Abstract: The disclosed technology is directed towards delivering electronic messages from senders to recipients in an intelligent way, based on the determined likelihood of each recipient acting on a message. Message delivery can be delayed upon delayed message delivery criterion being satisfied, based on user profile data the user establishes for each messaging application. Predicted recipient user availably, predicted recipient user receptivity and/or the identity of the sender, for example, can be used as factors in determining delivery data representing the likelihood of a recipient acting on a message. Delivery of the message is to a recipient's device is delayed when the delivery data satisfies delayed delivery criterion. The delayed delivery time can be determined from the recipient user's predicted availably and/or receptivity data, and/or the identity of the sender. The sender is notified of a delayed message delivery, and can be presented with options as to other actions to take.

Abstract: Systems and methods for threshold authenticated encryption are provided. A collection of cryptographic devices may encrypt or decrypt a message, provided that a threshold number of those devices participate in the encryption process. One cryptographic device may generate a commitment message and transmit it to the other selected devices. Those devices may each perform a partial computation using the commitment message, and transmit the partial computations back to the encrypting or decrypting device. The encrypting or decrypting device may use those partial computations to produce a cryptographic key, which may then be used to encrypt or decrypt the message.

Abstract: The present invention relates to a software-defined radio chip or module suitable for integration on a host device. The software-defined radio chip comprises digital signal processing capability which includes standard digital signal processing hardware and reconfigurable programmable logic, the reconfigurable programmable logic is configured in such a way as to provide secure digital signal processing capability to the software-defined radio, thereby providing a secure software-defined radio.

Abstract: Methods and systems are provided for collecting, storing, and transmitting account information in a matchable form, and for using this information to quickly set up accounts. Account information is maintained and shared between one or more client devices and an intermediate server. Account information can be reconciled locally to determine whether to add or enable an active account or an account proxy to a client device. Account proxies can be quickly enabled by a single user action. The methods and systems allow enabled accounts and account proxies to be removed from a first client device without propagating the deletion to a second client device.

Abstract: An information system is provided that enables stakeholders to define a secure data object that sets permissions, rules, and rights for an asset. The secure data object may be communicated to entities, such as computer hosts or hardware agents, and the entities are enable to act within the permissions, rules, and rights to conduct transactions and gather information as agents of the stakeholders. The secure data object may be received into a hardware agent attached to an asset, and the agent may have sufficient permission to monitor environmental conditions, adjust pricing, consummate a transaction, or communicate a report.

Abstract: Provided is a distributed and associative container platform system which has an advantage of providing flexible movement of services and infinite extension of computing resources by interconnecting regionally distributed multiple container platforms and enhancing security.

Abstract: A method for variable length decoding, the method including: receiving, in a default word length mode, at least one first data word having a default first word length; combining the received at least one first data word as a first portion of data; receiving, after the at least one first data word, a transition word indicative of transitioning to a variable word length mode; receiving, after the transition word, a first word length word indicative of a second word length; receiving, after the first word length word, at least one second data word having the second word length; and combining the received at least one second data word as a second portion of the data.

Abstract: An example method can comprise receiving a first wireless signal from a first device at a boundary device. The boundary device can measure one or more properties of the first wireless signal and can transmit information regarding the one or more measured properties of the first wireless signal to the first device, the information regarding the one or more measured properties of the first wireless signal causing the first device to adjust one or more properties of wireless transmission based on the information.

Abstract: A data transmission method includes each of a plurality of devices determining an IP address of each device based on a hash value calculated from a public key of each device according to a hash function. Each of the devices holds state information reflecting a connection relationship between the devices and transmits a notification message indicating content of the state information to another device. Each of the devices updates the state information held by each device based on the notification message received from the another device. In a group of devices logically defined based on the state information held by each device, a routing table is determined and held between the devices included in the group and is used to search for a device to be a destination of data transmission.

Abstract: This disclosure presents processes and systems that translate policies defined for virtual objects, such as virtual servers, applications, and databases, of a distributed computing system into identity information of services provided by virtual objects to computing devices located outside the distributed computing system. Processes and systems form object graphs of computing device identity information, virtual objects, and virtual object identify information. Processes and systems translate polices for controlling network between the computing devices and the virtual objects into identity information of the computing devices and the virtual objects. The identify information of the virtual objects and the computing devices is used to create rules for controlling network traffic between the virtual objects and the computing devices.

Abstract: This disclosure relates to systems and methods for managing protected electronic content using proxy reencryption techniques. Rights management architectures are described that may, among other things, provide end-to-end protection of content keys from their point of origination at a content creator and/or content service to end user devices. Proxy reencryption techniques consistent with aspects of the disclosed embodiments may enable transformation of a ciphertext under one public key to a ciphertext containing the same plaintext under another public key. Consistent with embodiments disclosed herein, proxy reencryption processes may be implemented using indistinguishability obfuscation and puncturable public-key encryption schemes, functional encryption, and/or white box obfuscation techniques.

Abstract: According to an embodiment, a cryptographic processing device is described comprising a memory configured to store a first operand and a second operand and a cryptographic processor configured to determine, for cryptographically processing the data, the product of the first operand with the second operand by determining, for each result word index in a result word index range, a result data word for the result word index by accumulating products of sums of words of the first operand and the second operand and subtracting excess terms.

Abstract: Secure communication in a geographic incident area is disclosed. Computer-implemented methods are also disclosed, one of which is for restricting access to a resource and includes generating a key and splitting it into N key parts (where N is an integer greater than two). The method also includes encrypting the N key parts. The method also includes transmitting, over a network, to a device: the N encrypted key parts; and identifying information for N secret objects expected to be visible within the area. Each of the N encrypted key parts is decryptable based on at least one video analytics-discernable object attribute for each respective secret object of the N secret objects. The method also includes allowing an additional entity to access the resource only by presentation of a complete key formed from decrypted versions of less than all of the N key parts.

Abstract: In some implementations, a device may provide a data structure storing first data, wherein the first data indirectly identifies second data, and wherein the second data identifies a particular individual. The device may obtain, from the data structure, the first data. The device may generate a cryptographically random value using a secure generator. The device may combine the first data and the cryptographically random value to generate hashing input data. The device may perform, using a hashing algorithm, a hashing operation on the hashing input data to generate de-identified first data, wherein re-identification of the de-identified first data requires knowledge of at least the first data, the cryptographically random value, and the de-identified first data. The device may perform an action using the de-identified first data.

Abstract: Broadly speaking, embodiments of the present technique provide methods, apparatuses and systems for performing a TLS/DTLS handshake process between machines in a manner that reduces the amount of data sent during the handshake process.

Abstract: Techniques for encrypting data using a key generated by a physical unclonable function (PUF) are described. An apparatus according to the present disclosure may include decoder circuitry to decode an instruction and generate a decoded instruction. The decoded instruction includes operands and an opcode. The opcode indicates that execution circuitry is to encrypt data using a key generated by a PUF. The apparatus may further include execution circuitry to execute the decoded instruction according to the opcode to encrypt the data to generate encrypted data using the key generated by the PUF.

Abstract: A mobile network operator (MNO) uses a provisioning server to update or install profile content in a profile or electronic subscriber identity module (eSIM). In an exemplary embodiment, the profile is present on a secure element such as an embedded universal integrated circuit card (eUICC) in a wireless device. One or more MNOs use the provisioning server to perform profile content management on profiles in the eUICC. In some embodiments, an MNO has a trust relationship with the provisioning server. In some other embodiments, the MNO does not have a trust relationship with the provisioning server and protects payload targeted for an MNO-associated profile using an over the air (OTA) key.

Abstract: Apparatus and methods are provided for a smart card which enables users to securely complete online transfers without entering sensitive transaction information into a third-party system. The smart card may include a touch-sensitive screen configured to display selectable transfer options. The smart card may include a microprocessor and wireless interface. The wireless interface may provide wireless communication capabilities and the ability to initiate online transfers based on information captured by the touch-sensitive screen. A card issuer may mint an NFT with data from a past transaction using the smart card. The smart card may display the NFT and an associated score on the touch-sensitive screen. The smart card may communicate with another smart card using near-field communication to share NFT and score data. The smart card may accept or decline a transaction based on one or more NFTs associated with the other card.

Abstract: Systems and methods related to a remote configuration system are disclosed. The system includes a processing resource and a non-transitory machine-readable medium storing instructions executable by the processing resource to send an identification code to a server to initiate a system configuration, receive a payload including a configuration instruction responsive to the sent identification code, configure the system utilizing the payload including the configuration instruction, where the system is permanently configured, and store a receipt including the payload responsive to the configuration of the system.

Abstract: A method of electronic communication via a virtual network function (NFV) implementation of a core network. The method comprises receiving a hypertext transfer protocol (HTTP) content request from a user equipment (UE), wherein the HTTP content request comprises an identification of a content source and determining by an orchestrator service that insufficient NFV processing capacity is available to perform the HTTP content request, where the orchestrator service is an application that executes on a first physical host. The method further comprises dynamically increasing the NFV processing capacity by the orchestrator service, performing the HTTP content request using the increased NFV processing capacity, and returning a HTTP content response to the UE, wherein the HTTP content response does not comprise identification of the content source.

Abstract: Methods and systems disclosed herein related to analyzing the risk of an identity-based transaction and offering the identity-based transaction to a risk exchange. An identity-based transaction may be a transaction that is initiated with a digital identity, and an assertions model manager may provide assertions about the digital identity for completing the identity-based transaction. The assertions model manager may use the assertions and information about the identity-based transaction to analyze transaction risk. A risk score for the identity-based transaction can be calculated, and then the identity-based transaction may be offered on a risk exchange.

Abstract: A method is disclosed for providing secure access to multimedia content to a user of a content service at a first user device configured to enable the user to consume the multimedia content. The method comprises: providing, from a second user device, a user identifier to a service provider of the content service, the second user device being provided with a subscriber identity module enabling the second user device to connect to a cellular communication network, the user identifier comprising an identifier of the subscriber identity module; at the second user device, receiving an access key from the service provider, through the cellular communication network, the access key being associated with the user identifier; providing the access key from the second user device to the first user device through a short-range connection, and at the first user device, using the access key to access the multimedia content.

Abstract: A system is provided for processing offline digital resource transfers using a hardware device based cryptographic application. In particular, the system may comprise a portable hardware device or chip that have a cryptographic application and key stored thereon. The hardware chip may further store information about a digital resource associated with the user. A user may, through a user computing device, initiate a digital resource transfer by retrieving a data record associated with the digital resource transfer from a terminal. The user computing device may then access the cryptographic application stored on the hardware chip, where the cryptographic application may use the cryptographic key to digitally sign the data record. In this way, the system provides a secure and efficient way to process offline digital resource transfers.

Abstract: Techniques in electronic systems, such as in systems including a processing chip and one or more external memory chips, provide improvements in one or more of system security, performance, cost, and efficiency. The processing chip includes immutable hardware enabled to securely boot one or more CPUs of the processing chip to execute code stored in a non-volatile one of the external memory chips, and to update the code. An update to the code is written to a portion of one of the external memory chips that is not accessible to the CPUs, and the immutable hardware copies the update to the non-volatile memory chip. The update is encrypted with a public portion of a key possessed by an entity sending the update, and a private portion of the key, used to decrypt code stored in the non-volatile memory chip, is unique to and solely possessed by the processing chip.

Abstract: The present disclosure relates to methods and systems for contextual data masking and registration. A data masking process may include classifying ingested data, processing the data, and tokenizing the data while maintaining security/privacy of the ingested data. The data masking process may include data configuration that comprises generating anonymized labels of the ingested data, validating an attribute of the ingested data, standardizing the attribute into a standardized format, and processing the data via one or more rules engines. One rules engine can include an address standardization that generates a list of standard addresses that can provide insights into columns of the ingested data without externally transmitting the client data. The masked data can be tokenized as part of the data masking process to securely maintain an impression of the ingested data and generate insights into the ingested data.

Abstract: A system comprising a distributed ledger (BC) configured to store a smart contract (SB) related to a problem statement (Z), the smart contract (SB) enabling a zero-knowledge proof (ZK) concerning the problem statement (Z).

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing a phone number list are disclosed. In one aspect, a method includes the actions of receiving, by a computing device, telephone call data that reflects characteristics of telephone calls placed and received by a first user. Based on the telephone call data, the actions further include generating, by the computing device, a first telephone number whitelist for the first user. The actions further include determining, by the computing device, whether to combine the first telephone number whitelist and a second telephone number whitelist for a second user. The actions further include storing, by the computing device, the first telephone number whitelist or the combined telephone number whitelist in association with the first user.

Abstract: Provided are methods and systems for controlling access to a property via one or more electronic locks.

Abstract: Domain-based server-selection computer-implemented processes and machines implement an extension of RAFT consensus for leader selection based on patterns of update data proximity. Accounts involved in payment or other transactions are maintained as “sharded” data across data store instances that are split into shards according to their temporal activity. If the domain attributes for a node exceed a threshold and are greater than the other nodes, the node is designated as a leader node and the others are designated as follower nodes. This provides an additional optimization in network performance by introducing insights in normal operations within a domain in a distributed network. If the domain attributes do not exceed the threshold and/or are not greater than the other nodes, a traditional consensus algorithm is used to select leader and follower nodes.

Abstract: Various aspects pertain to ways to securing a peer-to-peer communication link that serves to relay transmissions to/from a managed mobile network node. A first user equipment may identify a second user equipment that can communicate via a peer-to-peer wireless interface and serve as a relay between the first user equipment and a managed mobile network node. A relay session key material may be obtained from the managed mobile network node. A peer-to-peer communication link between the first user equipment and the second user equipment may be established or modified by, for example, securing the peer-to-peer communication link based on the relay session key material. A protocol data unit session may be established, over the peer-to-peer communication link, between the first user equipment and the managed mobile network node for secured transmissions there between.

Abstract: A size of a cache of a server associated with a network service is modified in view of a number of clients that are connected to the server. A cache invalidation verification operation to store data at the cache is performed in view of the number of clients that are connected to the server. A quality of service function of the server is configured in view of the number of clients that are connected to the server, wherein the quality of service function provides resources of the server to a first client accessing the network service. A module is loaded at the server in view of the number of clients that are connected to the server, wherein the module configures the network service. Access to the network service is provided by a processing device to the first client.

Abstract: A cryptography administration system facilitates secure, user-friendly and auditable cryptography. An administrator may create channels with associated cryptographic keys and algorithms for performing cryptographic operations such as encryption and decryption. The channel may be associated with licenses which may include permissions to perform cryptographic operations. The licenses may be shared with one or more users. A user may perform cryptographic operations using the channel according to the permissions and operations included in the licenses, to which the user has access, associated with the channel. The user does not need a technical understanding of the cryptographic system (e.g., keys and algorithms) to perform the cryptographic operations and does not need access to the keys to perform the operations. The cryptographic operations may be stored in an audit log that can be reviewed by user.

Abstract: A hardware cryptographic engine comprises a direct-memory-access (DMA) input module for receiving input data over a memory bus, and a cryptographic module. The cryptographic module comprises an input register having an input-register length, and circuitry configured to perform a cryptographic operation on data in the input register. The hardware cryptographic engine further comprises an input-alignment buffer having a length that is less than twice said input-register length, and alignment circuitry performing an alignment operation on input data in the input-alignment buffer. The hardware cryptographic engine is configured to pass input data, received by the DMA input module, from the memory bus to the input register of the cryptographic module after buffering an amount of input data no greater than the length of the input-alignment buffer.

Abstract: Methods and apparatus provide communications among respiratory therapy device (“TD”), server and intermediary (e.g., a control device (“CTLD”) for the therapy device) to improve security. More secure communication channel(s) may be established using shared secrets derived with different channels. The communications may include transmitting therapy data from TD to server for authentication. The CTLD may receive the data and a nonce from a server. The CTLD receives from the TD a signing key dependent on the nonce and a secret shared by TD and server. The CTLD generates an authorisation code with received therapy data and the key for authentication of the data by the server upon its receipt of the code and data. The server computes (1) a key from the nonce and the secret known to TD, and (2) another authorisation code from received therapy data and the key. Data authentication may involve comparing received and computed codes.

Abstract: One embodiment provides a method, including: identifying, at an information handling device, a sensitivity level associated with user-created content; detecting editing input provided to the user-created content by a user; determining, using a processor, a type of continuous authentication policy to implement for the user-created content based upon the sensitivity level; and authenticating the user providing the editing input at a frequency dictated by the type of the continuous authentication policy. Other aspects are described and claimed.

Abstract: The invention proposes a novel type of infective countermeasure against fault injection attacks. Instead of determining the injected error before amplifying it, the novel countermeasure applies the same diffusion function to two intermediate ciphers obtained by executing a cryptographic operation on an input. The error is therefore amplified within the same intermediate ciphers, referred to as infective ciphers after diffusion. It is then possible to use diffusion functions which do not map the cipher 0 as an output equal to 0. A cipher recomposed from bits of undiffused ciphers is also generated. These infective and recomposed ciphers are XOR-combined to provide an output cipher. This approach makes it possible to adapt, by simple duplication of the pairs and associated specific diffusion functions, the protection offered by the countermeasure to a desired number of injected faults.

Abstract: Methods, systems, and computer media provide attestation tokens that protect the integrity of communications transmitted from client devices, while at the same time avoiding the use of stable device identifiers that could be used to track client devices or their users. In one approach, client devices can receive anonymous certificates from a device integrity computing system signifying membership in a selected device trustworthiness group, and attestation tokens can be signed anonymously with the anonymous certificates using a group signature scheme. Client devices can include throttlers imposing limits on the quantity of attestation tokens created by the client device.

Abstract: An information processing apparatus has a controller configured to identify a driver of a vehicle on the basis of at least one of the results of first authentication based on a first part of the living body of a user and second authentication based on a user device. The controller gives higher priority to the result of first authentication than the result of second authentication in the processing of identifying the driver of the vehicle. The user device may include a first communication terminal capable of functioning as an electronic key of the vehicle and a second communication terminal incapable of functioning as an electronic key of the vehicle. The controller gives higher priority to the result of authentication of the first communication terminal than the result of authentication of the second communication terminal.

Abstract: Methods and systems for authenticating an Internet of Things device, such as an electronic lock, are disclosed. One method includes generating a first challenge at a server; transmitting the first challenge to the Internet of Things device; receiving a first signed certificate from the Internet of Things device, the first signed certificate being the first random number challenge signed with a private key associated with the internet of things device; and verifying the first signed certificate with the first challenge and a public key associated with the Internet of Things device. Mutual authentication of the server from the Internet of Things device is also provided.

Abstract: An access control system stores information defining conditions under which each user is allowed to perform resource access. The access control system acquires a first access request indicating an operation for a first resource in a target system by a first user, determines based on the information whether or not the first access request is permitted, acquires a result of an additional permission/disapproval determination of the first access request in response to the disapproval determination of the first access request, and grants execution authority of the first access request by the first user according to the result of the additional permission/disapproval determination indicating permission.

Abstract: Apparatuses, systems, and techniques for handling faults by a direct memory access (DMA) engine. When a DMA engine detects an error associated with an encryption or decryption operation, the DMA engine reports the error to a CPU, which may be executing an untrusted software directing a DMA operation, and the secure processor. The DMA engine waits for clearance from the secure processor before responding to further directions from the potentially untrusted software.

Abstract: A method, a device, and a non-transitory storage medium are described in which an pre-authentication service is provided. The service may support a transport layer security handshake and determine authentication based on the initial message. The service may provide for the generation of a message that initiates a handshake between devices in which the message includes an authentication string used for authentication. The service may provide for the generation of another authentication string for comparison. The service may also support authorization of a device. The service may minimize potential malicious attacks and activities between the devices.

Abstract: A computer-implemented method, and system, for detecting modification of a semiconductor device includes generating and applying an exhaustive first set of patterns to a netlist golden model of a golden device. The exhaustive first set of patterns is developed by a pseudorandom number generator. Applying the patterns to stimulate the device produces a first response serial bit stream in relation to logical composition of the golden model. A signature analyzer compresses the total output to provide a first cyclic redundancy code or answer. The same exhaustive set of patterns can be provided to stimulate the model of an unknown device. The unknown device is shown to be identical to the golden device if its answer matches that of the golden device and modified if its answer does not match that of the golden device.

Abstract: A system, method, and computer-readable medium for performing a data center connectivity management operation. The connectivity management operation includes: providing a data center asset with a data center asset client module; establishing a connection between a mobile device application and a connectivity management system; submitting a request to the connectivity management system via the mobile device application to establish connectivity with the data center asset client module; establishing a connection between the data center asset client module and the connectivity management system based upon the request; and, exchanging information between the data center asset client module and the data connectivity management system via the secure communication channel between the data center asset client module and the connectivity management system.

Abstract: A system in one embodiment comprises a first endpoint device that is configured to communicate with a second endpoint device using a given communication protocol. The first endpoint device is configured to monitor a communication session under the given communication protocol and to generate monitoring data associated with the communication session. The first endpoint device is configured to determine that a designated network condition has occurred based at least in part on the monitoring data. The first endpoint device is configured to activate a performance monitoring component based at least in part on the determination that the designated network condition has occurred and to generate performance data utilizing the activated performance monitoring component. The first endpoint device is configured to anonymize and store the performance data.

Abstract: A method for providing a personal data storage service between a first user who is a data provider and a second user who is a data requester by using a smart contract based on a first layer and a privacy layer and a storage layer based on a second layer is provided. The method has an effect of generating encoded subject data made by encoding subject data by using a random key as an encryption key generated through a data provider terminal, to thereby prevent the personal storage service provider from decoding the subject data. Further, the method has another effect of saving the storage for use in PDS service, since there is no need to generate each of encoded encryption key and encoded subject data in line with each of data requester even if the number of data requesters increase by implementing using a proxy re-encryption technology.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes generating a symmetric content encryption key. Content is encrypted using the content encryption key to generate cipher text. A hash of the cipher text is generated. Each of the hash and the content encryption key is signcrypted using each of a signcrypting party public key, a signcrypting party private key and a recipient public key to generate a signcrypted envelope message. The cipher text is embedded in a component of the signcrypted envelope message. The signcrypted envelope message is transmitted to a recipient. The recipient can unsigncrypt the signcrypted envelope message using each of the recipient public key, a recipient private key, and the signcrypting party public key to retrieve the content encryption key and hash of the cipher text. The recipient can decrypt the cipher text using the content encryption key.

Abstract: Anonymizing systems and methods comprising a native configurations database including a set of configurations, a key management database including a plurality of private keys, a processor in communication with the native configurations database and the key management database, and a memory coupled to the processor. The set of configurations includes one or more textual descriptions and one or more ranges, wherein each range includes a contiguous sequence comprised of IP addresses, port numbers, or IP addresses and port numbers. The processor is configured to retrieve the set of configurations from the native configurations database, wherein the set of configurations includes a plurality of objects; retrieve a private key from the key management database; assign a unique cryptographically secure identity to each object; and anonymize the plurality of objects based on the cryptographically secure identities and the private key.

Abstract: This invention relates generally to methods and apparatus for providing secure services using a mobile device, and in particular for securely making transactions, such as payments, using mobile phones and smartphones.

Abstract: A secure authentication method includes: deriving a distributed LSH value using secret LSH, taking a first distributed feature amount which is a feature amount of user information distributed through a secret distribution method and encrypted LSH parameters as inputs; deriving a distributed hash value using a secret unidirectional function, taking the distributed LSH value and a distributed key as inputs; decoding the hash value by reversing distribution of the distributed hash value; selecting, from a secret hash table storing sets of a hash value as an index and a distributed feature amount as a data string, a set including a hash value matching the decoded hash value; computing, in secret, similarity between the distributed feature amount in the set and the first distributed feature amount; deriving, in secret, a user authentication result based on the similarity computed; and outputting the derived authentication result.