Multiple Key Level Patents (Class 380/45)
-
Patent number: 12141330
Abstract: A system and method for encrypting and decrypting data exchanged between a multi-tile processing unit and a storage, where a plurality of keys are used for the encryption. Each of the plurality of keys is associated with a different one or more sets of the processors. Encryption hardware is configured to select a key to use for encryption/decryption operations in dependence upon the set of tiles associated with the data being exchanged. Each write request from a tile contains identifier bits associated with that tile's set of tiles, enabling the encryption hardware to select the key to use for encrypting the data in the write request. Each read completion for a tile contains identifier bits associated with that tile's set of tiles, enabling the encryption hardware to select the key to use for decrypting the data in the read completion.
Type: Grant
Filed: July 13, 2021
Date of Patent: November 12, 2024
Assignee: GRAPHCORE LTD.
Inventors: Daniel John Pelham Wilkinson, Graham Bernard Cunningham, Stavros Volos, Kapil Vaswani, Cedric Alain Marie Fournet, Balaji Vembu
-
Patent number: 12045355
Abstract: A system includes a protected memory, and a processor, operatively coupled to the protected memory, to perform operations including receiving, from a secrets and service provider system via a brokering agent, an encrypted version of a set of secrets data corresponding to a target state of the device, in response to receiving the encrypted version of the set of secrets data, requesting, from the secrets and service provider system via the brokering agent, permission to transition to the target state, receiving, from the secrets and service provider system via the brokering agent, permission to transition to the target state, and in response to receiving permission to transition to the target state, storing the set of secrets data in the protected memory to complete the transition to the target state.
Type: Grant
Filed: September 29, 2021
Date of Patent: July 23, 2024
Assignee: BlockFrame, Inc.
Inventor: Christopher Paul Gorog
-
Patent number: 12045378
Abstract: The present disclosure relates to a method for performing a cryptographic operation, the method including generating a first count value by a monotonic counter of a processing device, transmitting the first count value from the monotonic counter to a memory of the processing device, selecting a first encryption key from the memory based on the first count value, and providing the selected first encryption key to a cryptographic processor.
Type: Grant
Filed: March 30, 2022
Date of Patent: July 23, 2024
Assignees: STMicroelectronics (Grand Ouest) SAS, STMicroelectronics (Alps) SAS
Inventors: Franck Albesa, Nicolas Anquet
-
Patent number: 11991269
Abstract: There is provided a system, method, and computing device for distribution of cryptographic key generation data in a secure network, the secure network comprising a security server and one or more clients. The method including: receiving or generating indexed random data; communicating at least a portion of the indexed random data to one of the clients; and receiving or communicating the indices of the portions of the indexed random data shared with the client, a portion of the indexed random data is used for cryptographic key generation for encrypted communication between the client and another client. In some cases, the above is repeated for each client, wherein the indexed random data is unique for each client.
Type: Grant
Filed: October 20, 2023
Date of Patent: May 21, 2024
Inventors: Manfred Von Willich, Mattia Montagna, Hoi-Kwong Lo, Paul O'Leary
-
Patent number: 11978045
Abstract: A method for posting of anonymous directed transaction includes: storing a plurality of entity profiles, each including an entity identifier and a secret value; receiving a transaction request from a first entity, the request including transaction data and a specific entity identifier associated with a second entity; identifying a specific entity profile that includes the specific entity identifier; generating a first hash value via application of one or more hashing algorithms to the transaction data; generating a second hash value via application of one or more hashing algorithms to a combination of the first hash value and the secret value included in the identified specific entity profile; and posting the first hash value and second hash value to a publicly accessible data source.
Type: Grant
Filed: December 22, 2016
Date of Patent: May 7, 2024
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Jason Jay Lacoss-Arnold, Stephen Higgins
-
Patent number: 11968296
Abstract: Disclosed are methods for encrypting communications with a remote endpoint via a memory device. In one embodiment, a memory device is configured to receive, from the application, a request to establish a communications session with a remote computing device, establish a shared symmetric key, the shared symmetric key shared between the memory device and the remote computing device, receive a message from the application, the message including an identifier of the remote computing device and a payload, generate a ciphertext using the symmetric key and the payload, and return the ciphertext to the application.
Type: Grant
Filed: March 9, 2021
Date of Patent: April 23, 2024
Assignee: Micron Technology, Inc.
Inventors: Zhan Liu, Lance W. Dover
-
Patent number: 11947649
Abstract: An electronic locking device includes an electronically controllable locking mechanism, a memory, a wireless transceiver configured to communicate wirelessly with a user device to receive an encrypted package containing a biometric template corresponding to an authorized user, and a processor. The processor is configured to decrypt the encrypted package and store the biometric template in the memory, receive a biometric input corresponding to a user attempting to access the electronic locking device, determine if the biometric input matches the biometric template of the authorized user, and activate the electronically controllable locking mechanism in response to a determination that the biometric input matches the biometric template of the authorized user.
Type: Grant
Filed: March 9, 2022
Date of Patent: April 2, 2024
Assignee: Master Lock Company LLC
Inventor: Scott Kalous
-
Patent number: 11909728
Abstract: Methods and systems are provided for use with digital data processing systems to control or otherwise limit access to networked resources based, at least in part, on transactional artifacts and/or derived artifacts.
Type: Grant
Filed: September 6, 2016
Date of Patent: February 20, 2024
Assignee: CHENG HOLDINGS, LLC
Inventor: Thomas W. Lynch
-
Patent number: 11838412
Abstract: A processor-based method for secret sharing in a computing system is provided. The method includes encrypting shares of a new secret, using a previous secret and distributing unencrypted shares of the new secret and the encrypted shares of the new secret, to members of the computing system. The method includes decrypting at least a subset of the encrypted shares of the new secret, using the previous secret and regenerating the new secret from at least a subset of a combination of the unencrypted shares of the new secret and the decrypted shares of the new secret.
Type: Grant
Filed: September 27, 2022
Date of Patent: December 5, 2023
Assignee: PURE STORAGE, INC.
Inventors: Ethan L. Miller, Andrew R. Bernat
-
Patent number: 11824638
Abstract: A cryptographic system comprising an encryption device to generate a ciphertext; a master re-encryption key generation device to generate a master re-encryption key that cannot decrypt a ciphertext generated by the encryption device, but can generate a re-encryption key for changing an access range for a ciphertext generated by the encryption device; a re-encryption device to generate a re-encryption key for re-encrypting a target ciphertext generated by the encryption device, using the master re-encryption key, and to re-encrypt the target ciphertext to generate a re-encrypted ciphertext, using the generated re-encryption key; and a decryption device to decrypt at least one of the ciphertext generated by the encryption device and the re-encrypted ciphertext generated by the re-encryption device.
Type: Grant
Filed: October 4, 2021
Date of Patent: November 21, 2023
Assignee: MITSUBISHI ELECTRIC CORPORATION
Inventors: Yutaka Kawai, Yoshihiro Koseki
-
Patent number: 11818102
Abstract: Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for inter-network communication. A first edge protection proxy in a first network receives a request for an access token from a network repository function in the first network. The access token is to be used by a first network function in the first network to request a service from a second network function in a second network. The first edge protection proxy validates the request based on configurations allowed to access services provided by networks different from the first network. If the validation of the request is successful, the first edge protection proxy transmits the request to a second edge protection proxy in the second network. The transmitted request comprises verified information concerning the first network function.
Type: Grant
Filed: April 16, 2021
Date of Patent: November 14, 2023
Assignee: NOKIA TECHNOLOGIES OY
Inventors: Saurabh Khare, Chaitanya Aggarwal, Anja Jerichow
-
Patent number: 11714885
Abstract: Encryption key exchange processes are disclosed. A disclosed method includes initiating communication between a portable communication device including a token and a first limited use encryption key, and an access device. After communication is initiated, the portable communication device receives a second limited use key from a remote server via the access device. The portable communication device then replaces the first limited use key with the second limited use key. The second limited use key is thereafter used to create access data such as cryptograms that can be used to conduct access transactions.
Type: Grant
Filed: December 13, 2021
Date of Patent: August 1, 2023
Assignee: Visa International Service Association
Inventors: Christopher Dean, Christian Aabye
-
Patent number: 11682008
Abstract: The invention relates to the field of technical infrastructures that ensure the implementation of financial transactions between economic entities, in particular to payment systems that provide ease of use and confidential data security. The present invention is the method of authenticating a customer, the method of carrying out a payment transaction comprising said authentication method, and the payment system implementing the specified methods, which ensure the achievement of a technical effect consisting in expanding the functionality of the payment system and reducing its vulnerability, in particular, by making it possible to conduct a payment transaction in a contactless way, on condition that the reference value of the customer authentication data is stored exclusively on the customer's device, as well as by combining the advantages of online and offline customer authentication procedures.
Type: Grant
Filed: September 28, 2020
Date of Patent: June 20, 2023
Inventor: Vadim Nikolaevich Aleksandrov
-
Patent number: 11671836
Abstract: The present disclosure describes a computer-implemented method that includes: receiving data encoding a current geolocation of a mobile computing device, a classification status of one or more files on the mobile computing device being requested by a user of the mobile computing device, and a current network domain on which the mobile computing device is registered; and based on the current geolocation of the mobile computing device, the classification status of the one or more files on the mobile computing device, and the current network domain of the mobile computing device, determining an encryption status of the one or more files on the mobile computing device.
Type: Grant
Filed: September 21, 2020
Date of Patent: June 6, 2023
Assignee: Saudi Arabian Oil Company
Inventors: Mohammed Alfraih, Aasim Ajaz
-
Patent number: 11550931
Abstract: A process for centralized user file encapsulation, encryption, notarization and verification using a blockchain and a system that certifies data in a proprietary “capsule” file format, with tamper-proof blockchain are disclosed. By utilizing a hybridization of both cloud and blockchain storage mechanisms, the present invention allows for the performant and cost-effective certification of large amounts of data. Furthermore, the generation of the capsule allows for users to store both the data payload and its digital notarization. The system then allows for users to share the capsule with others (by way of permissions enforced by the notary system) and upload it for verification of authenticity at a later point in time.
Type: Grant
Filed: July 10, 2020
Date of Patent: January 10, 2023
Assignee: Galena Hills Inc.
Inventors: Dimitre Ognianov Dintchev, Stuart L Corrans, Matt Turrino
-
Patent number: 11514438
Abstract: Techniques are described for generating and presenting a digital document for a transfer. A check service may generate the digital document based on provided check data. The digital document may be stored on a user device and presented to a recipient, for example through the display of the user device. The digital document may also be provided to the recipient in an email or other type of communication. The check service may generate a digital watermark to include on the digital document. The watermark may be unique to the particular document, and may be algorithmically generated based on data that is associated with the particular document, such as a serial identifier, a transaction identifier, an amount, a user identifier of the sender, etc. The digital watermark may be regenerated when the recipient presents the document for payment, to confirm document validity.
Type: Grant
Filed: October 29, 2020
Date of Patent: November 29, 2022
Assignee: United Services Automobile Association (USAA)
Inventors: Gregory B. Meyer, Jeffrey D. Rogers
-
Patent number: 11449463
Abstract: A save folder to be used in order for an analysis data acquisition device to save an analysis data file in a storage is created by a creator. When a file determiner determines that the analysis data file is saved in the created save folder, the analysis data file saved in the save folder is registered by a registrator in an analysis database of a database storage device. When an end determiner determines that an instruction for ending registration of the analysis data file in the analysis database has been given, a region processor makes the save folder unavailable for the registration of the analysis data file in the analysis database.
Type: Grant
Filed: October 5, 2018
Date of Patent: September 20, 2022
Assignee: SHIMADZU CORPORATION
Inventors: Kazuhito Wakabayashi, Takayuki Nakatani
-
Patent number: 11451528
Abstract: Representations of authentication objects are provided for selection via an interface. An authentication object may be generated to include information obtained from one or more sensors of a device. A selected authentication object may contain information sufficient for authentication with a corresponding system. The interface may provide multiple representations of authentication objects that are usable with different service providers. The interface, executed by a first device, may be configured to authenticate a second device.
Type: Grant
Filed: June 25, 2019
Date of Patent: September 20, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Jesper Mikael Johansson, Gregory Branchek Roth
-
Patent number: 11429947
Abstract: Systems, methods, and computer-readable media are provided for mobile-based transaction pre-authorization. One example method comprises receiving, from a device (such as a mobile device), a pre-authorization request including at least selection of a payment method, and generating a pre-authorization for a purchase based on the selected payment method. The method further comprises receiving a transaction request, determining whether the received transaction request is associated with the pre-authorization, and processing the transaction request based on the determination. Systems and computer-readable media implementing the above method are also provided. User interfaces are also provided for enabling the use of such methods, systems, and computer-readable media on, for example, mobile devices.
Type: Grant
Filed: July 15, 2019
Date of Patent: August 30, 2022
Assignee: Capital One Services, LLC
Inventor: Thomas Poole
-
Patent number: 11411749
Abstract: A tie cell includes a first flip-flop having a physically unclonable function (PUF), a second flip-flop that generates a PUF key value, and logic that logically combines the PUF value and the PUF key value to generate an output signal having a constant logical value. The PUF value is based on a power-up value stored in the first flip-flop, which power-up value is generated based on physical and/or electrical characteristics produced from a manufacturing process. The output value is generated to tie digital logic to the constant logical value.
Type: Grant
Filed: January 31, 2020
Date of Patent: August 9, 2022
Assignee: NXP B.V.
Inventor: Jan-Peter Schat
-
Patent number: 11374749
Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.
Type: Grant
Filed: September 24, 2020
Date of Patent: June 28, 2022
Assignee: Oracle International Corporation
Inventors: Amit Agarwal, Rohit Koul, Srikant Krishnapuram Tirumalai, Jie Wang, Xinnong Wang
-
Patent number: 11354660
Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes receiving a digitally signed cross-border payment message, the digitally signed cross-border payment message generated by digitally signing a first hash of a cross-border payment message with a first financial institution private key. A first financial institution public key is retrieved, the first financial institution public key of a public/private key pair that includes the first financial institution private key. The first financial institution public key is verified that it is associated with a first financial institution. A second hash of the cross-border payment message is generated.
Type: Grant
Filed: April 26, 2018
Date of Patent: June 7, 2022
Assignee: Wells Fargo Bank, N.A.
Inventors: Phillip H. Griffin, Ashia Kennon, Catherine Wangari Mwangi, Jal Daruwalla, Joanne Strobel-Cort, Lynnel J. Kresse, Michael Knorr
-
Patent number: 11275869
Abstract: An operating method for a credit card, the method comprising: step S1, a microprocessor is powered on to perform system initialization; step S2, the microprocessor hibernates and is awakened when a preset interruption is detected so as to execute step S3; and step S3, the microprocessor executes preset interruption processing by entering a preset interruption processing flow, and exits the preset interruption processing flow when the preset interruption processing is finished, then returns to step S2. Alternatively, the method comprises: step s1, the microprocessor is powered on to perform system initialization; step s2, the microprocessor checks whether a preset interruption marker is set, and if so, the preset interruption marker is reset so as to execute the preset interruption processing, otherwise the microprocessor executes step s3; and step s3, the microprocessor hibernates, is awakened when detecting the preset interruption so as to set the preset interruption marker, and then returns to step s2.
Type: Grant
Filed: November 28, 2018
Date of Patent: March 15, 2022
Assignee: Feitian Technologies Co., Ltd.
Inventors: Zhou Lu, Huazhang Yu
-
Patent number: 11263144
Abstract: A method comprising: receiving, at a block device interface, an instruction to write data, the instruction comprising a memory location of the data; copying the data to pinned memory; performing, by a vector processor, one or more invertible transforms on the data; and writing the data from the pinned memory to one or more storage devices asynchronously; wherein the pinned memory of the data corresponds to a location in pinned memory, the pinned memory being accessible by the vector processor and one or more other processors.
Type: Grant
Filed: August 30, 2019
Date of Patent: March 1, 2022
Assignee: Nyriad Limited
Inventors: Stuart John Inglis, Timothy Kelly Dawson, Xavier Aldren Simmons, Sheridan John Lambert, Rafael John Patrick Shuker, Dominic Joseph Michael Houston Azaris, Alexander Kingsley St. John
-
Patent number: 11244064
Abstract: A system and method of data protection that provides the security of field level data protection with the ease of implementation and transparency of system level data protection at various layers is disclosed. The system utilizes blockchain technology to implement improved data protection. A smart contract application is deployed among all devices covered by the data protection system. Ledgers are similarly deployed either on each device or on dedicated ledger nodes to provide a record of all transactions occurring with the protected data. As a device writes data to a storage medium or initiates transmission of the data over a communication medium, the smart contract intercepts the data and applies a desired protection protocol to the data. As a result, enterprise wide security may be deployed that provides field level encryption without requiring modifications to existing applications or development of custom applications.
Type: Grant
Filed: June 25, 2019
Date of Patent: February 8, 2022
Assignee: American Express Travel Related Services Company, Inc.
Inventor: Siddhartha Dutta
-
Patent number: 11212092
Abstract: There is provided a method. The method comprises generating, by the first network node, a new security key; informing, by the first network node, a user equipment of the new security key and when the first network node will start to use the new security key; obtaining, by the first network node, when the user equipment will start to use the new security key; and bringing, by the first network node, the new security key into use.
Type: Grant
Filed: April 5, 2016
Date of Patent: December 28, 2021
Assignee: NOKIA SOLUTIONS AND NETWORKS OY
Inventor: Yang Liu
-
Patent number: 11201730
Abstract: A protected key to be used by a select processor on behalf of an entity unauthorized to use the protected key is created. The creating includes obtaining a system mask and a system key. A clear key is wrapped with the system key to provide a wrapped key. The system mask is applied to the wrapped key to create the protected key.
Type: Grant
Filed: March 26, 2019
Date of Patent: December 14, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Anthony T. Sofia, Jonathan D. Bradbury
-
Patent number: 11153025
Abstract: Various embodiments are described that relate to random noise addition to a communication. A first secure network can employ a first encryption scheme and a second secure network can employ a second encryption scheme. In order to communicate between the first secure network and the second secure network such that the schemes are not decipherable, random noise can be added to a communication designated to transfer from the first secure network to the second secure network.
Type: Grant
Filed: March 23, 2018
Date of Patent: October 19, 2021
Assignee: The Government of the United States, as represented by the Secretary of the Army
Inventors: Matthew Lazzaro, William Toth
-
Patent number: 11113005
Abstract: A multi-platform data storage system configured to maintain containers including one or more virtual storage resources. The multi-platform data storage system can, for example, include a storage interface configured to enable access to a plurality of storage platforms that use different storage access and/or management protocols, the plurality of storage platforms storing data objects in physical data storage; and a storage mobility and management layer providing virtual management of virtual storage resources corresponding to one or more data objects stored in the plurality of storage platforms, the storage mobility and management layer including at least a container management sub-system that manages logical containers that contain one or more of the virtual storage resources.
Type: Grant
Filed: January 6, 2020
Date of Patent: September 7, 2021
Assignee: Arrikto Inc.
Inventors: Konstantinos Venetsanopoulos, Evangelos Koukis, Christos Stavrakakis, Ilias Tsitsimpis, Dimitrios Aragiorgis, Alexios Pyrgiotis
-
Patent number: 11023419
Abstract: Disclosed herein are system, method, and computer program product embodiments for generating folder keys and using folder keys to access folder paths. In an embodiment, a computer system may instantiate a graphical user interface (GUI) to display folder and sub-folder contents as well as a folder key. A user may input a folder key as a representation of the displayed sub-folder of the corresponding folder path. The folder key may include one or more symbols that the computer system may store and associate with the folder path. Using the folder key, the computer system may retrieve a particular sub-folder, manage security or permissions related to folders, and/or facilitate navigation between sub-folders. Using a folder key may aid a user in quickly navigating to a particular sub-folder and may allow a computer system to avoid loading unnecessary intermediate sub-folders as a user navigates to a particular desired sub-folder.
Type: Grant
Filed: August 13, 2018
Date of Patent: June 1, 2021
Assignee: SAP SE
Inventor: Jackson Mathai
-
Patent number: 11003802
Abstract: A lock node for storing data and a protected storage unit. The lock node includes an input section which provides a plurality of key maps, each corresponding to one of a plurality of primary keys, respectively, applied to the input section, each key map including at least one main key, a variable lock section producing a derived key from a logical operation on the main keys corresponding to the primary keys applied to the input section, and an output section producing the data in response to the derived key.
Type: Grant
Filed: March 24, 2020
Date of Patent: May 11, 2021
Assignee: NUTS HOLDINGS, LLC
Inventor: Yoon Ho Auh
-
Patent number: 10992470
Abstract: The invention provides implementations of the block cipher in resource-constrained ARM devices that may be applied to both 32-bit and 64-bit versions of side-channel resistant and vectorized code and improves both efficiency and compactness by using algorithmic techniques and features specific to a target platform. Specifically, an unprotected 32-bit implementation improves speed while reducing code size and a vectorized implementation improves performance and speed of the implementation of the block cipher.
Type: Grant
Filed: May 12, 2017
Date of Patent: April 27, 2021
Assignees: LG Electronics, Inc., UNICAMP
Inventors: Rafael Junio Da Cruz, Diego F. Aranha, Julio Cesar Lopez Hernandez
-
Patent number: 10949394
Abstract: A computer program for managing and manipulating archive zip files of a computer. The program includes a system and method for opening, creating, modifying, and extracting zip archive files. The program is fully integrated into Microsoft Windows Explorer and is accessed via Explorer menus, toolbars, and/or drag and drop operations. An important feature of the program is the archive manager which may be used to open a zip file, create a new zip file, extract zip files, modify zip files, etc. The program is integrated into Microsoft Windows Explorer using the shell name space extension application program interface developed by Microsoft.
Type: Grant
Filed: January 22, 2019
Date of Patent: March 16, 2021
Assignee: PKWARE, Inc.
Inventors: Yuri Basin, Michael J Beirne, James C Peterson, Karen L Peterson
-
Patent number: 10929549
Abstract: A system and method to encrypt digital data is disclosed. Digital data is received from a data source by an encryption system. A first data store is designated to store the received digital data. An encryption key is selectively assigned to encrypt the received digital data. A selective portion of the received digital data is encrypted with the assigned encryption key to create encrypted digital data. The encrypted digital data is stored in the first data store.
Type: Grant
Filed: January 5, 2018
Date of Patent: February 23, 2021
Assignee: Scaeva Technologies, Inc.
Inventor: Steven Elliott Curd
-
Patent number: 10893032
Abstract: Provided is a system of encryption key management, which is used by a service provision server which provides a cloud service. The system comprises a key access server which encrypts the service key using a master key corresponding to the service key and provides the service key in response to a service key request from the service provision server and a master key management server which extracts a plurality of key fragments from the master key, processes the extracted key fragments to be stored in a distributed manner, and provides the master key reconstructed from the key fragments in response to a master key request from the key access server.
Type: Grant
Filed: May 31, 2018
Date of Patent: January 12, 2021
Assignee: SAMSUNG SDS CO., LTD.
Inventor: In Seon Yoo
-
Patent number: 10848305
Abstract: An example non-transitory computer-readable medium includes instructions that, when executed by a processor, cause the processor to receive a request for data. The instructions also cause the processor to determine a region containing the data based on the metadata. The instructions cause the processor to traverse a tree in the metadata to determine key generation information relating a decryption key for the region to a root key.
Type: Grant
Filed: March 21, 2016
Date of Patent: November 24, 2020
Assignee: Hewlett-Packard Development Company, L.P.
Inventors: Liqun Chen, Boris Balacheff, Fraser Dickin, Taciano Perez, Wagston Staehler, Craig Walrath, James M Mann
-
Patent number: 10834061
Abstract: Rules are applied at a network perimeter to outbound network communications that contain file attachments. The rules may, in a variety of circumstances, require wrapping of an outbound file from the endpoint in a portable encrypted container. The network perimeter may be enforced locally at the endpoint, or at any network device between the endpoint and a recipient.
Type: Grant
Filed: January 14, 2019
Date of Patent: November 10, 2020
Assignee: Sophos Limited
Inventors: Russell Humphries, Gordon Sullivan, Kenneth D. Ray, Anthony John Merry, Harald Schütz, Andreas Berger
-
Patent number: 10819513
Abstract: An example method facilitates enabling Key Encryption Key (KEK) rotation for a running multi-tenant system without requiring system downtime or interruption. The example method facilitates decrypting a set of one or more DEKs using a preexisting KEK; using a new KEK to re-encode the DEKs using the new KEK, all while simultaneously enabling servicing of tenant requests. This is enabled in part, by strategic caching of tenant DEKs in a secure local memory, wherein the cached tenant DEKs are maintained in the clear and are readily accessible to running processes that are using the DEKs to decrypt and access tenant data, irrespective of the state of a background process used to implement the KEK rotation to the new KEK.
Type: Grant
Filed: April 9, 2018
Date of Patent: October 27, 2020
Assignee: Oracle International Corporation
Inventors: Amit Agarwal, Rohit Koul, Srikant Krishnapuram Tirumalai, Jie Wang, Xinnong Wang
-
Patent number: 10778424
Abstract: Cryptographic systems and methods are disclosed, including numerous industry applications. Embodiments of the present invention can generate and regenerate the same symmetric key. The cryptographic systems and methods include a key generator configured to use two or more inputs to reproducibly generate the symmetric key and a cryptographic engine configured to use the symmetric key for encrypting and decrypting data.
Type: Grant
Filed: February 26, 2018
Date of Patent: September 15, 2020
Assignee: CORD3 INNOVATION INC.
Inventors: Glen Arthur Henderson, Brent Eric Nordin, Daniel Marcel Joseph Seguin, Prateek Srivastava, Ian Hugh Curry
-
Patent number: 10719597
Abstract: Embodiments of the disclosure are directed to the use of controlled randomization in authorizing virtual reality interactions. More specifically, a user of a virtual reality (VR) device may seek to initiate an interaction within the virtual reality environment. In order for the interaction to be allowed for the user, a processing computer may need the user to supply an additional credential. In some cases, the user may enter the additional credential using a series of virtual keypads that are rendered in the virtual reality environment. These keypads may have varying layouts that are determined in a controlled manner (e.g., pseudo-randomly) using pre-determined mathematical procedures. The layout of a subsequent keypad may be partially based on the user's selection in a preceding keypad. The keypad positions for the user's selections may be provided to the processing computer to solve for the credential which can be used for validation purposes.
Type: Grant
Filed: April 4, 2017
Date of Patent: July 21, 2020
Assignee: Visa International Service Association
Inventors: Siddhant Sonkar, Sumiran Aggarwal, Venkata Krishna Prasad Akkapeddi, Prateek Khare, Mohit Choudhary
-
Patent number: 10671764
Abstract: A lock node for storing data and a protected storage unit. The lock node includes an input section which provides a plurality of key maps, each corresponding to one of a plurality of primary keys, respectively, applied to the input section, each key map including at least one main key, a variable lock section producing a derived key from a logical operation on the main keys corresponding to the primary keys applied to the input section, and an output section producing the data in response to the derived key.
Type: Grant
Filed: August 31, 2017
Date of Patent: June 2, 2020
Assignee: NUTS HOLDINGS, LLC
Inventor: Yoon Ho Auh
-
Patent number: 10614236
Abstract: Embodiments for performing self-contained, consistent data masking in a distributed computing environment by a processor. A data masking operation is performed on one or more datasets in one of a plurality of data formats such that a key of each value of each key-value pair representing a common set of columns or paths for the one or more datasets is masked.
Type: Grant
Filed: March 1, 2017
Date of Patent: April 7, 2020
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: Spyridon Antonatos, Stefano Braghin, Ioannis Gkoufas, Pol Mac Aonghusa
-
Patent number: 10528290
Abstract: A multi-platform data storage system configured to maintain containers including one or more virtual storage resources. The multi-platform data storage system can, for example, include a storage interface configured to enable access to a plurality of storage platforms that use different storage access and/or management protocols, the plurality of storage platforms storing data objects in physical data storage; and a storage mobility and management layer providing virtual management of virtual storage resources corresponding to one or more data objects stored in the plurality of storage platforms, the storage mobility and management layer including at least a container management sub-system that manages logical containers that contain one or more of the virtual storage resources.
Type: Grant
Filed: February 23, 2018
Date of Patent: January 7, 2020
Assignee: Arrikto Inc.
Inventors: Konstantinos Venetsanopoulos, Evangelos Koukis, Christos Stavrakakis, Ilias Tsitsimpis, Dimitrios Aragiorgis, Alexios Pyrgiotis
-
Patent number: 10423953
Abstract: A system, method, and computer readable medium (collectively, the “system”) are provided. The system may include a processor configured to perform operations and/or steps comprising storing, by a processor, a session key on a mobile device, wherein the session key is encrypted. The system receiving a transaction request, decrypting the session key, and broadcasting a signal configured for being received by a magnetic stripe reader. Track 1 data and/or track 2 data may be encoded in the signal. The track 1 data and/or the track 2 data may also comprise a dynamically generated value that is generated based on the session key.
Type: Grant
Filed: April 11, 2018
Date of Patent: September 24, 2019
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventors: Manish K. Deliwala, Jonathan Lupton, Ajay B. Maddukuri, John G. McDonald
-
Patent number: 10395230
Abstract: The present disclosure relates to systems and methods for securely entering a confidential access code into a user device. A system for allowing secure entry of a confidential access code into a user device may include one or more memories storing instructions and one or more processors configured to execute the instructions to perform operations. The operations may include receiving a request for confidential access, prompting the user, via the user interface, to enter a group of inputs into a single-entry field, receiving a dummy sequence of inputs, receiving or providing an indicator signal, receiving an access sequence of inputs, parsing the group of inputs received to identify the access sequence of inputs based on the location of the indicator signal, comparing the access sequence of inputs to the confidential access code associated with the user, and granting or denying access to the confidential information based on the results.
Type: Grant
Filed: July 9, 2018
Date of Patent: August 27, 2019
Assignee: Capital One Services, LLC
Inventors: Abdelkader M'Hamed Benkreira, Michael Mossoba, Joshua Edwards
-
Patent number: 10326597
Abstract: A system that provides responses to requests obtains a key that is used to digitally sign the request. The key is derived from information that is shared with a requestor to which the response is sent. The requestor derives, using the shared information, a key usable to verify the digital signature of the response, thereby enabling the requestor to operate in accordance with whether the digital signature of the response matches the response.
Type: Grant
Filed: June 27, 2014
Date of Patent: June 18, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Eric Jason Brandwine
-
Patent number: 10298551
Abstract: An apparatus in one embodiment comprises at least one processing device having a processor coupled to a memory. The processing device implements a messaging policy enforcement server that receives from a first client device metadata of an encrypted message to be sent from the first client device to a second client device. The received metadata comprises a first key utilized by the first client device to encrypt the message with the first key being encrypted utilizing a second key associated with the second client device. The messaging policy enforcement server processes the received metadata to determine one or more policies applicable to the encrypted message and to generate a further encrypted version of the encrypted first key utilizing one or more additional keys corresponding to the one or more policies. The further encrypted version of the encrypted first key is sent to the second client device in modified metadata of the encrypted message.
Type: Grant
Filed: December 14, 2016
Date of Patent: May 21, 2019
Assignee: EMC IP Holding Company LLC
Inventors: Radia Perlman, Xuan Tang, Charles Kaufman
-
Patent number: 10291396
Abstract: The positions in a text in which partial character strings in a pattern appear are efficiently detected. A partial-character-string position detecting device 1 takes inputs of a secret text [t] of a text t, a secret text <p> of a pattern p, a secret text <c> of a vector c, and a secret text <E> of a matrix E and outputs a secret text <H> of a matrix H. A first matrix generating part 20 generates a secret text <F> of a matrix F, in which F[i][j]=E[i][j+i mod n+1] (where it is assumed that E[i][n]=¬c[i]). A second matrix generating part 30 generates a secret text <F′> of a matrix F′, in which F[i][j]=1 is set if c[i]=0 or if c[i]=1 and F[k][j]=1 for every k that is successively c[k]=1, otherwise F[i][j]=0 is set, where k=i, . . . , n−1. A third matrix generating part 40 computes <H[i][j]>=<F[i][j−i mod n+1]>∧<c[i]>∧¬<c[i−1]> to generate the secret text <H>.
Type: Grant
Filed: October 5, 2015
Date of Patent: May 14, 2019
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Koki Hamada, Dai Ikarashi, Naoto Kiribuchi
-
Patent number: 10237066
Abstract: A scalable and efficient cryptographic architecture is provided for processing data using deeply-pipelined algorithms and circuitries. The architecture can be implemented as circuitry in a fixed logic device, or can be configured into a programmable integrated circuit device. The same top-level design may be used for different choices of data channels, processing depth, parallelism level, and/or system throughput. An encryption pipeline processing block performs rounds of processing upon a block of said data using an encryption process and receives a respective round encryption key for each round of processing. An encryption key pipeline block provides the respective round encryption key for each round of processing by selecting, for each round of processing, the respective round encryption key from at least a first round encryption key corresponding to a first channel and a second round encryption key corresponding to a second channel.
Type: Grant
Filed: April 8, 2014
Date of Patent: March 19, 2019
Assignee: ALTERA CORPORATION
Inventors: Martin Langhammer, Shawn Nicholl, Cheng Wang
-
Patent number: 10185836
Abstract: Encrypting data without losing their format is important in computing systems, because many parties using confidential data rely on systems that require specific formatting for data. Information security depends on the systems and methods used to store and transmit data as well as the keys used to encrypt and decrypt those data. A policy broker is disclosed that maintains keys for clients in confidence, while providing cryptographically secure ciphertext as tokens that the clients may use in their systems as though they were the unencrypted data. Tokens are uniquely constructed for each client by the policy broker based on policies set by a receiving client detailing the formatting needs of their systems. Each client may communicate with other clients via the policy broker with the tokens and will send tokens unique to their system that the policy broker will translate into the tokens of the other party.
Type: Grant
Filed: October 31, 2017
Date of Patent: January 22, 2019
Assignee: Passport Health Communications, Inc.
Inventor: Christopher Gerhard Busch