Abstract: Systems and methods for adaptive attack resistant distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess multiple secret shares corresponding to distinct secret values, which may be used in the process of encrypting or decrypting data. The client computer may generate multiple commitments and transmit those commitments to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitments and their respective secret shares. The partial computations may be transmitted to the client computer. The client computer may use the partial computations to generate a cryptographic key. The client computer may use the cryptographic key to encrypt a message or decrypt ciphertext.

Abstract: An information handling system includes a BIOS and a service processor. The BIOS may generate, during a POST, a secret key that includes a symmetric key and a HMAC key and transmits the secret key to the service processor via an high-speed communication interface. After the POST, the BIOS transmits an SMI message that includes an encrypted message and a first hash value of the encrypted message. The encrypted message is encrypted using the symmetric key and the first hash value of the encrypted message is calculated using the HMAC key. The service processor calculate a second hash value of encrypted message based on the HMAC key and verify the encrypted message by comparing the first hash value and the second hash value. After a successful verification, the service processor decrypts the encrypted message and transmits a response to the BIOS.

Abstract: Techniques are provided that validate a participant in a video conference. As a video conferencing system is remote from a video conference participant, and user devices are not trusted, traditional methods such as client side facial recognition are ineffective at validating a participant from a video conferencing system. Thus, the embodiments encode modulated data for projection onto a face of the participant. A video of the participant is then captured. The conferencing system then confirms that the modulated data is present in the captured video.

Abstract: A device which can be implemented on a single packaged integrated circuit or a multichip module comprises a plurality of non-volatile memory cells, and logic to use a physical unclonable function to produce a key and to store the key in a set of non-volatile memory cells in the plurality of non-volatile memory cells. The physical unclonable function can use entropy derived from non-volatile memory cells in the plurality of non-volatile memory cells to produce a key. Logic is described to disable changes to data in the set of non-volatile memory cells, and thereby freeze the key after it is stored in the set.

Abstract: The present invention addresses the problem of providing a signal process in which a countermeasure against eavesdropping over a physical layer in a wireless communication is performed. An optical signal generation unit 11 generates, as an optical signal, multivalued information that is in a multivalued state and is based on prescribed data. An E/O conversion unit 112 converts the optical signal to an electrical signal. An optical signal amplification unit 12 amplifies the optical signal. An O/E conversion unit 13 converts the optical signal to an electrical signal. A radio wave transmission unit 14 transmits, as a radio wave, the multivalued information converted into the electrical signal. The problem is solved thereby.

Abstract: Techniques are described for controlling a first device that operates in a first mode. In an example, the first device receives, while it is operating in a first mode, a secret from a second device. The first device is capable of wireless data reception and incapable of wireless data transmission in the first mode. The first device determines that the secret is valid. Based at least in part on the secret being valid, the first device performs at least one of: switching an operational mode of the first device from the first mode to a second mode, or performing, while operating in the first mode, a command indicated by the second device. The first device is capable of the wireless data transmission in the second mode.

Abstract: Disclosed is a method of reducing smart contract fees for a decentralized application (DApp). A parameter of a request reception event and a public key of a user are stored in a task queue of a computation server. The computation server performs a task requested by the user, calls a state change function for the performed task from a smart contract, and transmits a transaction result to the user when the transaction result is returned. The user pays, to the smart contract, a fee corresponding to the generation of the request reception event, and the computation server pays, to the smart contract, a fee corresponding to a state change of the smart contract. Thus, by minimizing and uniformizing a fee to be paid by a user of a DApp system, it is possible to increase accessibility to a corresponding DApp.

Abstract: A transaction card includes a near-field communication (NFC) component, a security component, a wireless component, one or more memories, and one or more processors communicatively coupled to the one or more memories. The device receives a signal from a user device attempting to access a secure application, and energizes the NFC component based on the signal received from the user device. The device causes the security component to generate an encrypted code based on the NFC component being energized, and provides, via the security component, the encrypted code to the wireless component. The device provides, via the wireless component, the encrypted code to the user device to permit the user device to utilize the encrypted code as authentication for accessing the secure application.

Abstract: A system and method of securing a computer system by controlling write access to a storage medium by monitoring an application; detecting an attempt by the application to write data to said storage medium; interrogating a rules database in response to said detection; and permitting or denying write access to the storage medium by the application in dependence on said interrogation.

Abstract: A packet sending method includes generating, by a network device, a first packet, and sending the first packet. The first packet includes a first packet header, a second packet header, and protected data. The first packet header includes an indication field. The indication field indicates that the first packet includes the second packet header. The second packet header includes a type field. The type field indicates a first protection protocol. The protected data is protected by using the first protection protocol.

Abstract: In one implementation, a method for spatially designating private content. The method includes: presenting, via a display device, an indication of a private viewing region relative to a location of the computing system; determining a first location for presentation of graphical content; and presenting, via the display device, the graphical content at the first location. The method further includes: transmitting a characterization vector associated with the graphical content to at least one other device for display thereon according to a determination that the first location of the graphical content is outside of the private viewing area; and forgoing transmission of the characterization vector associated with the graphical content to the at least one other device according to a determination that the first location of the graphical content is inside of the private viewing area.

Abstract: A document management system integrates with a video conference system to ensure that proper electronic witness procedure is performed for document validation. The document management system accesses a video conference between a user and an electronic witness, and then instructs the user to electronically sign the document while the electronic witness observes. The document management system receives confirmation that the electronic witness observed the video of the user electronically signing the document. The document management system combines and stores portions of the video conference that correspond to the electronic witness's validation of the document.

Abstract: A method includes operating a mobile device to establish a communications channel between the mobile device and a shared computing terminal. The shared computing terminal is accessible to a plurality of users other than a user of the mobile device. In response to authentication of the user of the mobile device with a remote computing device, the mobile device receives a code from the remote computing device. The mobile device provides the code to the shared computing terminal via the communications channel to enable the shared computing terminal to request a temporary access token from the remote computing device. The temporary access token is used by the shared computing terminal to launch a computing session with the remote computing device without transfer of a long-lived access token of the user from the mobile device to the shared computing terminal.

Abstract: Rapid verification of executing processes includes receiving a seed from a verification unit. A checksum is generated at least in part by using a processor. The processor is coupled to a hierarchical memory, the hierarchical memory comprising an instruction cache, a data cache, and a shared memory accessible by both the instruction cache and the data cache. The shared memory is configured to store an executing program. A size of at least one of the instruction cache and the data cache is insufficient to store the entire executing program. The checksum is transmitted to the verification unit.

Abstract: Security functions for a memory corresponding to a smart security storage may be facilitated or executed through operation of utility application corresponding to a smart device. For example, encryption/decryption of data stored on the memory may be facilitated or executed by a security module under control of an access application corresponding to the smart device. Data securely stored on the memory may be explored and accessed by the smart device or a host computing device under control of the access application.

Abstract: A technique to protect a cloud database located at a database server and accessible from a database client. In this approach, a communication associated with a database session is intercepted. A hostname or network address associated with the communication is then evaluated to determine whether such information can be found in or otherwise derived from data in a database protocol packet associated with the database session. The information typically is placed there unavoidably by the cloud database client and normally cannot be spoofed by a process that does not understand or speak the proper database protocol semantics. Upon a mismatch, the database session is flagged as being potentially associated with a man-in-the-middle (MITM), in which case a given action may then be taken with respect to the database session that is then active. The technique provides for a MITM checkpoint in a cloud database service environment.

Abstract: Described herein are techniques for facilitating push provisioning of a user payment source into a user's digital wallet without the user having a physical card. The techniques allow an issuer to provide a button in an issuer's application for the user to simply push the button to request that the payment source be imported into a pay wallet or a merchant. In this way, the payment source information is “pushed” into the pay wallet. Using push provisioning, the user need not enter any physical card information. The described techniques generate a chain of trust that can be used to ensure that a user, through an issuer and using a gateway, authorizes a token service provider to provision the payment source into the pay wallet or merchant.

Abstract: Techniques for authenticating industrial devices in an industrial automation environment are disclosed herein. In at least one implementation, a physical unclonable function response of an industrial device is extracted. The industrial device transmits a security certificate signed by a certificate authority that includes a device public key to a system, wherein the system validates the security certificate, encrypts an authentication challenge using the device public key, and transmits the authentication challenge to the industrial device. The industrial device generates a device private key using the physical unclonable function response and decrypts the authentication challenge using the device private key.

Abstract: Disclosed herein are system, method, and computer program product embodiments for encryption key management. An embodiment operates by executing an initial non-backup instance of an application and generates a primary key using a cryptographic algorithm. The embodiment requests a customer to create a passphrase configured to encrypt and decrypt the primary key. The embodiment generates a derived key using a cryptographic algorithm and the customer passphrase as input. The embodiment then encrypts the primary key using the generated derived key and stores the encrypted primary key in a catalog.

Abstract: An approach for privacy-preserving auditable accounts on blockchain networks. The approach may include encoding tokens associated with a blockchain network. The encoding may include data relating to the current epoch, where an epoch is a specific time range. The tokens may be received from a user for inspection by an auditing entity. The approach may include performing an audit check on the encoded tokens. If the audit check succeeds, the auditing entity may submit an audit transaction verifying the tokens were generated in the current epoch and making the tokens auditable for the next epoch.

Abstract: In response to determining that the authentication function operating on the authentication node on a network is not responsive, a re-direct message may be communicated to at least one edge device on the network that requests of the authentication function on the authentication node be re-directed to a different authentication node.

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: Memory devices, systems including memory devices, and methods of operating memory devices are described, in which memory devices are configured to provide row clear features. In some embodiments, the memory device may receive a command from a host device directed to a row of a memory array included in the memory device. The memory device may determine that the command is directed to two or more columns associated with the row, where each column is coupled with a group of memory cells. The memory device may activate the row to write the two or more columns using a set of predetermined data stored in a register of the memory device. Subsequently, the memory device may deactivate the word line based on writing the set of predetermined data to the two or more columns.

Abstract: Various embodiments enable broadcast communications security. Various embodiments enable the authentication of broadcast communications. Various embodiments may enable asymmetric authentication and integrity protection of small size messages, such as one or more signed messages totaling a length of 250 bytes or less. Various embodiments may support cryptographic signing of beacon type messages using certificates. Various embodiments may include generating a beacon type message, cryptographically signing the beacon type message at least in part using a certificate to generate a signed beacon message, and sending the signed beacon type message in one or more broadcast transmissions in conjunction with, or independently of, certificate information used to verify the signed beacon message.

Abstract: Various embodiments of the present technology generally relate to authentication. More specifically, some embodiments relate to systems and methods for mobile application infrastructure and framework for application authentication. Currently, methods and systems for authentication are not flexible or dynamic and over-authentication has become a solution because it is cheap and easy. In contrast, in accordance with some embodiments of this application, the methods and systems can analyze authentication challenges and non-authentication challenges received from a server over a network in a client side infrastructure. The client side infrastructure can determine a customized, flexible, and dynamic plan for responding to authentication challenges in manner that avoids over-authentication on the client side.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: A computer-implemented method is disclosed.

Abstract: Improved tools and techniques for generating stateful rules for behavior-based threat detection enable threat analysts, who do not have advanced computer programming skills, to quickly and easily generate high-level representations of stateful behavioral rules, which are then compiled into a format suitable for execution by a stateful rule processing engine. In some examples, the high-level representations of stateful rules are coded in a high-level, domain specific language (DSL). The DSL may provide high-level primitives suitable for (1) expressing sequences of attack behaviors, (2) tagging computational entities (e.g., threads, processes, applications, systems, users, etc.) with states (e.g., user-defined states), and/or (3) performing operations on endpoint nodes (e.g., reporting activity, blocking activity, terminating processes, etc.).

Abstract: A computer system controls access to data. A secure container that is based on an image file is instantiated at an endpoint device of a user, wherein the secure container includes encrypted data corresponding to the user. An access request to the secure container is authenticated by verifying credentials of the user. In response to verifying the credentials of the user, access to the data is granted. Access to the data is controlled by decrypting and enabling access to a portion of the data, wherein additional portions of the data are decrypted and made accessible based on user behavior.

Abstract: An information obtaining method and an apparatus are disclosed. The method includes: sending a first initial NAS message including a non-cleartext information element protected using a first root key from a terminal to a source mobility management network element; receiving a second root key and first indication information from the source mobility management network element, where the first indication information indicates that the second root key is an updated key; sending second indication information and third indication information to the terminal based on the first indication information, where the second indication information indicates the terminal to update the first root key stored by the terminal to obtain the second root key, and the third indication information indicates the terminal to resend the initial NAS message; and receiving a second initial NAS message including the non-cleartext information element protected using the second root key from the terminal.

Abstract: Machine learning in an artificial pancreas is described. An artificial pancreas system may include a wearable glucose monitoring device, an insulin delivery system, and a computing device. Broadly speaking, the wearable glucose monitoring device provides glucose measurements of a person continuously. The artificial pancreas algorithm, which may be implemented at the computing device, determines doses of insulin to deliver to the person based on a variety of aspects for the purpose of maintaining the person's glucose within a target range, as indicated by those glucose measurements. The insulin delivery system then delivers those determined doses to the person. As the artificial pancreas algorithm determines insulin doses for the person over time and effectiveness of the insulin doses to maintain the person's glucose level in the target range is observed, an underlying model of the artificial pancreas algorithm may be updated to better determine insulin doses.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: Systems arid methods for implementing client-side load balancing for remote application servers. An example method comprises receiving, by a publishing server, an application server status information reflecting computing resource utilization by each application server of a plurality of application servers; receiving a request initiated by a client computing device to access a published application executable by at least a subset of the plurality of application servers; and responsive to determining that a load metric reflecting performance of the publishing server exceeds a threshold value, transmitting an instruction to the client computing device to perform client-side load balancing using a snapshot of the application server status information to select an application server of the subset of the plurality of application servers.

Abstract: A system may receive first level authentication data from a first user, authorize first level access to a secure device, and transmit a push notification including a second factor authentication key to a first user device responsive to first factor authentication data matching stored authentication data for the first user. The system may receive a wireless communication from the first user device attenuated by one or more beam attenuating materials to form a first attenuated beam profile. In response to a match of the first attenuated beam profile to a stored beam profile beyond a predetermined threshold, the system may associate the second factor authentication key as an authorized login credential for the first user. The system may receive the second factor authentication key from the first user and authorize the second factor authentication data to grant the first user second level access to the secure device.

Abstract: The present disclosure includes methods, devises and systems for preparing and installing one or more application keys owned by application owners in a remote device. The present disclosure further proposes methods, devices and systems for secure installation of subsequent application keys on a device utilising corresponding key derivation functions to associate an application with a respective policy and identifier using significantly Imv bandwidth for transfer of keys for execution of the respective application on the device.

Abstract: In an embodiment, a communication method, using OFDM (Orthogonal Frequency Division Multiplexing), comprises transmitting and receiving packets between a first node and at least one second node, where each packet comprises a preamble and payload data. The method, performed by the first node, may comprise receiving packets from the at least one second node, and authenticating the at least one second node based on physical layer characteristics, i.e., on CSI (Channel State Information). The authenticating may be based on a plurality of preambles, which are extracted from a group of consecutively received packets.

Abstract: Provided is a method for automatically registering a user on a field device for the purpose of administering the field device, including a) providing user information on the basis of an identity of the user and an identity of the field device by a security device; b) transmitting the provided user information to a mobile device of the user; c) generating field-device-specific registration information on the basis of the transmitted user information by the mobile device; and d) registering the user on the field device by the generated registration information. This method has the particular advantage that a highly secure infrastructure can be used for administering access information for administering the field devices without problems arising during the registration process.

Abstract: Row-level security (RLS) may provide fine-grained access control based on flexible, user-defined access policies to databases, tables, objects, and other data structures. A RLS policy may be an entity or object that defines rules for row access. A RLS policy may be decoupled or independent from any specific table. This allows more robust and flexible control. A RLS policy may then be attached to one or more tables. The RLS policy may include a Boolean-valued expression.

Abstract: Selective virtualization of resources is provided, where the resources may be intercepted and services or the resources may be intercepted and redirected. Virtualization logic monitors for one or more activities that are performed in connection with one or more resources and conducted during processing of an object within the virtual machine. The first virtualization logic further selectively virtualizes resources associated with the one or more activities that are initiated during the processing of the object within the virtual machine by at least redirecting a first request of a plurality of requests to a different resource than requesting by a monitored activity of the one or more activities.

Abstract: A method for providing a user identity based on zero-knowledge proof over a blockchain network by using a user certificate is provided. The method includes steps of: an address abstraction smart contract (a) instructing the user terminal which made a user identity generating request to generate the user identity corresponding to the user certificate issued from a certification authority and generate a user identity proof by using user identity verifying parameters, the user identity, the user certificate and a certification authority public key, to thereby prove that the user identity is generated from the user certificate issued by the certification authority; and (b) upon receiving a user identity registering request from the user terminal, (i) verifying the user identity proof by using the user identity verifying parameters, the user identity, the certification authority public key and the user identity proof and (ii) registering the user identity upon successful verification.

Abstract: An input unit receives an input of data, as learning purpose data and determination target data, in which requests made to a server by a user are represented in a time series. Then, a shaping unit shapes the received data. A classifying unit classifies the shaped data for each user who made the requests. Then, a learning unit extracts, from the classified learning purpose data, consecutive n requests as feature values of the learning purpose data, performs learning by using the feature values of the learning purpose data, and creates a profile for each user. A determination unit extracts, from the classified determination target data, consecutive n requests as feature values of the determination target data and performs determination of the determination target data based on the feature values of the determination target data and based on the profiles created by the learning unit.

Abstract: In one embodiment, distributed data storage systems and methods integrate a change tracking manager with scalable databases. According to one embodiment, a computer implemented method comprises integrating change tracking of storage objects into the distributed object storage database that includes a first database of a first type and one or more chapter databases of a second type with the distributed object storage database supporting a primary lookup index and a secondary lookup index in order to locate a storage object. The method includes recording in a header of a chapter database a network topology for connecting a bucket having the chapter database to a first peer bucket when a new mirror to the first peer bucket is being established, and recording a first directive into the header of the chapter database to express a type of content to be mirrored from the bucket to the first peer bucket.

Abstract: Systems and methods for application identification in accordance with embodiments of the invention are disclosed. In one embodiment, a user device includes a processor and memory configured to store an application, a session manager, an application identifier, and at least one shared library, and the processor is configured by the session manager to communicate the application identifier and the application identifier data to an authentication server and permit the execution of the application in response to authentication of the application by the authentication server.

Abstract: A computer-implemented method of generating a share of a digital signature of a message, wherein a threshold number of different signature shares from respective participants of a group of participants are required to generate the digital signature, wherein each participant has a respective private key share, the method being performed by a first one of the participants and comprising: generating a first message-independent component and a first message-dependent component, wherein the message-independent component is generated based on a first private key share and wherein the message-dependent component is generated based on the message; causing the first message-independent component to be made available to a coordinator; and causing a first signature share to be made available to the coordinator for generating the signature based on at least the threshold number of signature shares, wherein the first signature share comprises at least the message-dependent component.

Abstract: A system and a method for secure communications over a network, the method comprising: receiving a data packet from a first device, the data packet comprising an encrypted data part and a metadata part, the metadata part comprising a cleartext part and removable metadata, the removable metadata comprising a network access code that is authenticatable by means of a network access key; validating the data packet, wherein validating the data packet comprises authenticating the network access code using the network access key; removing the removable metadata from the data packet after validating the data packet, thereby altering the data packet; and transmitting the altered data packet to a second device. The system comprises a first, a second, and a third device. The third device may comprise a receiver and a transmitter, and a validator that comprises a processor and a memory.

Abstract: A method includes determining a first node set and a second node set that are in a distributed database and that are separately associated with a first data table, where data in the first data table is stored in the first node set, migrating the data from the first node set to the second node set, receiving, in a process of migrating the data, a target service request for the first data table, determining, in response to the target service request, a third node set in the first node set and the second node set that is configured to respond to the target service request, and sending the target service request to a first data node in the third node set.

Abstract: Embodiments of the present systems and methods may provide techniques that provide dynamic groups and attribute-based access control (ABAC) model (referred as CV-ABACG) to secure communication, data exchange and resource access in smart vehicles ecosystems. In embodiments, the model not only considers system wide attributes-based security policies, but also takes into account individual user privacy preferences for allowing or denying service notifications, alerts, and operations to on-board resources. Embodiments of the present systems and methods may provide groups in vehicular IoT, which may be dynamically assigned to moving entities like connected cars, based on their current GPS coordinates, speed or other attributes, to ensure relevance of location and time sensitive notification services, to provide administrative benefits to manage large numbers of entities, and to enable attributes inheritance for fine-grained authorization policies.

Abstract: A system and method are provided for enhanced multi-way time transfer for time synchronization between at least one slave node and one master node. A slave node sends a first message to the master node to launch a time synchronization between the slave node and the master node. Upon receiving the first message, the master node adds a receiving time on a master clock to the first message to form a second message. The master node sends the second message back to the slave node and the slave node adds a receiving time on the slave clock to the second message to form an updated message. The slave node performs a time adjustment to the slave clock based on the updated message, thereby synchronizing time between the slave node and the master node.

Abstract: A cryptographic accelerator (processor) retrieves data blocks for processing from a memory. These data blocks arrive and are stored in an input buffer in the order they were stored in memory (or other known order)—typically sequentially according to memory address (i.e., in-order.) The processor waits until a certain number of data blocks are available in the input buffer and then randomly selects blocks from the input buffer for processing. This randomizes the processing order of the data blocks. The processing order of data blocks may be randomized within sets of data blocks associated with a single read transaction, or across sets of data blocks associated with multiple read transactions.

Abstract: A digital certificate processing method includes: receiving a distribution request for a digital certificate, wherein the digital certificate does not contain validity period information; acquiring a verification result for the digital certificate; and according to the verification result, recording the digital certificate which has passed verification to a blockchain.