Abstract: A communication terminal which is capable of reducing load of a server apparatus by reutilizing a message key to be used for encrypting a message is provided.

Abstract: A key distribution system includes a representative user terminal 2p, a server apparatus 3, and an (n+1)-th user terminal 2n+1. The representative user terminal 2p uses a public key for the (n+1)-th user terminal 2n+1 and information for identifying the (n+1)-th user terminal 2n+1 to encrypt key information with a predetermined encryption function in Certificate-less Encryption to obtain ciphertext. The server apparatus 3 sends the ciphertext to the (n+1)-th user terminal 2n+1 when the (n+1)-th user terminal 2n+1 is added. The (n+1)-th user terminal 2n+1 uses a complete secret key for the (n+1)-th user terminal 2n+1 and the information for identifying the (n+1)-th user terminal 2n+1 to decrypt the ciphertext with a predetermined decryption function to obtain the key information.

Abstract: An information handling system and method includes a plurality of local area networks, an access point, and a client device. The access point includes a server processor in communication with access point network interface circuitry. The server processor is to implement a virtual private network server to establish a virtual private network with a virtual private network client implemented on a client device. The client device includes an application processor in communication with client device network interface circuitry. The application processor is to transmit a first VPN packet to the virtual private network access point via a first local area network and to transmit a second VPN packet to the virtual private network access point via a second local area network. The server processor is to convert the first and second VPN packets to first and second network packets, respectively, and transmit the first and second network packets to the wide area network.

Abstract: Various embodiments support or provide for a software environment in which one or more software components (e.g., APIs) can be relationally composed together by logic (e.g., as defined using a computer language) to form an operation that abstracts details of the composition, such as details relating to the multiple API calls being made in the composition, to implement the logic of the operation. Depending on the embodiment, a particular software component environment can comprise one or more of the following: a data connector to an external software service; stored authentication information to establish access to the external software service; an operation having defined logic for using at least one data connector or another operation (e.g., from operation repository); or an endpoint for deploying the operation for access.

Abstract: Disclosed embodiments relate to systems and methods for securely and privately auditing web sessions. Techniques include receiving, from a browser extension executing on a user endpoint device, encrypted browser session data and an encrypted session key, storing the encrypted browser session data and the encrypted session key; receiving, from an auditor endpoint device, an audit request associated with the stored encrypted browser session data; retrieving the stored encrypted browser session data and the stored encrypted session key based on the audit request; and transmitting at least some of the encrypted browser session data and the encrypted session key to the auditor endpoint device to enable access to the browser session data by the auditor endpoint device.

Abstract: The invention relates to a method for generating cryptographic keys according to a key derivation function model. An embodiment includes the following steps: defining a master key for different models of a product type from a manufacturer; defining a set of key derivation parameters for the key derivation function model; determining the key derivation parameters for the model for which a cryptographic key is to be derived; deriving a single cryptographic key or a set of cryptographic keys from the master key according to the key derivation function model taking into account the key derivation parameters, wherein the step of defining a set of key derivation parameters comprises at least the following parameters: key type identification and key type learning counter.

Abstract: Generating shared workspaces for enabling communications between users of different organizations and facilitating discovery of users associated with different organizations is described. A first user can generate a shared workspace and associate one or more other organizations therewith. The first user can designate first criteria associated with joining the shared workspace. The communication platform can receive a request from a second user to join the shared workspace. Based on a determination that the second user satisfies the first criteria, the communication platform can enable the second user access to the shared workspace. In some examples, an administrator associated with an organization of the second user can establish second criteria for users of the organization to join the shared workspace. In such examples, the communication platform can enable the second user access to the shared workspace based on a determination that the second user also satisfies the second criteria.

Abstract: A method for providing an encrypted search system includes receiving a search query for a keyword that appears in one or more encrypted emails stored on an untrusted storage device and accessing, a count table to obtain a count of unique emails within the emails that include the keyword. The method also includes generating a delegatable pseudorandom function (DPRF) based on the keyword, a private cryptographic key, and the count of unique emails that include the keyword and delegating at least a portion of the DPRF to the untrusted storage device that causes the storage device to evaluate the delegated DPRF, access an encrypted search index associated with the emails, and determine one or more encrypted emails associated with the delegated DPRF based on the encrypted search index. The storage device also returns, to the user device, an identifier for each encrypted email associated with the delegated DPRF.

Abstract: An information management method collects log information of one or more home electrical apparatuses corresponding to service providers. Display screen data is generated which indicates a status of the log information. The display screen data includes groups of information which each contain information on an apparatus, a service provider corresponding to the apparatus, and log information output from the apparatus. Provision of the log information of each group is individually selectable. The display screen data is provided via a network to a display terminal that performs access to a server device. Information is received from the display terminal, which indicates that selection on whether or not provision of the log information is performed. Provision of the log information is not performed on the selected group when a determination is made that refusal of provision of the log information on the selected group is performed.

Abstract: A software update monitor is configured to receive a software update intended for a safety critical control unit. The software update monitor determines a first verification code based on the received software update from a software update component and independently receives a second verification code associated with the software update from an update server. Next, it determines if the first verification code matches the second verification code. If the two codes match, the software update monitor effects the software update at the control unit. The software update monitor is configured to write the software update into a target memory location in a memory of the control unit. The software update monitor is configured to enable switching from a previous memory location, where an older software version may be running, to the target memory location, where the new software update is written, if the first and the second verification codes match.

Abstract: In some examples, a non-transitory computer-readable medium storing instructions executable by the processing resource to store an encryption key on the AP, at the AP, decrypt a management frame with the stored encryption key to determine state information of a station, store the state information, and generate a management frame at the AP based on the stored state information.

Abstract: To provide a provisioning system capable of providing a valid device with valid provisioning data and preventing intrusion of an unauthorized device. A device provisioning system that provides a device 4 with provisioning data for provisioning the device 4 includes: public key providing means configured to acquire a first public key unique to the device 4 from a blockchain 2 storing the first public key in association with a first trail in response to a query using the first trail; and provisioning data providing means configured to acquire the first public key through the public key providing means in response to a query using the first trail from the device 4 and transmit the provisioning data encrypted with the first public key to the device 4.

Abstract: A server device, a secret equality determination system, a secret equality determination method and a secret equality determination program recording medium are provided which, regardless of the server sharing scheme, can run with no difference in the number of communication rounds, whether carried out with a ring of order 2 or with a ring of an order greater than 2. This server device is provided with a secret shared data generation unit, a data storage unit, a mask unit, a random number share bit-conjunction unit, a random number share generation unit, a determination bit-conjunction unit and a secret shared data restoration unit. The secret shared data generation unit generates secret shared data. The data storage unit stores the secret shared data. The mask unit uses random number secret shared data to mask certain shared data. The random number share generation unit generates random number shares in which random numbers are secretly shared.

Abstract: A mechanism is provided by which a hardware filter on a border router of a wireless personal area network is not overloaded by increasing the probability that the hardware filter will capture all the nodes not on the corresponding WPAN. Network addresses for nodes within a subnet are allocated to have the same multicast address hash value in order to permit router multicast filtering to occur within hardware. Hardware filtering thereby relieves the router processor from performing filtering tasks, reducing resource consumption and decreasing the time used to perform filtering. Embodiments provide this functionality by assigning a unique multicast filter register value to each subnet within a network and allocating network addresses associated with that multicast filter register value through either DHCP or SLAAC address generation.

Abstract: A distributed resource model is described that maintains traits of resources in a distributed computing system. The traits include properties, commands, and events that, along with protocols operating in the distributed computing system, provide real-time access to the traits of resources in the distributed computing system, as well as real-time command of controls for the resources. Controllers manage and publish the traits of resources and provide various types of functionality, such as arbitration, complexity management, fan-out of capabilities, coordination, adaptation, and resource proxying.

Abstract: Systems and methods for providing multi-perimeter firewalls via a virtual global network are disclosed. In one embodiment the network system may comprise an egress ingress point in communication with a first access point server, a second access point server in communication with the first access point server, an endpoint device in communication with the second access point server, a first firewall in communication with the first access point server, and a second firewall in communication with the second access point server. The first and second firewalls may prevent traffic from passing through their respective access point servers. The first and second may be in communication with each other and exchange threat information.

Abstract: Apparatuses, systems, and methods for updating hash values in a memory. A memory device may include one or more hash circuits, each of which may generate a hash value based on an input, such as a row address, and a set of hash keys. To increase the unpredictability of operations in the memory, the hash keys may be changed responsive to one or more triggers. Example triggers may include, a power up/reset operation, a command issued to the memory, or internal logic of the memory (e.g., a timer). Responsive to one or more of these triggers, the hash keys may be regenerated. For example a new seed value may be generated and used by a random number generator to generate the new set of hash keys.

Abstract: A device may include a communication component that may communicatively couple to a first network. The device may also include a processor that may transmit a first signal via the communication component to a network address translation (NAT) system, the first signal including a first request to discover a server device. The NAT system may communicatively couple to the first network and a second network, such that the first network is inaccessible to the second network. The processor may then receive location data associated with the server device and transmit a second signal addressed to the server device based on the location data. The second signal is transmitted to the NAT system, such that the second signal may include a second request for a security policy from the server device. The processor may then receive the security policy via the NAT system and adjust one or more communication operations based on the security policy.

Abstract: Techniques for sharing private data objects in a trusted execution environment using a distributed ledger are described. The techniques described herein may enable sharing of data objects, referred to herein as private data objects (PDOs), between individuals and organizations with access and update policies mediated by execution of code (referred to herein as a “smart contract”) carried with the PDO in a secure enclave. A distributed ledger may serve as a “public commit log” to ensure that there is a single, authoritative instance of the object and provide a means of guaranteeing atomicity of updates across interacting objects.

Abstract: A method includes accessing, by a hypervisor executing by a processing device, a filtering queue that stores at least one packet determined to be malicious by a virtual machine, generating, by the hypervisor, a filtering rule in view of characteristics of the at least one packet determined to be malicious, and storing the filtering rule in a data store to apply to subsequent packets addressed to the virtual machine to determine whether any of the subsequent packets have similar characteristics with the at least one packet determined to be malicious.

Abstract: A computing device may receive a request to establish a virtualized environment to support a session for a client device in communication with the computing device over a network. The computing device may instantiate the virtualized environment in a trusted execution environment of the computing device, wherein the trusted execution environment may include one or more hardware resources that isolate the virtualized environment from a rich execution environment associated with the computing device. The computing device may cause a hardware security module associated with the computing device to obtain one or more cryptographic keys by communicating with a secure element of the client device, and the computing device may secure communication between a local operating system executing on the client device and the virtualized environment instantiated in the trusted execution environment using the one or more cryptographic keys.

Abstract: Systems and methods are provided for domain name system (DNS) resolutions in a network environment that includes multiple virtual private clouds (VPCs) attached indirectly to each other via a transit gateway that serves as a hub in a hub and spoke model. An administrator of a VPC may specify rules for resolving DNS resolution requests at the given VPC, and the rules may be taken into account by DNS resolvers at other VPCs attached to the same transit gateway based on information propagated by the transit gateway.

Abstract: Disclosed is an approach to implement a new layer of security within mobile devices using an encryption SDK, which implements a standalone component for applications to encrypt, decrypt, and view sensitive data on the device. A security layer is implemented on the device, wherein the security layer manages encryption for data retrieved onto the device from a cloud-based environment. Encrypted content is then generated at the security layer before storing the encrypted content by receiving the content object from the cloud-based environment and encrypting the content object with an encryption key that is password protected. The encrypted content is stored within an encrypted filesystem for presenting the content on the device.

Abstract: A garbled circuit and two garbled inputs are received by a server from each pair of a plurality of clients. The garbled circuit encodes a comparison function and the garbled inputs encode a respective data value from each of the clients in each pair. Thereafter, the server evaluates the garbled circuits using the corresponding garbled inputs to result in a plurality of comparison bits. The server can then sort the datasets in an ascending or descending order by using the comparison bits to compute the rank of each data value. Using the sorted datasets, the server determines a median value for the datasets and transmits data characterizing the median value to each of the clients.

Abstract: In various example embodiments, a system and method for determining a spam publication using a spam detection system are presented. The spam detection system receives, from a device, an image of an item and an item attribute for the item. Additionally, the spam detection system extracts an image attribute based on the received image, and compares the item attribute and the image attribute. Moreover, the spam detection system calculates a confidence score based on the comparison. Furthermore, the spam detection system determines that the item attribute is incorrect based on the confidence score transgressing a predetermined threshold. In response to the determination that the item attribute is incorrect, the spam detection system causes presentation, on a display of the device, of a notification.

Abstract: An intelligent electronic device (IED) includes memory and a processor operatively coupled to the memory. The IED establishes, over a communication network of a power system, a connection association (CA) with a receiving device using a media access control security (MACsec) Key Agreement (MKA) protocol. The IED automatically sends an announce message indicating a set of enabled application protocols on the IED to the receiving device.

Abstract: Techniques for metadata-based information provenance are disclosed. A node in a data provisioning layer receives encrypted payload data to be delivered to a recipient. The node generates provenance metadata that describes at least one action taken by the node with respect to the encrypted payload data. The node transmits the encrypted payload data and the provenance metadata via the data provisioning layer toward the recipient.

Abstract: A dongle for ciphering, receiving and transmitting data to and from an external device is provided. The dongle includes a user interface configured to receive authentication data to confirm an identity of a user. The dongle is disabled for ciphering data unless an authorised user is identified. A data transfer channel is configured to couple the dongle to the external device to receive and transmit user data between the dongle and the external device. A hardware encryption engine is configured to perform a ciphering transformation on user data received from the external device. The dongle is configured to perform a return transmission to return the user data that has been transformed to the external device via the data transfer channel in real-time using a single data transfer channel without storage of the user data on the dongle.

Abstract: A system may include a first node in a high-availability cluster; a second node in the high-availability cluster; a redundant interface between a network device and both the first node and the second node, wherein the redundant interface is associated with a redundancy group that designates one of the first node or the second node as a primary node in the high-availability cluster and that designates the other of the first node or the second node as a backup node in the high-availability cluster; a wireless interface of the first node, wherein the wireless interface is included in the redundant interface; and a wired interface of the second node, wherein the wired interface is included in the redundant interface.

Abstract: An implementation of the present application provides a computer—implemented method to increase the security of a blockchain—implemented transaction, the transaction including participation from a plurality of participating nodes, each participating node participating as a message originator, selector, and propagator. The method, implemented at a participating node, includes: receiving ciphertext from a prior node and determining whether the participating node is a selector node for said ciphertext received from the prior node. When the participating node is the selector node for said ciphertext, the method includes selecting a subset of said ciphertext, decrypting the selected subset of said ciphertext to provide opted ciphertext and transmitting said opted ciphertext to the next node. When the participating node is other than the selector node for said ciphertext, the method includes decrypting said ciphertext received from the prior node and transmitting the decrypted ciphertext to the next node.

Abstract: An example operation may include one or more of receiving, by a document validation node, documents from a plurality of document owner nodes over a blockchain network, generating, by the document validation node, commitments for the documents on the blockchain network, deriving, by the document validation node, proofs to verify predicates of the documents, and generating, by the document validation node, a document relationship graph (DRG) based on the commitments and the predicates.

Abstract: In an aspect, a wireless communication between a transmitter and a receiver involves determining updated keys according to a key management process for MAC layer encryption. Such key is propagated to a transmitter MAC and though a receiver key management process to a receiver MAC. After a delay, transmitter MAC device begins using the updated key, instead of a prior key, for payload encryption. Receiver MAC continues to use the prior key until a packet that was accurately received fails a message integrity/authentication check. Then, the receiver MAC swaps in the updated key and continues to process received packets. The packet data that failed the message integrity check is discarded. Transmitter MAC retries the failed packet at a later time, and if the packet was accurately received and was encrypted by the transmitter MAC using the updated key, then the receiver will determine that the message is authentic and will receive it and acknowledge it.

Abstract: In one embodiment, a request may be received from a first cloud network of a hybrid cloud environment to transmit data to a second cloud network of the hybrid cloud environment, wherein the request can include a security profile related to the data. The security profile may be automatically analyzed to determine access permissions related to the data. Based at least in part on the access permissions, data can be allowed to access to the second cloud network.

Abstract: Implementations of the present disclosure disclose a method and a terminal for controlling a shared device, the method includes: a user device establishes a connection with a shared device; the user device triggers the shared device to acquire personalized configuration information of a user, where the personalized configuration information is used for indicating a configuration preference of the user for the shared device. The method and the terminal in the implementations of the present disclosure are beneficial to improving user experience.

Abstract: The technology described herein is directed towards balancing workload between cluster nodes via redistribution of metadata data structures (e.g., memory tables corresponding to directory table partitions). Workload-related information of a node and its partitions' primary memory tables usage is measured, and if sufficiently high, causes a move of a highly-accessed memory table (corresponding to high workload on a first node) from the first node to a second node that has less workload. The second node can contain a backup (e.g., shallow) memory table to the primary node, whereby the move can be a logical move that transforms the backup memory table into a new instance of the primary memory table on the second node. The first node's primary memory table can be deflated into a backup table on the first node that backs up the new instance of the primary table on the second node.

Abstract: A delivery service system including a server that can be connected to a plurality of client terminals and a plurality of deliverer terminals 10 via the internet, wherein information about a client's desired pickup/delivery date, time, etc., for a pickup/delivery item, the information being input using the plurality of client terminals over the internet, is registered in databases on the server for each item. For new items registered in the databases, the server receives contract applications for items in which the area of the client's address corresponds to a service area from deliverer terminals that have accessed the databases via the internet, registers the applications in the databases, and notifies the client terminal associated with a new item for which applications are being received about the applications.

Abstract: A computer-implemented method comprises accessing, by a networking hardware device, identity awareness data for a plurality of client computing devices and device security policies of a plurality of IoT computing devices from at least one distributed data repository; authenticating, by the networking hardware device, a client computing device requesting access to at least one Internet of Things (IoT) computing device, based on the accessed identity awareness data; establishing, at the networking hardware device, firewall rules based on the accessed device security policies; creating, by the networking hardware device, a session for the authenticated client computing device to communicate with the at least one IoT computing device, wherein creating a session comprises posting information relating to the session as authentication session information to the at least one distributed data repository.

Abstract: The present disclosure is related to systems, methods, and processor readable media for distributing digital data over networks. Certain embodiments relate to systems, methods, and devices used within such networks where at least a substantial portion of the interconnected devices are capable of interacting with one or more neighbouring devices, and then to form such a time synchronous network using local network information.

Abstract: Embodiments of the invention relate to systems and methods for distributing information. In one or more embodiments of the invention, the method includes receiving, at a replicator, a single data stream originating from a data source, wherein the single data stream comprises a first plurality of data units from the data source; replicating, by the replicator, the single data stream to obtain a first replicated data stream and a second replicated data stream; transmitting the first replicated data stream to a first data recipient; and transmitting the second replicated data stream to a second data recipient.

Abstract: This disclosure is directed to engaging in a communications session, such as an audio call, video call, and/or an audio/video (A/V) call, using a first user equipment (UE) and then seamlessly switching to a second UE while the communications session is in progress. The A/V call system may be configured to provide an indication to the first UE of other UEs that may be registered with it using a common user account. The first UE may enable a user to select another of his or her UEs to transfer the ongoing communications session. The first UE may send the A/V call system a request to transfer of the communications session. The A/V system may add the second UE to the communications session and disengage the first UE from the communications session.

Abstract: An Internet Key Exchange protocol message indicating a first Internet Protocol Security traffic flow is to be established via a first device is obtained at the first device. The Internet Key Exchange protocol message is forwarded from the first device to a second device. An encryption key used to transmit traffic via the first Internet Protocol Security Traffic flow is received at the first device from a key value store. The key value store is populated with the encryption key in response to the second device obtaining the Internet Key Exchange protocol message. A first data packet to be transmitted via the first Internet Protocol Security traffic flow is obtained at the first device. The first device provides the first data packet encrypted with the encryption key of the first Internet Protocol Security traffic flow.

Abstract: A system comprises one or more slice-aggregated cryptographic slices each configured to perform a plurality of operations on an incoming data transfer at a first processing rate by aggregating one or more individual cryptographic slices each configured to perform the plurality of operations on a portion of the incoming data transfer at a second processing rate. Each of the individual cryptographic slices comprises in a serial connection an ingress block configured to take the portion of the incoming data transfer at the second processing rate, a cryptographic engine configured to perform the operations on the portion of the incoming data transfer, an egress block configured to process a signature of the portion and output the portion of the incoming data transfer once the operations have completed. The first processing rate of each slice-aggregated cryptographic slices equals aggregated second processing rates of the individual cryptographic slices in the slice-aggregated cryptographic slice.

Abstract: The present invention contributes to facilitating: setting for connection between a TEP in a virtual network configured by using a virtual tunnel and a virtual network; and management of the connection. A control apparatus includes: a connection detection unit configured to detect that a virtual machine has newly been connected to one of a plurality of tunnel endpoints each of which functions as an endpoint of a virtual tunnel used for a communication between virtual machines that belong to a virtual network; a virtual network determination unit configured to determine a virtual network to which the detected virtual machine belongs on the basis of information in which virtual machines and virtual networks are associated with each other; and a tunnel endpoint control unit configured to cause, if the tunnel endpoint has not participated in the determined virtual network, the tunnel endpoint to participate in the determined virtual network.

Abstract: A method is provided for carrying out a cryptographically secured authentication which complies with the Universal Authentication Framework (UAF) of the FIDO Alliance. It is thus possible to employ an existing infrastructure of the FIDO Alliance and the method can be embedded into the infrastructure using standard interfaces.

Abstract: The technology described herein is directed towards content rights data that are associated with content (a data item) to make that content selectively available or unavailable in responses by a data service to client requests. A client includes client content rights data in association with each request, (e.g., via a token), and the data service uses that client content rights data as query parameters (constraint criteria) in making a request for a data item. Client content rights data also may be used for accessing cached data. Availability constraints may include client location, brand, channel, device class and time (commence and cease).

Abstract: Methods and systems for providing bidirectional communications between client devices and server devices are described herein. Server devices in a cluster may bidirectionally communicate with client devices in a resource site via direct connections or virtual connections. One or more server devices may act as intermediate server devices for communications via virtual connections, and may distinguish different types of messages based on header contents of the messages.

Abstract: A method includes establishing a wireless link between a wireless interface of an endpoint and a WAP; exchanging, through the wireless link, network traffic associated with execution of an application at the endpoint; executing, at the endpoint, a security routine to monitor a security status of the endpoint; establishing, through the wireless link, a secure channel that shares the wireless link with the network traffic of the application, the secure channel to extend from the security routine to a supervisor through the wireless link and the WAP; conveying, from the security routine and through the secure channel, an indication of the security status; receiving, at the security routine and through the secure channel, a command to change a setting of the wireless interface associated with a characteristic of the wireless link; and accessing, from the security routine, the wireless interface to effect the change in response to receiving the command.

Abstract: Aspects of the invention include obtaining, via a processor, an original docker image from a customer, encrypting a disk image using content from the original docker image and encrypting a bootloader. A re-packaged image is created using the encrypted disk image and the secure encrypted bootloader. The re-packaged image is deployed by inserting the re-package image into a pod container and by means of using a mutating webhook, granting elevated privileges to said container and creating a secured Kubernetes pod for protecting workloads, wherein the secured Kubernetes pod has at least one virtual machine containing the pod container.

Abstract: This disclosure provides enhanced management of encryption key updates based on user group activity. A system utilizes a vault key and a combination of other security keys to control access to secret data shared by members of a group who are participating in a collaborative session, such as a channel or chat session. The vault key allows a system to control access to secret data with users that join a particular group while immediately restricting access from users that leave the group. Updates to the keys are initiated based on the activity of the members of a group, which can include, but is not limited to, a threshold change in a number of group members, a total number of group members, an amount of data shared between the group members, and/or an age of one or more keys used to secure data shared by the group.

Abstract: This relates to connecting a network of logical broadcast domains to the Internet. In an embodiment, selected signal packets are transmitted between two logical broadcast domains via a tunnel server. Outbound signal packets are communicated to the Internet via network address translation as to the outbound signal packets which are different than the selected signal packets.