Abstract: Aspects create a tree data structure that indexes a collection of documents present in a data repository at a point in time. The tree data structure includes a plurality of nodes. For each such node, a respective root hash value of that node is determined. The root hash value of a leaf node is determined from hash value(s) for element(s) of that node that are keyed to documents in the collection. The root hash value of a parent node is determined from a root hash value for each of its child nodes. For a given document that is purported to be a target document present in the data repository at the point in time, processing is performed that uses the tree data structure in facilitating verification that the given document is the target document. This includes providing a cryptographic proof to demonstrate whether the given document is the target document.

Abstract: A method for protecting the integrity of log data. The log data includes a sequence of log data elements associated with an operation of a first logic circuit. The method includes receiving, at a second logic circuit remote from the first logic circuit, a log data element of the sequence of log data elements. Based on the log data element and secret information unknown to the first logic circuit, a protected log data element is generated at the second logic circuit is provided.

Abstract: A computing device may perform a method that includes determining whether internal time reference data is available while booting the computing device. When the internal time reference data is unavailable, the device clock is set to a default time setting. However, when the internal time reference data is available while booting the computing device, the method includes searching the internal time reference data for a most recent time reference, and setting the device clock to a current time setting based on the most recent time reference.

Abstract: A system for secured logging of a second event. The system includes a logging device and a triggering device The triggering device receives an input related to the second event, creates second event message based on received input related to the second event, and receives the first set of data related to first logged event from the logging device. The triggering device further creates a first position-lock data from the first set of data, creates a second append request, and provides the second append request to the logging device. The logging device is configured to verify the second append request. Based on positive verification, the logging device creates a logging device signature over a second log-append-approval, and combines the created logging device signature with the provided second append request to form a second logged event.

Abstract: An example operation may include one or more of receiving, by an orderer, a split transaction that contains configuration transactions for new channels, generating, by the orderer, a split block that includes a split transaction payload and a block header, and sending, by the orderer, the split block to participant nodes to form new channels based on a content of the split block.

Abstract: A device includes a memory and a processor. The processor is to execute the instruction to: receive, from a user device, a username of a user and a string; retrieve a first Message Authentication Code (MAC) and a salt from a database in response to receiving the username and the string; send the first MAC, the salt, and one or more parameters to a Hardware Security Module (HSM); receive, from the HSM, a message indicating whether the first MAC matches a second MAC that the HSM generates based on the one or more parameters and the salt. In addition, the processor to perform one of: authenticate the user when the message indicates that the first MAC matches the second MAC; or not authenticate the user when the message indicates that the first MAC does not match the second MAC.

Abstract: Methods and systems for consistent reads in a distributed transaction protocol are disclosed. A method includes: receiving, by a computing device, a request to write a revision of a data object in a dispersed storage network (DSN); sending, by the computing device, a proposal with the revision of the data object to a plurality of storage units; receiving, by the computing device, a response to the proposal from each of the plurality of storage units, the response including a proposed minimum timestamp corresponding to the data object; determining, by the computing device, a minimum timestamp for the data object based on the proposed minimum timestamps received from the plurality of storage units; and determining, by the computing device, a version of the data object written in the DSN based on the minimum timestamp.

Abstract: One embodiment provides a method, including: identifying, using a tamper detection switch of an information handling device, a tampering event; determining, using a processor, contextual data associated with the tampering event; constructing, based on the determining, a signal comprising the contextual data; and broadcasting, using a radio transmission beacon, the signal. Other aspects are described and claimed.

Abstract: An embodiment of a system for securing media content includes a digital media device comprising a memory associated with a secure element. The memory contains a private key and storage for at least one group key. The private key is used to decrypt transmissions from a remote access control system that are encrypted by a corresponding public key. The digital media device further comprises logic configured to respond to a first message received from the remote access control system encrypted by the public key and including a first group key, the logic responding to the first message by decrypting the first group key and storing the first group key in the memory of the secure element. The digital media device further comprises logic configured to decrypt a content key with the first group key. The content key is used to encrypt media content stored on a medium accessible by the digital media device.

Abstract: In implementations of the subject matter described herein, a new approach for controlling and tracing an object across a plurality of parties is proposed. A rule set may be enabled by the confirmation of a plurality of parties. The rule set may define constraints on operations related to the object. Upon receipt of a request for an operation related to the object, the requested operation may be verified based on the rule set agreed by the plurality of parties. In response to verifying that requested operation is valid, the requested operation may be performed, and a record for the operation may be created and stored in a blockchain database accessible to the plurality of parties.

Abstract: A method for encrypting database data includes generating an encryption key for a first file stored in a data store, wherein a table in a database comprises an entry pointing to the first file. The method includes generating a second file by encrypting the data the first file in the data store using the encryption key without modifying the first file. The method includes, in response to generating the second file, modifying the entry in the table to point to the second file, wherein the modification of the entry is performed atomically. A process for rekeying from the first file to the second file may happen in the background without blocking, interfering, or otherwise obstructing user interaction with a database system.

Abstract: Aspects of the present disclosure address systems, methods, and devices for enabling secure communication between electronic control units (ECUs) in a vehicle. The system may include a first and second ECU from a plurality of ECUs in the vehicle. The first ECU is to enable secure communication between the plurality of ECUs by performing operations that include provisioning the second ECU with authentication data for authenticating messages exchanged with a third ECU and provisioning the third ECU with a set of security keys to enable the third ECU to securely exchange messages with the second ECU. The second ECU receives, from the third ECU, a secure message that is cryptographically signed using a security key from the set of security keys provisioned to the third ECU, and the second ECU authenticates the secure message by comparing the authentication data with an authentication signal.

Abstract: A system performs digital notarization using a biometric identification service. A signature requesting service receives a request to validate a digital item with a signature for a person. The signature requesting service provides a payload that identifies the digital item and/or the person to an identity service. The identity service obtains one or more digital representations of biometrics for the person, determines an identity for the person, and returns a data structure including the payload and one or more identity attestations regarding the determined identity. The identity service encrypts at least a portion of the data structure using a private encryption key. A public encryption key for the identity service can then be used to decrypt the portion to verify that the data structure was generated by the identity service after determining the identity. In this way, validation can be verified to the full trust level of the identification service.

Abstract: This disclosure describes dynamic access control using capabilities (via dynamic access control interface (150)) on a blockchain system (180). The blockchain data structure is a time-stamped list of blocks, chained together cryptographically. In this disclosure, capabilities can be recorded on a blockchain system (via capabilities storage (170)) and thus access propagation is known. This makes revocation of access achievable by recording a new transaction, which in effect removes the previous authorization. There will be no change to transaction history and instead a new transaction records (170) the current status of the capability. An example implementation on a blockchain system (180) is given in Ethereum, which allows programs called “smart contracts” to run as transactions.

Abstract: Some embodiments are directed to a blockchain verification method for a secondary blockchain, the blockchain verification method including sending an activation transaction to a primary blockchain management device which is configured to manage the primary blockchain. The primary blockchain management device is configured to execute a smart contract based on input in the activation transaction generating a result, and publish the result on the primary blockchain.

Abstract: Systems, methods, apparatus, and articles of manufacture to improve timestamp transition resolution of watermarks are disclosed.

Abstract: A computer implemented method, system, and program product comprising examining points in time in each journal of each of the replication sites, determining certain points of time in each journal of each of the replication sites to be deleted based on a policy, and deleting the certain points of time in each journal of each of the replication sites.

Abstract: A host system may initiate a multiple node exchange of selected values to generate a random selection. The structure of the exchange may allow later verification that no single node had control of the generation of the random selection. Accordingly, the random selection may be unknown prior to the exchange. The host system may then provide the random selection to the device for integration of the random selection during the capture of video. The video may be recorded to a blockchain. Because of the integration with the random selection, the video may be date verifiable, such that the video can be verified to be created after the random selection and before recordation to the blockchain.

Abstract: Systems, methods, apparatus, and articles of manufacture to improve timestamp transition resolution of watermarks are disclosed.

Abstract: An example operation may include one or more of connecting, by a data aggregation node, to a blockchain configured to store data, configuring, by the data aggregation node, a transformation of the data, instantiating, by the data aggregation node, at least one rollup blockchain, transforming, by the data aggregation node, the data based on the configuration, executing, by the data aggregation node, a smart contract to populate the transformed data into the at least one rollup blockchain, and archiving the data on a data store outside of the blockchain.

Abstract: Systems and methods for providing automatic fork protection including determining that a transaction having fork protection was included in a first block that was appended to a blockchain, that a hash of the first block was validated, that a consensus decision was made by validator nodes approving the first block for addition to the blockchain, that a second block was appended to the blockchain after the first block, that the second block comprises a hash that is not based on the first block, that the first block was on a first fork and the second block was on a second fork, that the blockchain was resolved in favor of the second fork, and that the transaction failed as a result of the blockchain being resolved in favor of the second fork. The method including compensating a party that submitted the failed transaction based on the fork protection.

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

Abstract: Methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to extend a time range supported by a watermark are disclosed. Example watermark encoding apparatus disclosed herein include a timestamp cycle evaluator to determine which one of a plurality of timestamp cycles is to be represented by a timestamp of a watermark. Disclosed example watermark encoding apparatus also include a symbol swapper to swap at least two symbols of the watermark when the timestamp is to represent a second one of the timestamp cycles but not to swap the at least two symbols of the watermark when the timestamp is to represent a first one of the timestamp cycles. Disclosed example watermark encoding apparatus further include a watermark embedder to embed the watermark in a first piece of media.

Abstract: Methods, apparatus, systems and articles of manufacture (e.g., physical storage media) to extend a time range supported by a watermark are disclosed. Example watermark encoding apparatus disclosed herein include a timestamp cycle evaluator to determine which one of a plurality of timestamp cycles is to be represented by a timestamp of a watermark, the timestamp including a set of timestamp symbols. Disclosed example watermark encoding apparatus also include a symbol modifier to modify a subset of data symbols of the watermark based on a further timestamp symbol not included in the set of timestamp symbols of the timestamp, the further timestamp symbol identifying the one of the timestamp cycles to be represented by the timestamp of the watermark. Disclosed example watermark encoding apparatus further include a watermark embedder to embed the watermark in a first piece of media.

Abstract: Techniques for backend-specific cursor tracking are described. In one embodiment, an apparatus may comprise a local database synchronization component operative to initiate a client update at a messaging client on a client device, the client update associated with a specific backend service for a messaging system; retrieve an opaque backend-specific update cursor for the specific backend service; and store an updated opaque backend-specific update cursor for the messaging client; and a local network component operative to send the opaque backend-specific update cursor to the messaging system in association with a client update request; and receive an update package at the messaging client on the client device, the update package comprising the updated opaque backend-specific update cursor. Other embodiments are described and claimed.

Abstract: Systems, methods, and apparatuses for generating a trusted chain code (“TCC”) message. The method includes receiving, by a computing system, an agreement message between a first entity and a second entity. The agreement message may be formatted as a smart contract whose execution causes a transfer of value in response to at least one of an occurrence of an event or a fulfillment of a condition. The smart contract includes chain code that corresponds to computer language to execute and corresponds to at least one of the occurrence of the event or the fulfillment of the condition. A chain code manifest is generated. The chain code manifest includes a hash of the chain code of the smart contract. A TCC message is generated including at least the smart contract and a digital signature on at least the chain code manifest. The TCC message is posted to a distributed ledger.

Abstract: An augmented reality user device includes a display, a physical identification verification engine, a gesture confirmation engine, and in interface. The display overlays a virtual file document onto a tangible object. The physical identification verification engine receives biometric data for a witness and confirms the witness's identity. The display displays a gesture motion from the signor. The gesture capture engine captures a gesture motion from the witness. The gesture capture engine generates a witness digital signature based on the captured gesture motion from the witness. The gesture capture engine generates a witness transfer token, the witness transfer token comprising the witness digital signature based on the captured gesture from the witness and the witness identity confirmation token. The interface communicates the witness transfer token to a server.

Abstract: One embodiment facilities user access to a standalone computing device. During operation, the system receives, by the standalone computing device from a mobile computing device associated with a user, a first command to access capabilities of the standalone computing device, wherein the first command includes an ephemeral user identifier which includes an ephemeral key and indicates user-specific metadata, wherein the ephemeral key is generated by a network service, wherein the ephemeral user identifier is digitally signed with a private key of the network service, and wherein the standalone computing device is not directly accessible by the network service. The system verifies, by the standalone computing device using a public key of the network service, that the ephemeral user identifier was generated by the network service. The system executes, by the standalone computing device, the first command based on the user-specific metadata.

Abstract: An entity can disseminate nonces by introducing them into various aspects of network traffic, and then listening for them, thereby detecting eavesdroppers on the Internet. A nonce may be numeric, alphanumeric, or otherwise; nonces are contextually appropriate to how they are disseminated. Preferably, a nonce is disseminated by incorporating it into some aspect of network traffic. For example, a nonce can be placed in a network identifier such as an IP address or domain name label. Correlating the circumstances under which the nonce was disseminated and under which it was observed to “propagate”, intelligence about who is eavesdropping on what portions of the Internet can be derived. Such intelligence can be put to many uses, including reporting on eavesdroppers, routing traffic around eavesdroppers, developing reputation scores, and adopting enhanced obfuscation/privacy/security techniques.

Abstract: Systems and methods for ensuring data security. A MAC is computed sequentially for each selected message from a data log that contains at least two messages. To build a data block, a preset encryption key is used for a first message and an encryption key for the previous message is used for subsequent messages. A determination that the data log is compromised can be made based on MAC data block data and an independent calculation of a MAC.

Abstract: A method for generating a blockchain configured for fast navigation includes: storing a blockchain comprised of a plurality of blocks, each block including a header comprised of a fast track flag, fast track reference, timestamp, and hash value, where the plurality of blocks includes standard blocks having a deactivated fast track flag and fast track blocks having an activated fast track flag; identifying a most recent fast track block based on the timestamp in the fast track blocks; identifying a most recent overall block based on the timestamp included in the plurality of blocks; generating a fast track hash value via hashing the most recent fast track block; generating a chain hash value via hashing the most recent overall block; and writing a new block to the blockchain including a block header comprised of a timestamp, activated fast track flag, the fast track hash value, and the chain hash value.

Abstract: At least one contemporaneous signature image is captured while a user generates an electronic signature for a document. When one or more contemporaneous signature images maps to a verification image, signature data representative of an electronic signature is associated with the document.

Abstract: A system includes a processor configured to approve an application vehicular-system-access request based on a temporary key and device ID transmitted with the access request matching a stored temporary key and device ID pair previously stored by the processor. This can assist in ensuring that only validated devices and/or applications are requesting access to a vehicle system.

Abstract: A system and method of recording data from a number of devices in a distributed network system in a manner adaptable for auditing the device output. The devices may include one or more control, sensor, edge, or peripheral computing devices physically separate in the distributed network system and in communication with a control server. Such distributed networks systems are common in SCADA or IoT applications. The content stream of data records output from the devices are recorded; a payload stripped stream of data records which are stripped of the payload are recorded and preferably retained by an escrow service. The metadata of the data records includes the hash value of one or more predecessor data records. The hash values are calculated based on the payload and a linkage function, preferably a cryptographic function. A comparison of hash values of the payload stripped stream and the content stream provides the audit ability.

Abstract: Example implementations relate to hiding sensitive data. For example, a device according to the present disclosure may include a scanning portion to receive a scan of a document, and a graphical user interface to receive a command with respect to the sensitive data. The device may also include a processor to analyze the scan of the document, process the command via the graphical user interface, determine the document contains sensitive data in response to the command, and perform an action to hide the sensitive data.

Abstract: Systems, methods, apparatus, and articles of manufacture to improve timestamp transition resolution of watermarks are disclosed. An example system includes a watermark detector to detect watermarks in media and a decoder to decode timestamps from respective ones of the watermarks.

Abstract: A client device is tracked over a period of time using “refresh tokens” that are exchanged in conjunction with routine client-server communications. Each communication cycle between client and server includes a refresh token that is recorded at the server. The recorded refresh tokens are mapped to both server- and client-generated device identifiers. As communications between client and server occur, a chain of tokens, one for each communication cycle, is progressively recorded at the server. If the server receives a token that is outdated with respect to that which is otherwise expected based on the progression of the recorded chain, this suggests that the received communication was transmitted from a device that is a clone of another client device. A more robust device identification framework is therefore achieved by using a combination of device identifiers and tokens exchanged between client and server.

Abstract: A fork in a block chain data structure is identified, the block chain data structure including a first set of blocks each describing a respective transaction. The fork includes a first branch beginning with a first block and a second branch beginning with a different second block. The first branch includes a first set of blocks comprising at least the first block, and the second branch includes a second set of blocks including at least the second block. A determination is made, based on a consensus protocol, that the second branch is to be discarded. Accordingly, a meta block is generated to identify and describe the second branch. The meta block is to be included in a meta block chain data structure. The meta block chain data structure is separate from the block chain data structure and comprises meta blocks to record orphan branches of the block chain data structure.

Abstract: A software system and service for facilitating organizational testing of employees in order to determine their potential susceptibility to phishing scams is disclosed to evaluate their susceptibility to e-mail and Internet cybercrimes such as phishing. The e-mail addresses of a client organization's employees are provided to the system, a phishing e-mail is created and customized, and a phishing e-mail campaign in which the phishing e-mail message is sent and the responses to the phishing e-mail is monitored, and the results of the e-mail campaign are provided for evaluation. The phishing e-mail may optionally contain attachments and various types of probes and “call home” mechanisms.

Abstract: A method and an apparatus for processing laser point cloud data includes obtaining laser point data to be used by a data receiver comprising an acquisition time; determining a timestamp for representing the acquisition time, and splitting the timestamp into a base timestamp and an offset timestamp; and storing the base timestamp and compressed laser point cloud data. Laser point cloud data output by a laser radar is compressed and comprises only offset timestamps corresponding to respective laser points. The base timestamp and the offset timestamp may be added to obtain the required synchronization precision timestamp, and the data is synchronized. The processing speed of a CPU or GPU for the laser point cloud data is improved while the timestamp precision reaches the precision required by synchronization of the laser point cloud data, and storage space is saved.

Abstract: Tamper-respondent assemblies are provided which include an enclosure assembly mounted to a circuit board and enclosing an electronic component(s) within a secure volume. The enclosure assembly includes an enclosure with an edge surface coupled to the circuit board, and a tamper-respondent sensor. The tamper-respondent sensor covers the edge surface and an inner surface of the enclosure. The sensor includes multiple layers, and at least one tamper-detect circuit. The tamper-detect circuit(s) includes a conductive trace(s) in a tamper-detect pattern covered, at least in part, by at least one layer of the multiple layers. The at least one layer is partially removed to provide exposed regions and unexposed regions of the conductive trace(s) at the edge surface of the enclosure. The conductive trace(s) is contacted where exposed by an adhesive securing the sensor to the circuit board. A monitor circuit monitors the tamper-detect circuit(s) for a tamper event.

Abstract: A method includes in response to receiving an I/O request for the storage system, determining information associated with the I/O request; generating a timestamp associated with the I/O request; and recording the information and the timestamp to reproduce an operation associated with the I/O request. A method comprises: in response to a request for reproducing an I/O operation of the storage system, obtaining information associated with at least one I/O request for the storage system, the information being recorded in response to reception of the at least one I/O request; obtaining at least one timestamp corresponding to the at least one I/O request; and reproducing the operation of the at least one I/O request on the storage system based on the information and the at least one timestamp.

Abstract: An augmented reality user device includes a display, a physical identification verification engine, a gesture confirmation engine, and in interface. The display overlays a virtual file document onto a tangible object. The physical identification verification engine receives biometric data for a witness and confirms the witness's identity. The display displays a gesture motion from the signor. The gesture capture engine captures a gesture motion from the witness. The gesture capture engine generates a witness digital signature based on the captured gesture motion from the witness. The gesture capture engine generates a witness transfer token, the witness transfer token comprising the witness digital signature based on the captured gesture from the witness and the witness identity confirmation token. The interface communicates the witness transfer token to a server.

Abstract: A method for communicating between devices is presented. The method includes dividing a first public key of a first device into at least two partial keys, transmitting the at least two partial keys through at least two communication channels having different physical characteristics, receiving a second public key of a second device through at least one of the at least two communication channels, authenticating the second device based on the received second public key, and performing secure communication with the second device using a public key generated based on the received second public key.

Abstract: At least one contemporaneous signature image is captured while a user generates an electronic signature for a document. When one or more contemporaneous signature images maps to a verification image, signature data representative of an electronic signature is associated with the document.

Abstract: Systems, computer products, and methods are described herein for an improved secure certificate system that utilizes multiple digital signatures, and in some cases multiple public keys within one or more certificates. The improved secure certificate systems allows for additional security by having multiple certification authorities validate the organization as the owner of the organization application (e.g., website, dedicated application, or the like), as well as allowing for the use of the multiple digital signatures and/or certificates to provide seamless verification of the organization application should one or more of the digital signatures and/or certificates become compromised. Moreover, security may be improved by utilizing multiple public keys to encrypt a session key for use in sending and receiving data.

Abstract: A new approach is proposed to support monitoring Perfect Forward Secrecy (PFS) network traffic by utilizing a hardware security module (HSM) appliance. Here, the HSM appliance is a high-performance, Federal Information Processing Standards (FIPS) 140-compliant security hardware with embedded firmware, which can be used for management and sharing of ephemeral keys used in a secured PFS communication session between two parties. Specifically, the HSM allows a server to share one or more of its ephemeral keys and/or parameters used in PFS traffic during the session with a third party under specified access rights and/or authorization, wherein the third party can be but is not limited to a traffic monitoring module. The HSM allows the third party to access the ephemeral keys stored on the HSM under the specified access rights and/or authorization so that the third party may decrypt and run analytics on the PFS traffic captured during the session.

Abstract: Systems, computer products, and methods are described herein for an improved secure certificate system for identifying potential authorized and unauthorized interactions between a web browser and a website. The certificate system utilizes stored certification requirements (e.g., pinned certification requirements, third-party certification requirement system, or the like), and compares the stored certification requirements with received certification requirements. The system may notify the user or prevent the interaction between the web browser and website when the stored certification requirements do not meet the received certification requirements (e.g., a threshold requirement of certificates to validate, validated certificates, or the like). The certificate system allows the interaction between the web browser and website when the stored certification requirements meet the received certification requirements and the website is verified based on the certification requirements.

Abstract: A user identifying system includes a user terminal and a server for communicating with the terminal. The terminal includes a detecting means that detects an event of a failure in accessing a service provided by the server, a recording means that records a timestamp indicating time of a failure in accessing the service when the event is detected, and a transmitting means that transmits, to the server, the timestamp and identification information allowing the server to identify the user of the terminal. The server includes a receiving means that receives the identification information and the timestamp transmitted from the transmitting means, and a specifying means that specifies a user identified by the identification information received by the receiving means when access by the terminal related to the timestamp has been made during an inaccessibility period wherein access to a service provided by the server has been unacceptable.

Abstract: There is provided an information processing apparatus. An acquisition unit acquires feature information of a latest block in a block chain when target data is generated. A registration unit registers proof information indicating that the generated target data is correlated with the feature information acquired by the acquisition unit when the target data is generated to a time proof service.