for the data transfer operation. The authenticated cryptographic operation may be AES-GCM authenticated encryption or authenticated decryption. The security engine may perform encryption or decryption using multiple block cipher pipelines. The security engine may calculate an authentication tag using multiple Galois field multipliers. Other embodiments are described and claimed.
Type: Grant
Filed: December 26, 2018
Date of Patent: November 9, 2021
Assignee: INTEL CORPORATION
Inventors: Santosh Ghosh, Luis S. Kida Kida, Reshma Lal
-
Patent number: 11171790
Abstract: A system for establishing a trusted path for secure communication between client devices and server devices, such as between an account holder and a financial institution, can provide the core security attributes of confidentiality (of the parties), integrity (of the information), anti-replay (protection against replay fraud) and/or anti-tampering (protection against unauthorized changes to information being exchanged and/or modules that generate and communicate such information). A messaging layer implementation in favor of a transport layer implementation can provide a trusted path. This infrastructure features secure cryptographic key storage, and implementation of a trusted path built using the cryptographic infrastructure. The trusted path protects against unauthorized information disclosure, modification, or replays. These services can effectively protect against Man-in-the-Middle, Man-in-the-Application, and other attacks.
Type: Grant
Filed: February 7, 2020
Date of Patent: November 9, 2021
Assignee: ACCERTIFY, INC.
Inventor: Glenn S. Benson
-
Patent number: 11165758
Abstract: Systems, methods, and computer-readable media for generating a keystream using media data and using the keystream to encrypt and decrypt messages are described herein. The keystream may be generated independently and at least partially in parallel by both a sender and a receiver of a message. The sender may use its independently generated keystream to encrypt a message and a receiver may use its independently generated keystream to decrypt the message. Both the sender and receiver may utilize the same algorithm for generating their respective keystreams, thereby ensuring that the same keystream is generated by both sender and receiver. The sender may share a session key with a receiver using an asymmetric encryption technique. The session key may contain a collection of subkeys. Both the sender and the receiver may independently determine media database indices that match the subkeys and aggregate the corresponding media data streams to obtain the keystream.
Type: Grant
Filed: April 9, 2018
Date of Patent: November 2, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventor: Niranjan Vaish
-
Patent number: 11153757
Abstract: A method for generating a key includes: obtaining key parameters indicated by a network side, the key parameters at least comprising a next hop chaining counter (NCC) and frequency point information for generating a key, the frequency information being a frequency of one Synchronization Signal Block (SSB) of a target cell; and generating an AS key based on the key parameters.
Type: Grant
Filed: January 5, 2021
Date of Patent: October 19, 2021
Assignee: GUANGDONG OPPO MOBILE TELECOMMUNICATIONS CORP., LTD.
Inventor: Ning Yang
-
Patent number: 11144631
Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
Type: Grant
Filed: August 13, 2019
Date of Patent: October 12, 2021
Assignee: Apple Inc.
Inventors: Bernard J. Semeria, Devon S. Andrade, Jeremy C. Andrus, Ahmed Bougacha, Peter Cooper, Jacques Fortier, Louis G. Gerbarg, James H. Grosbach, Robert J. McCall, Daniel A. Steffen, Justin R. Unger
-
Patent number: 11134384
Abstract: An access point AP authentication method, a system, and a related device are provided, so as to improve security of accessing an AP of a WLAN by a terminal. The method is as follows: determining, by the terminal, an AP feature according to a feature generation rule corresponding to the access point AP of the wireless local area network WLAN; sending, by the terminal to the AP, a request message for requesting to provide an AP feature, and obtaining a response message that is returned by the AP according to the request message; and determining, by the terminal according to the response message and the determined AP feature, whether the AP can be authenticated.
Type: Grant
Filed: February 29, 2016
Date of Patent: September 28, 2021
Assignee: HONOR DEVICE CO., LTD.
Inventor: Xi Chen
-
Patent number: 11126735
Abstract: First data from a user device is received on an electronic computing device. The first data is encrypted to generate second data. The second data is fragmented and stored in a plurality of data stores.
Type: Grant
Filed: December 19, 2019
Date of Patent: September 21, 2021
Assignee: Wells Fargo Bank, N.A.
Inventors: Rameshchandra Bhaskar Ketharaju, Ravi Babu Bandla, Hem Shankar Karlapalem, Sarath Chava, Rama Rao Yadlapalli, Ajay Kumar Rentala, Vamsi Krishna Geda
-
Patent number: 11122425
Abstract: A physical layer secret key generation scheme exploiting randomness of the road surface and driving behavior is described herein. A symmetric key generation scheme can be implemented in any existing V2V visible light communication. By analyzing and simulating numerous samples taken from NGSIM vehicle trajectory data, the natural driving behavior and road surface roughness can be exploited as a source of randomness to generate symmetric cryptographic security keys.
Type: Grant
Filed: July 12, 2019
Date of Patent: September 14, 2021
Assignee: THE REGENTS OF THE UNIVERSITY OF CALIFORNIA
Inventors: Imam Uz Zaman, Anthony Bahadir Lopez, Mohammad Abdullah Al Faruque, Ozdal Boyraz
-
Patent number: 11115389
Abstract: A device may cause a Media Access Control Security (MACsec) session to be established on a first link of a link aggregation group (LAG) that includes a plurality of links with a different device. The device may cause a data structure to be updated to identify the first link as a MACsec enabled LAG link and may send traffic via the first link. The device may cause a MACsec session to be established on at least one additional link of the LAG and may cause the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link. The device may send, after causing the data structure to be updated to identify the at least one additional link as a MACsec enabled LAG link, additional traffic via the first link and the at least one additional link.
Type: Grant
Filed: May 17, 2019
Date of Patent: September 7, 2021
Assignee: Juniper Networks, Inc.
Inventors: Amit Kumar Gupta, Anand Vardhan, Bavithra Gopalakrishnan
-
Patent number: 11106781
Abstract: A secondary OS device unlocking system includes a key management system and a server device. The server device includes a storage device storing primary OS information, a remote access controller device, and a BIOS. During server device initialization operations, the BIOS sends the remote access controller device a request to unlock a storage device using a storage device locking key stored in the key management system. In response to the storage device not being unlocked, the BIOS retrieves secondary OS information and boots using the secondary OS information to provide the secondary OS that retrieves the storage device locking key and uses it to unlock the storage device, and then performs a reboot operation. The BIOS then retrieves the primary OS information from the unlocked storage device, and boots using the primary OS information to provide a primary OS.
Type: Grant
Filed: February 1, 2019
Date of Patent: August 31, 2021
Assignee: Dell Products L.P.
Inventor: Deepaganesh Paulraj
-
Patent number: 11108765
Abstract: A cloud system and a device associate cloud user authentication information and local user authentication information with each other and manage the cloud user authentication information and the local user authentication information. The local user authentication information and the execution request are transmitted to the device, and the cloud user authentication information and an execution result are transmitted to the cloud system.
Type: Grant
Filed: May 9, 2018
Date of Patent: August 31, 2021
Assignee: Canon Kabushiki Kaisha
Inventor: Akira Sugawara
-
Patent number: 11107501
Abstract: A method for securing user data that is stored to a tape cartridge having a medium auxiliary memory (MAM) is described. When user data is sent to a tape library from a client, the tape library sends a request to a cloud based key management service for a data key to encrypt the user data and an encrypted data key that corresponds to the data key. The data key is used to encrypt the user data which is then stored to the tape cartridge and the encrypted data key is stored to the MAM. Upon decrypting the encrypted user data, the encrypted data key is extracted from the MAM and sent to the cloud based key management service where it is used to produce the data key from the cloud based key management service which is then sent to the tape library. When the tape library is in possession of the data key, the encrypted data in the tape cartridge can then be decrypted and sent to a requester of the user data.
Type: Grant
Filed: November 13, 2018
Date of Patent: August 31, 2021
Assignee: Spectra Logic Corporation
Inventors: Joseph T Frank, David Lee Trachy
-
Patent number: 11102216
Abstract: The disclosure is directed to a network gateway device (“gateway”) that provides various network management features, including a device zoning feature in which client computing devices (“client devices”) connected to the gateway are assigned to different device zones. The client devices connected to the gateway form a local area network (LAN) of the gateway, and can access an external network, e.g., Internet, using the gateway. Each of the device zones has a specific set of network access privileges. Different device zones can have different network access privileges and can provide device isolation in the LAN at different degrees.
Type: Grant
Filed: February 24, 2020
Date of Patent: August 24, 2021
Assignee: DISH Network L.L.C.
Inventor: William Michael Beals
-
Patent number: 11101988
Abstract: A transmitting device and a receiving device independently generate shared encryption keys by exchanging a ternary datastream composed of trits encoded by polarized photons generated and measured using one of two polarization orientations. The first orientation defines two mutually-orthogonal polarization axes and a mixed polarization state formed by a combination of the two axes for that orientation. The second orientation also defines two mutually-orthogonal polarization axes and a mixed polarization state formed by a combination of the two axes for that orientation. The mutually-orthogonal axes of one orientation are combinations of the mutually-orthogonal axes of the other orientation. The sender and receiver independently choose an orientation for each trit and use trits where each party's polarization orientations agree to determine addresses in separate cryptographic tables belonging to each party.
Type: Grant
Filed: May 26, 2020
Date of Patent: August 24, 2021
Assignee: Arizona Board of Regents on Behalf of Northern Arizona University
Inventor: Bertrand F Cambou
-
Patent number: 11100222
Abstract: A method is provided for protecting a trained machine learning model that provides prediction results with confidence levels. The confidence level is a measure of the likelihood that a prediction is correct. The method includes determining if a query input to the model is an attempted attack on the model. If the query is determined to be an attempted attack, a first prediction result having a highest confidence level is swapped with a second prediction result having a relatively lower confidence level so that the first and second prediction results and confidence levels are re-paired. Then, the second prediction result is output from the model with the highest confidence level. By swapping the confidence levels and outputting the prediction results with the swapped confidence levels, the machine learning model is more difficult for an attacker to extract.
Type: Grant
Filed: November 5, 2018
Date of Patent: August 24, 2021
Assignee: NXP B.V.
Inventors: Marc Joye, Ahmed Ullah Qureshi
-
Patent number: 11095429
Abstract: At least any one of input keys KA0, KA1, KB?0, and KB?1 is set so that the input keys KA0, KA1, KB?0, and KB?1 which satisfy KA1?KA0=KB?1?KB?0=di are obtained, and an output key Kig(I(A), I(B)) corresponding to an output value gi(I(A), I(B)) is set by using the input keys KA0, KA1, KB?0, and KB?1, where input values of a gate that performs a logical operation are I(A), I(B)?{0, 1}, an output value of the gate is gi(I(A), I(B))?{0, 1}, an input key corresponding to the input value I(A) is KAI(A), and an input key corresponding to the input value I(B) is KB?I(B).
Type: Grant
Filed: November 9, 2017
Date of Patent: August 17, 2021
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Koutarou Suzuki, Ryo Kikuchi, Carmen Kempka
-
Patent number: 11088836
Abstract: A key updating method includes receiving, by a terminal, a key updating notification sent by an operation server, generating, by the terminal, a new private key and a new public key using a trusted execution environment (TEE) system of the terminal, storing the new private key in the TEE system, performing signature processing on the new public key using an upper-level private key of the new private key to obtain to-be-verified signature information, and sending, by the terminal to the operation server, a storage request carrying a device identifier of the terminal, the new public key, and the to-be-verified signature information.
Type: Grant
Filed: April 13, 2018
Date of Patent: August 10, 2021
Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
Inventor: Xuan Ye
-
Patent number: 11080414
Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.
Type: Grant
Filed: May 18, 2016
Date of Patent: August 3, 2021
Assignee: Huawei Device Co., Ltd.
Inventor: John A. Nix
-
Patent number: 11075753
Abstract: A system, a method and a computer program product and a system, for Key Fragment Management (KFM). The KFM system comprises a plurality of KFM instances and a client device. At least two KFM instances are executed on execution platforms of two different service providers. Each KFM instance retains a root key fragment. The client device is configured to perform a cryptographic process relating to a data item using a data-specific key. Each KFM instance is configured to generate a data-specific key fragment based on a data identifier of the data item and based on the root key fragment in response to the client device requesting to generate the data-specific key for the data item. The data-specific key is generated based on a plurality of data-specific key fragments generated by the each KFM instances.
Type: Grant
Filed: July 11, 2019
Date of Patent: July 27, 2021
Assignee: AKEYLESS SECURITY LTD.
Inventor: Refael Angel
-
Patent number: 11070375
Abstract: An apparatus comprises an encryption key generator to generate a media encryption key to encrypt data in a number of memory components, where the encryption key generator is configured to wrap the media encryption key to generate an encrypted media encryption key. The encrypted media encryption key is stored in a non-volatile memory. The apparatus comprises firmware having instructions to transition the apparatus to and from a secure state using the encrypted media encryption key.
Type: Grant
Filed: August 14, 2018
Date of Patent: July 20, 2021
Assignee: Micron Technology, Inc.
Inventors: Nathan A. Eckel, Steven D. Check
-
Patent number: 11070358
Abstract: A computation device (200) arranged to evaluate a data function (S) mapping a number (n) of input variables to a number of output variables (m). The computation device comprises selection mechanism (220) receiving as input selection variables and an evaluation mechanism (210) arranged to receive the one or more evaluation variables and to evaluate the evaluation functions for the received evaluation variables, an evaluation function receiving as input the evaluation variables.
Type: Grant
Filed: December 14, 2016
Date of Patent: July 20, 2021
Assignee: Koninklijke Philips N.V.
Inventors: Sebastiaan Jacobus Antonius De Hoogh, Ronald Rietman, Ludovicus Marinus Gerardus Maria Tolhuizen, Hendrik Dirk Lodewijk Hollmann
-
Patent number: 11070975
Abstract: A method for transmitting, by a transmitter, a packet to a receiver of a communication system. The packet including data encrypted according to a symmetric key encryption protocol by determining the value of a generation information and determining an encryption key according to the value of the generation information. The data to be included in the encrypted packet to be transmitted is encrypted according to the encryption key. A truncated information is calculated based on the generation information. A verification code for the encrypted packet is calculated according to the encrypted data and the first portion of the generation information. The encrypted packet to be transmitted is formed according to the truncated information, the verification code and the encrypted data.
Type: Grant
Filed: November 9, 2017
Date of Patent: July 20, 2021
Assignee: SIGFOX
Inventor: Guillaume Larignon
-
Patent number: 11057209
Abstract: The current document is directed to distributed-secure-storage systems, and processes carried out within the distributed-secure-storage systems, that provide for secure storage and retrieval of confidential and critical data, referred to as “secrets,” within distributed computer systems. The secret-storage systems partition an input secret into multiple secret shares and distribute the secret shares among multiple secret-share-storing node subsystems, without persistently storing the secret itself. An agent within a client device subsequently requests a secret share corresponding to a secret, or a share of data derived from the secret share, from each of the multiple secret-share-storing nodes. The multiple secret-share-storing nodes additionally cooperate to periodically alter the stored secret shares corresponding to a secret in a way that allows agents to recover the original secret, or derived data, from all or a portion of the altered secret shares or derived-data shares.
Type: Grant
Filed: February 28, 2018
Date of Patent: July 6, 2021
Assignee: VMware, Inc.
Inventors: Asaf Kariv, Ittai Abraham, Yotam Harchol
-
Patent number: 11057372
Abstract: A system and method provides access to one or more web services by capturing a human perceptible rendering on a separate device, identifying a code from the human-perceptible rendering captured and granting access to the one or more web services, responsive to the code identified and an identifier of the user.
Type: Grant
Filed: December 14, 2019
Date of Patent: July 6, 2021
Assignee: Charles Schwab & Co., Inc.
Inventors: Valery Zubovsky, Suwat Phruksawan, Toby R. Kendall, Patrick C. McGraw, Dominic E. Caudell
-
Patent number: 11057186
Abstract: A device may store raw random data in a raw random data store. The raw random data may include a first plurality of data strings. The device may generate, using a quotient ring transform (QRT), cryptographic random data based on the raw random data. The cryptographic random data includes a second plurality of data strings that is transformed from the first plurality of data strings based on an extraction state stored in an extraction state store. The device may store the cryptographic random data in a cryptographic random data store and may use the cryptographic random data for various purposes.
Type: Grant
Filed: May 17, 2019
Date of Patent: July 6, 2021
Assignee: Juniper Networks, Inc.
Inventors: Anna M. Johnston, Purushottam Anant Kulkarni
-
Patent number: 11050555
Abstract: A method for remotely acquiring secret key, comprising steps of detecting an injection key acquisition instruction; generating a temporary key pair when the injection key acquisition instruction is detected; acquiring a locally stored private key in a random key pair, and using a private key in the random key pair to perform signature on a public key in the temporary key pair to generate a temporary key signature; acquiring a first identity authentication certificate; sending the temporary key signature and the first identity authentication certificate to a remote injection server; receiving an injection key ciphertext signature and a second identity authentication certificate which is returned by the remote injection server according to the temporary key signature and the first identity authentication certificate; and acquiring and storing an injection key according to the injection key ciphertext signature and the second identity authentication certificate.
Type: Grant
Filed: September 22, 2017
Date of Patent: June 29, 2021
Assignee: PAX COMPUTER TECHNOLOGY (SHENZHEN) CO., LTD.
Inventors: Chuan Liu, Yongquan Yang
-
Patent number: 11050556
Abstract: Secure vehicular communication is described herein. An example apparatus can include a processor and a vehicular communication component. The vehicular communication component can be configured to generate a vehicular private key and a vehicular public key, provide the vehicular public key to a plurality of external communication components wherein each respective one of the plurality of external communication components is positioned on a different transportation assistance entity, provide data to at least one of the plurality of external communication components, receive, in response to providing the data, additional data from the at least one of the plurality of external communication components, wherein the additional data is encrypted using the vehicular public key, and decrypt the additional data using the vehicular private key.
Type: Grant
Filed: July 13, 2018
Date of Patent: June 29, 2021
Assignee: Micron Technology, Inc.
Inventors: Antonino Mondello, Michelangelo Pisasale, Alberto Troia
-
Patent number: 11050745
Abstract: An information processing apparatus that authenticates sets of distributed authentication information without collecting, the sets of distributed authentication information, to be collected at any one of apparatuses included in a system.
Type: Grant
Filed: August 18, 2016
Date of Patent: June 29, 2021
Assignee: NEC CORPORATION
Inventors: Yuki Tanaka, Jun Furukawa, Kazuma Ohara, Toshinori Araki
-
Patent number: 11042610
Abstract: Embodiments herein describe techniques for validating binary files used to configure a hardware card in a computing system. In one embodiment, the hardware card (e.g., an FPGA) includes programmable logic which the binary file can configure to perform a specialized function. In one embodiment, multiple users can configure the hardware card to perform their specialized tasks. For example, the computing system may be server on the cloud that hosts multiple VMs or a shared workstation. Permitting multiple users to directly configure and use the hardware card may present a security risk. To mitigate this risk, the embodiments herein describe techniques for validating encrypted binary files.
Type: Grant
Filed: October 4, 2017
Date of Patent: June 22, 2021
Assignee: XILINX, INC.
Inventors: Hem C. Neema, Sonal Santan, Bin Ochotta
-
Patent number: 11036392
Abstract: A data encryption system receives data to be encrypted prior to being transmitted to a storage unit. The received data is analyzed to determine a secure storage approach based on a risk level associated with the received data. In response to the risk level satisfying a threshold risk level the data encryption system uses a convergent encryption technique to encrypt the received data, but in response to the risk level failing to satisfy the threshold risk level, the data encryption system encrypts the received data using a key based on a random number. The encrypted data is transmitted to a storage unit.
Type: Grant
Filed: July 21, 2017
Date of Patent: June 15, 2021
Assignee: PURE STORAGE, INC.
Inventor: Jason K. Resch
-
Patent number: 11029858
Abstract: A method of encoding data, including: obtaining a data stream comprising a first sequence of values; duplicating of the first sequence of values; offsetting the duplicate first sequence of values; braiding the first sequence of values and the offset duplicate first sequence of values, creating a braided data sequence; and outputting the braided data sequence.
Type: Grant
Filed: April 3, 2020
Date of Patent: June 8, 2021
Assignee: Kara Partners LLC
Inventors: Brian Penny, Giovanni Viscardi
-
Patent number: 11025426
Abstract: The disclosure concerns an encryption function applied to a first word, a second word, a third word, and a fourth word including: multiplying the third word by the fourth word; adding the result of the multiplication; subtracting the result of the addition to the second word from the result of the addition to the first word; adding the result of the subtraction; combining with a constant the result of the addition of the third word to the result of the subtraction; and multiplying by two the result of said combination and circularly shifting the codes of the respective results of the addition of the fourth word to the result of the subtraction, of the addition of the second word to the result of the multiplication, and of the addition of the first word to the result of the multiplication.
Type: Grant
Filed: January 16, 2019
Date of Patent: June 1, 2021
Assignee: PROTON WORLD INTERNATIONAL N.V.
Inventors: Joan Daemen, Michael Peeters
-
Patent number: 11019073
Abstract: Techniques are presented for efficiently provisioning application-agnostic resource access to a variety of applications without modification to the native access control mechanisms of the applications and without transmission of a user's credentials over the network. A user of an application is authenticated by an authorization provider. An access token for the authenticated user is generated. A session password is generated based at least in part on the access token. The session password is applied by the user to the native access control mechanism of an application to facilitate access to resources (e.g., set of subject data) by the application. The resource access is achieved without modification to the native access control mechanism of the application and without transmission of the credentials (e.g., username, password, etc.) of the user over the network.
Type: Grant
Filed: March 6, 2018
Date of Patent: May 25, 2021
Assignee: AtScale, Inc.
Inventors: Matthew Baird, David Vigdor Schreibman, Gaurav Nitin Shetti
-
Patent number: 11018847
Abstract: A method to protect a device key in a device comprising at least one secure element locally connected to at least one time programmable memory storing a global value in form of a bit string comprising locked bits and unlocked bits. The locked bits are irreversibly pre-programmed in the one-time-programmable memory during an initialization phase of the device while the un-locked bits remaining in an initial state may be programmable by the secure element. The secure element is configured to generate, at initialization of the device, a device specific value by using the global value, program the device specific value previously obtained in the one time programmable memory, and erase the global value by programming the unlocked bits of the corresponding bit string. A further object of the disclosure includes a device configured to carry out the method.
Type: Grant
Filed: January 2, 2019
Date of Patent: May 25, 2021
Assignee: NAGRAVISION S.A.
Inventors: Didier Hunacek, Marco Macchetti, Nicolas Fischer
-
Patent number: 11012230
Abstract: A cryptographic communication method using a dynamically-generated private key is provided. A signal generation unit outputs a second signal obtained by giving an error in a predetermined range to a signal obtained based on a first signal. An error correction generation unit outputs a third signal obtained based on the second signal and auxiliary information for correcting an error included in the second signal. A private-key generation unit generates a first private key based on the third signal. An encryption calculation unit outputs an encrypted signal obtained by encrypting a fourth signal based on the first private key.
Type: Grant
Filed: November 16, 2017
Date of Patent: May 18, 2021
Assignee: RENESAS ELECTRONICS CORPORATION
Inventor: Daisuke Moriyama
-
Patent number: 10992465
Abstract: A computer-implemented method includes: receiving, by a platform including one or more computing devices, a blockchain authorization information generation request from a client, in which the blockchain authorization information generation request includes a target blockchain identifier and user information; determining, based on the target blockchain identifier, a target blockchain; determining a blockchain parameter of the target blockchain, in which the blockchain parameter indicates one or more requirements for authorization information used to join the target blockchain; generating blockchain authorization information based on the blockchain parameter and the user information, in which the blockchain authorization information conforms to the one or more requirements; and sending the blockchain authorization information to the client.
Type: Grant
Filed: September 28, 2020
Date of Patent: April 27, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Yixiang Zhang, Jun Gu
-
Patent number: 10990663
Abstract: There is disclosed a method of handling a sensor, comprising the steps of: challenging a subset of sensor components under uniform conditions; receiving output signal values from said subset; for each component, determining the statistical moment of order i of the temporal distribution of the output signal value of said each sensor component; and determining one or more pathological sensor components whose sum of the distances of values to other components of the subset is greater than a threshold, the distance between two sensor components being determined by the difference of the ith statistical moment values of the two temporal distributions associated to the components obtained when challenging said subset under uniform conditions. Described developments comprise the use of imaging sensors, key or identifier generation, authentication mechanisms, determination of thresholds, use of helper data files, adjustments of light sources and/or beam shaping, handling of lossy compression and of videos.
Type: Grant
Filed: October 16, 2018
Date of Patent: April 27, 2021
Assignee: SECURE-IC SAS
Inventors: Adrien Facon, Sylvain Guilley
-
Patent number: 10985912
Abstract: A processor of a remote crypto cluster (RCC) may obtain an encrypted specific key from at least one data source through at least one network. The processor of the RCC may derive intermediate data in blind based on the encrypted specific key. The intermediate data may include information from which a derived key is derived. The processor of the RCC may send the intermediate data in blind to a client device.
Type: Grant
Filed: October 5, 2018
Date of Patent: April 20, 2021
Assignee: INTUIT INC.
Inventors: Gleb Keselman, Yaron Sheffer, Alon Rosen
-
Patent number: 10972292
Abstract: Disclosed is an input/output circuit for a physical unclonable function generator circuit. In one embodiment, a physical unclonable function (PUF) generator includes: a PUF cell array comprising a plurality of bit cells configured in a plurality of columns and at least one row, and at least one input/output (I/O) circuit each coupled to at least two neighboring columns of the PUF cell array, wherein the at least one I/O circuit each comprises a sense amplifier (SA) with no cross-coupled pair of transistors, wherein the SA comprises two cross-coupled inverters with no access transistor and a SA enable transistor, and wherein the at least one I/O circuit each is configured to access and determine logical states of at least two bit cells in the at least two neighboring columns; and based on the determined logical states of the plurality of bit cells, to generate a PUF signature.
Type: Grant
Filed: April 12, 2019
Date of Patent: April 6, 2021
Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
Inventors: Jui-Che Tsai, Shih-Lien Linus Lu, Cheng Hung Lee, Chia-En Huang
-
Patent number: 10965456
Abstract: Various techniques provide systems and methods for facilitating data encryption/decryption and almost immediate erasure of associated information. In one example, a method includes receiving first data in a first memory. The method further includes receiving a first key in a second memory. The method further includes generating, by a logic circuit, second data based on the first data and the first key. The method further includes providing the second data for transmission. The method further includes erasing the first data and/or the first key in one-half clock cycle of generating the second data. Related methods and devices are also provided.
Type: Grant
Filed: September 25, 2017
Date of Patent: March 30, 2021
Assignee: The Boeing Company
Inventors: Jeffrey H. Hunt, Wayne R. Howe
-
Patent number: 10958415
Abstract: A method, apparatus, and computer-readable medium for searching polymorphically encrypted data includes generating one or more pseudonymous tokens by encrypting a ciphertext using a first algorithm and an encryption key, the first algorithm comprising a polymorphic algorithm configured to generate a distinct pseudonymous token for each application of the polymorphic algorithm to the same plaintext, storing, the one or more pseudonymous tokens in one or more data stores, and identifying data in the one or more data stores that corresponds to the ciphertext by querying the data store using a search token generated by encrypting the plaintext using a second algorithm and the encryption key, the search token being distinct from the one or more pseudonymous tokens.
Type: Grant
Filed: July 11, 2018
Date of Patent: March 23, 2021
Assignee: Informatica LLC
Inventors: Igor Balabine, Richard Grondin
-
Patent number: 10936711
Abstract: A data management system manages secured data for a plurality of users. The data management system utilizes an access authorization system to authenticate users seeking access to the data management system. The access authorization system provides access tokens to authenticated users. The access tokens enable the authenticated users to access the data management system without again providing authentication data. The access authorization system includes, for each user, an access policy that governs whether the users can use the access tokens to access the data management system. The access tokens have a finite lifetime. If the users use the access tokens within the finite lifetime and if the users satisfy all of the access rules of the access policies, then the lifetime of the access tokens can be extended a finite number of times.
Type: Grant
Filed: April 18, 2017
Date of Patent: March 2, 2021
Assignee: Intuit Inc.
Inventors: Parul Jain, Doug Foiles, Erik Peterson