Message Digest Travels With Message Patents (Class 713/181)
  • Patent number: 12254104
    Abstract: First data is received which encapsulates second data in a hidden compartment. Thereafter, a password is received by a password encoder which uses such password to generate a key. The first data and the key are combined to generate the second data (i.e., the hidden data). The second data is then provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: November 15, 2024
    Date of Patent: March 18, 2025
    Assignee: HiddenLayer, Inc.
    Inventors: Julian Collado Umana, Andrew Davis
  • Patent number: 12255887
    Abstract: A Transport Layer Security (TLS) handshake can be terminated early—i.e., before certificate validation—to reduce server-side demand, which can be particularly advantageous in counteracting Denial-of-Service (DOS) attacks and the like. To this end, an endpoint may provide a one-time password (OTP) in the client hello message during the initial steps of a TLS handshake or similar connection protocol. A gateway, upon receiving the client hello message, may generate its own OTP for comparison with the OTP in the client hello message. The endpoint and gateway may advantageously generate the OTP based on a secret provided by a threat management facility with a preexisting secure connection to the two entities. If the OTP provided in the client hello message and the OTP generated on the gateway are the same, then the TLS handshake may continue; otherwise, the Transmission Control Protocol (TCP) connection will be terminated by the gateway.
    Type: Grant
    Filed: March 25, 2022
    Date of Patent: March 18, 2025
    Assignee: Sophos Limited
    Inventors: Amit Katyal, Venkata Suresh Reddy Obulareddy
  • Patent number: 12256014
    Abstract: Systems and methods for generating a series of connected secure, unique glyph carriers configured to interface with customizable finite state machines are described herein. In some embodiments, the present disclosure relates to systems and methods for scanning the secure, unique glyph carriers disclosed herein. The systems and methods may include a database in communication with a finite state machine. In various configurations, the systems and methods may be used to detect a forgery of the secure, unique glyphs described herein.
    Type: Grant
    Filed: July 22, 2021
    Date of Patent: March 18, 2025
    Inventor: Pawel Matykiewicz
  • Patent number: 12248618
    Abstract: Systems and methods for sending and receiving communications securely between a human interface keyboard and a computer terminal are described. In some embodiments, the keyboard includes a human interface display and a processor to encrypt keystrokes entered by a user. Synchronization between the keyboard and the computer terminal is maintained by the devices, by encrypting and decrypting a signal according to the same randomized negotiated ASCII CharSet, which is generated by the computer terminal.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: March 11, 2025
    Assignee: Zingdoc Inc.
    Inventors: Clifford Fernandez, Kurt Grutzmacher, Derrick Harry Lewis
  • Patent number: 12250324
    Abstract: Method for authenticating at least one ventilator with at least one remote station, wherein the ventilator can connect itself via at least one interface to the remote station, at least one authentication file is stored on the ventilator, the authentication file contains at least one signature code of a signing authority, and a public keycode of the signing authority is known to the remote station, the ventilator sends the authentication file to the remote station when establishing the connection to the remote station, the remote station checks the signature code of the authentication file using the public keycode as to whether the signature code originates from the signing point and the ventilator is authenticated when the remote station recognizes the signature code as originating from the signing authority.
    Type: Grant
    Filed: March 18, 2024
    Date of Patent: March 11, 2025
    Assignee: Loewenstein Medical Technology S.A.
    Inventors: Igor Bychkov, Matthias Schwaibold
  • Patent number: 12242622
    Abstract: First data is received which encapsulates second data in a hidden compartment. Thereafter, a password is received by a password encoder which uses such password to generate a key. The first data and the key are combined to generate the second data (i.e., the hidden data). The second data is then provided to a consuming application or process. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: September 20, 2024
    Date of Patent: March 4, 2025
    Assignee: HiddenLayer, Inc.
    Inventors: Julian Collado Umana, Andrew Davis
  • Patent number: 12212678
    Abstract: An electronic device is provided. A computing system includes a host and a storage device. The host generates a host authentication code. The storage device receives a first request among a series of first to third requests regarding security write and write data from the host, generates a device authentication code based on the write data, receives the second request and the host authentication code from the host, and performs a program operation on the write data based on a result of comparing the host authentication code with the device authentication code.
    Type: Grant
    Filed: July 30, 2020
    Date of Patent: January 28, 2025
    Assignee: SK hynix Inc.
    Inventor: Gun Wook Lee
  • Patent number: 12197582
    Abstract: The present disclosure relates to an implementation for a trusted computing system. According to the embodiments of the present disclosure, a master controller in an SSD, which is necessarily configured in the system, is used to provide all necessary security functionality of the system's RoT. The system does not need to contain any special RoT chip or module, does not need any modifications in the system design, is easy to adopt, and can be implemented by any system comprising a hard drive. All necessary security functions are completed by the master controller of the system's hard drive. Thus, not only can the cost of the security module be reduced, but more importantly, the mechanism directly protects information and resources (e.g., operating system, user programs, user data, etc.) that actually need to be protected in the system, and once the mechanism is enabled, the protection function cannot be bypassed.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: January 14, 2025
    Assignee: MAXIO Technology (Hangzhou) Co., Ltd.
    Inventors: George Fong, BingJun Chen, GuoYang Li, ChenLuan Wang, ZiHua Xiao, Hui Jiang
  • Patent number: 12182235
    Abstract: A system and method uses different authentication techniques, including weak passive authentication techniques, to authenticate users by generating a score and comparing it to a threshold selected according to the feature the user is requesting.
    Type: Grant
    Filed: March 29, 2022
    Date of Patent: December 31, 2024
    Assignee: CHARLES SCHWAB & CO., INC.
    Inventors: Valery Zubovsky, Charles E. Gotlieb
  • Patent number: 12169562
    Abstract: The present invention relates to a method for avoiding side-channel attacks by providing a variable amount of computation using permutation puzzles. The side-channel attacks depend on the implementation of the encryption algorithms rather than their execution. The method provided in the present invention protects an already existing encryption system or any arbitrary electronic device from side channel attacks by providing a random amount of execution time, random amount of power consumption and/or random electromagnetic emissions for different iterations of the corresponding operation.
    Type: Grant
    Filed: October 14, 2021
    Date of Patent: December 17, 2024
    Assignee: RA CYBER SECURITY INCORPORATED
    Inventor: Paritosh Roy
  • Patent number: 12166869
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.
    Type: Grant
    Filed: August 3, 2023
    Date of Patent: December 10, 2024
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 12151647
    Abstract: The present invention provides a technology capable of performing control such that ranging is performed more reliably in a mobile object and a portable device which is a regular communication partner. Provided is a communication device mounted on a mobile object including an acquisition unit configured to acquire a ranging trigger signal for starting measurement of a distance between the communication device and a portable device carried by a person and a communication control unit configured not to start ranging communication for measurement of the distance based on a fact that first specific information defined in advance and necessary for determination of the mobile object does not match second specific information included in the acquired ranging trigger signal and necessary for determination of the mobile object.
    Type: Grant
    Filed: March 18, 2022
    Date of Patent: November 26, 2024
    Assignee: KABUSHIKI KAISHA TOKAI RIKA DENKI SEISAKUSHO
    Inventor: Yosuke Ohashi
  • Patent number: 12147581
    Abstract: Enabling a web browser extension to perform an asynchronous blocking operation by configuring the web browser to receive from a web browser extension an extension-provided callback function and an indicator, where the extension-provided callback function is configured to perform an asynchronous blocking operation, where the indicator indicates that the extension callback function relates to an asynchronous blocking operation, where the extension-provided callback function is configured to receive a web-browser-provided callback function as a parameter of the extension-provided callback function, and where the extension-provided callback function is configured to call the web-browser-provided callback function after performing the asynchronous blocking operation, and configuring the web browser to call the extension-provided callback function with the web-browser-provided callback function as a parameter of the extension-provided callback function call if the indicator indicates that the extension callback fun
    Type: Grant
    Filed: December 14, 2022
    Date of Patent: November 19, 2024
    Assignee: ISLAND TECHNOLOGY INC.
    Inventors: San Golan, Liron Zuaretes, Dan Amiga
  • Patent number: 12143820
    Abstract: A method performed by a wireless device (12) for use in a wireless communication system (10). The method comprises: receiving (W2100) signaling (22) indicating how the wireless device (12) is to generate a message authentication code, MAC, (20) for integrity protecting a Radio Resource Control, RRC, message (18) that requests resumption of an RRC connection; generating (W2110) the MAC according to the signaling; and transmitting (W2120) the RRC message and the generated MAC. Further methods, wireless devices, network nodes, computer programs, carriers and a communication system are also disclosed.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: November 12, 2024
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Icaro Leonardo Da Silva, Prajwol Kumar Nakarmi, Gunnar Mildh, Magnus Stattin
  • Patent number: 12143504
    Abstract: The present disclosure provides generally for systems and methods of authenticating one or more aspects of electronic communication. According to the present disclosure, authenticable communications may allow for authentication of at least a portion of the content of the electronic communication, which may limit potential damage caused by fraudulent communications. In some aspects, an authenticable communication may allow a recipient to confirm that the indicated source is the actual source of the authenticable communication. In some embodiments, the authentication may not require an exchange of encrypted communications or an exchange of communications solely within the same communication system. Authenticable communications may provide a separate layer of security that may allow a recipient to review the contents with confidence that the communication is not fraudulent. Further, authenticable communications may provide the additional security without requiring specialized software.
    Type: Grant
    Filed: September 21, 2023
    Date of Patent: November 12, 2024
    Inventors: Benjamin Finke, Christopher Freedman
  • Patent number: 12143282
    Abstract: A method and an electronic device for managing network resources among application traffic are provided. The method comprises identifying a real time application that is running on the electronic device and consuming network resources, determining whether the real time application belongs to a prioritized class, based on the real time application belonging to the prioritized class, determining a User Identifier (UID) of the real time application, and prioritizing the network resources for the real time application based on the UID.
    Type: Grant
    Filed: August 26, 2022
    Date of Patent: November 12, 2024
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Madhan Raj Kanagarathinam, Gunjan Kumar Choudhary, Sunghee Lee, Sujith Rengan Jayaseelan, Sri Vinod Palacharla, Mritunjay Gupta, Ratnakar Rao Venkata Rayavarapu, Prakash Rao, Ramanathan Palaniappan, Siva Sabareesh, Jayendra Reddy Kovvuri, Mohan Rao Goli
  • Patent number: 12124557
    Abstract: A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.
    Type: Grant
    Filed: October 27, 2023
    Date of Patent: October 22, 2024
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: William L. Lattin, Jimmy R. Upton
  • Patent number: 12086129
    Abstract: Data is handled in a distributed computing environment comprising at least one server and a plurality of clients comprising at least a first client and a second client. The first client sends a first request for data to the second client, receives a first response from the second client as a response to the first request, determines a probability of validity of the data requested based on a validity indication included in the first response indicating a probability that the data requested from the second client is invalid. The first client determines that the data requested by the first request and available from the second client is likely invalid, sends a second request to the server to obtain the data from the server and receives the data from the server.
    Type: Grant
    Filed: October 3, 2023
    Date of Patent: September 10, 2024
    Assignee: Amadeus S.A.S.
    Inventor: Philippe François Georges Gentric
  • Patent number: 12089288
    Abstract: A method for a system includes receiving with a first transceiver of a first smart device, an advertisement signal from a stationary beacon, outputting with the first transceiver of the first smart device, a first ephemeral ID that is not permanently associated with the first smart device, to the stationary beacon, receiving with the first transceiver of the first smart device, a beacon identifier from a stationary beacon, outputting with a second transceiver of the first smart device, the first ephemeral ID, a first user identifier and the beacon identifier to an authentication service, storing in an association log in the authentication service, the first ephemeral ID, the first user identifier and the beacon identifier, and storing in a beacon log in the authentication service, a log of the stationary beacon including the first ephemeral ID.
    Type: Grant
    Filed: March 24, 2023
    Date of Patent: September 10, 2024
    Assignee: Ouraring, Inc.
    Inventors: Denis Mars, Simon Ratner
  • Patent number: 12061715
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for processing confidential data and confidential programs while providing mutual security to the data and programs. A method includes receiving, from a first system, customer energy data, including data representing energy consumption by a customer; receiving, from a second system, program data representing one or more programs for processing the customer energy data; executing the programs with the customer energy data as input to produce output that includes estimated energy consumption data, while providing security for the program data from access by the first system and any third party and while providing security for the customer energy data and the estimated energy consumption data from access by the second system and any third party; and providing the estimated energy consumption data as output (i) to the first system or (ii) to the customer or (iii) both.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: August 13, 2024
    Assignee: X Development LLC
    Inventors: Joel Fraser Atwater, Peter Light
  • Patent number: 12056141
    Abstract: Various embodiments provide a tracing system or a tracing method that enables an installed software application to be launched with relevant data regarding a user's activity on the client device before installation of the software application. A tracing system of an embodiment may comprise one or more of a server including a database, a web page module configured to be integrated in a website, and an application module configured to be integrated in a software application.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: August 6, 2024
    Assignee: Snap Inc.
    Inventor: Nir Daube
  • Patent number: 12034870
    Abstract: Provided is a method for securely diversifying a generic application stored in a secure processor of a terminal, said method comprising: Generating at the request of a manager application hosted in an application processor of said terminal, at the level of a distant server, a server challenge; Sending said server challenge to said application; Generating a first message at said application, said first message being a function of said server challenge, an application challenge and a unique identifier of said application; Sending said first message to a Root-Of-Trust service hosted in a secure processor of said terminal, said Root-of-Trust service generating an attestation of said first message, said attestation guaranteeing that said first message has not been modified and originates from said secure processor; and Transmitting said attestation of said first message to said distant server in an enablement request message.
    Type: Grant
    Filed: December 23, 2020
    Date of Patent: July 9, 2024
    Assignee: THALES DIS FRANCE SAS
    Inventors: Guillaume Phan, Emmanuel Lepavec, Nicolas Vienne, Olivier Poncelet, Evangelos Spyropoulos
  • Patent number: 12028443
    Abstract: Various systems and methods for establishing security profiles for Internet of Things (IoT) devices and trusted platforms, including in OCF specification device deployments, are discussed herein. In an example, a technique for onboarding a subject device for use with a security profile, includes: receiving a request to perform an owner transfer method of a device associated with a device platform; verifying attestation evidence associated with the subject device, the attestation evidence being signed by a certificate produced using a manufacturer-embedded key, with the key provided from a trusted hardware component of the device platform; and performing device provisioning of the subject device, based on the attestation evidence, as the device provisioning causes the subject device to use a security profile tied to manufacturer-embedded keys.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: July 2, 2024
    Assignee: Intel Corporation
    Inventors: Eduardo Cabre, Nathan Heldt-Sheller, Ned M. Smith
  • Patent number: 12026772
    Abstract: The disclosed embodiments provide systems and methods for managing a loan application. In one embodiment, a method is disclosed that may include identifying one or more unfulfilled conditions associated with a loan application of a customer and sending, to a customer device, a request for a loan application document based on the identified one or more unfulfilled conditions. The method may also include receiving, from the customer device, a responsive loan application document. The method may also include identifying a document type for the responsive loan application document and confirming that the responsive loan application document is a valid document. Finally, the method may also include sending loan application status information to the customer device based on the confirmation.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: July 2, 2024
    Assignee: Capital One Services, LLC
    Inventors: Mitchell H. Ruebush, Stephen Payne
  • Patent number: 12026290
    Abstract: In general, embodiments of the present disclosure provide methods, apparatus, systems, computer program products, computing devices, and computing entities for modifying a design of a hardware IP. According to one embodiment, a method is provided, the method including generating a control and data flow graph (CDFG) representation for portions of the design. The method further includes partitioning the CDFG representation into a set of partitioned sub-graphs. The method further includes, for each partitioned sub-graph, generating a merged sub-graph to form a set of merged sub-graphs. Generating the merged sub-graph for each partitioned sub-graph involves generating a container sub-graph and merging the container sub-graph with the partitioned sub-graph to form the merged sub-graph. The container sub-graph may be a modification of the partitioned sub-graph with respect to an identified feature, in some examples.
    Type: Grant
    Filed: January 31, 2022
    Date of Patent: July 2, 2024
    Assignee: University of Florida Research Foundation, Incorporated
    Inventors: Swarup Bhunia, Abdulrahman Alaql
  • Patent number: 11983301
    Abstract: Systems and methods to implement virtual contactless traffic stops. The systems and methods utilize mobile devices or other computer technology commonly carried by law enforcement officers and civilians for other purposes, and use the imaging and communication capabilities of these devices to authenticate digital copies of legal documents pertaining to the civilian, connect a civilian device and a law enforcement officer device during a traffic stop to facilitate digital document exchange, and to provide for remote interaction during the traffic stop, such as by use of video or text chat.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: May 14, 2024
    Assignee: Redlin Collective Holdings LLC
    Inventor: Nicole Faren Clines
  • Patent number: 11985104
    Abstract: An electronic messaging system and method with reduced traceability by separation of display of a media component of message content and header information. An electronic message having an identifier of a recipient and a message content including an image media component is received at a server from a sending user device at which a display for associating the media component with the electronic message is provided without displaying the identifier of a recipient with the media component such that a single screen capture of the identifier of a recipient and the media component is prevented. The electronic message including an identifier of a sending user is transmitted to a recipient user device at which a display presenting the media component is provided without displaying the identifier of a sending user such that a single screen capture of both the identifier of a sending user and the media component is prevented.
    Type: Grant
    Filed: May 1, 2023
    Date of Patent: May 14, 2024
    Assignee: Vaporstream, Inc.
    Inventors: Joseph Collins, Amit Jindas Shah
  • Patent number: 11978043
    Abstract: The invention comprises a solution for securing an output (UTXO) in a single blockchain (e.g. Bitcoin) transaction (TX) so that it can only be unlocked by an authorised party at an allowed time, and in accordance with external data supplied to the transaction's locking script. The invention may comprise two steps which are implemented within a redeem script provided within the UTXO's locking script: 1) Calculation of a time-related value (which we will call Tsupplied) using the external data provided; and 2) use of the calculated Tsupplied value in a time lock technique to ensure that unlocking occurs at a pre-determined time. The invention allows external data to be introduced into the time lock control of a transaction on the blockchain. It also includes a technique for combining absolute and relative time locks (e.g. CLTV and CSV as known in the Bitcoin protocol).
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: May 7, 2024
    Assignee: nChain Licensing AG
    Inventor: Craig Steven Wright
  • Patent number: 11936773
    Abstract: An encryption key management method includes: receiving a data registration request from a supplier terminal, determining a data identifier associated with the content data, encrypting a master key with a public key of the supplier terminal, and providing the supplier terminal with the master key encrypted with the public key of the supplier terminal, the data identifier, and a key update count value; receiving a subscription application related to the data identifier from a first subscriber terminal, encrypting the master key with a public key of the first subscriber terminal, and providing the first subscriber terminal with the master key encrypted with the public key of the first subscriber terminal and the key update count value; receiving encrypted content data encrypted with the symmetric key and a hash for the content data from the supplier terminal; and transmitting the encrypted content data and the hash to the first subscriber terminal.
    Type: Grant
    Filed: November 18, 2021
    Date of Patent: March 19, 2024
    Assignee: Penta Security Inc.
    Inventors: Jin Hyeok Oh, Sang Jun Lee, Myong Cheol Lim, Sang Gyoo Sim, Duk Soo Kim, Seok Woo Lee
  • Patent number: 11934533
    Abstract: The disclosure is directed towards the detection of supply chain-related security threats to software applications. One method includes identifying differences between updated source code and previous source code. The updated source code corresponds to an updated version of an application. The previous source code corresponds to a previous version of the application. A risk score is determined for the updated version. The risk score is based on a machine learning (ML) risk model. The ML risk model analyzes the differences between the updated source code and the previous source code. A value of the risk score corresponds to potential security threats that are associated with the updated version. The potential security threats are not associated with the previous version of the application. The risk score is provided to interested parties.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: March 19, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Oron Golan, Adir Atias, Aviad Pines, Aviram Fireberger
  • Patent number: 11909859
    Abstract: Access to blockchain data may be removed by deleting an encryption key held in a remote server. Incoming data is stored in the blockchain after being encrypted at the key server. An ordinary blockchain user gains access to the data, after forwarding the encrypted data to the remote key server for decryption. Upon receipt of an input (e.g., time stamp), the key server deletes the key. Thereafter, the encrypted data on the blockchain is rendered inaccessible to the ordinary blockchain data user. At no point does the ordinary data user have access to the key stored in the remote server. Embodiments may find particular use in removing access to personal data stored in a blockchain following the elapse of a predetermined amount of time, as may be required by privacy laws. Granular control over data access can be afforded through the use of composite keys and/or key hierarchies.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: February 20, 2024
    Assignee: SAP SE
    Inventor: Jan Schrage
  • Patent number: 11900378
    Abstract: Methods and systems for providing merchant in-context checkout are described. A user is authenticated based on credentials received from a first application running on a computing device. An authentication code is provided to the first application. A signed verifier and the authentication code is then received from a second application running on the computing device. The authentication code and the signed verifier received from the second application are then validated, and a device token is provided to the second application upon validation. The device token is exchangeable by the second application for an access token that is usable for making payment calls from the second application.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: February 13, 2024
    Assignee: PAYPAL, INC.
    Inventors: Darshan Desai, Kishore Jaladi
  • Patent number: 11882102
    Abstract: A base key that is stored at a device may be received. A network identification may further be received. A device identification key may be generated based on a combination of the network identification and the base key. Furthermore, the device identification key may be used to authenticate the device with a network that corresponds to the network identification.
    Type: Grant
    Filed: May 3, 2021
    Date of Patent: January 23, 2024
    Assignee: Cryptography Research, Inc.
    Inventors: Philippe Alain Martineau, Ambuj Kumar, William Craig Rawlings
  • Patent number: 11876917
    Abstract: An interface element connected to a device and a security die-chip are fabricated in a single package. The security die-chip may provide a security authentication function to the interface element that does not have the security authentication function. The security die-chip may include a physically unclonable function (PUF) to provide a private key, and a hardware security module to perform encryption and decryption using the private key.
    Type: Grant
    Filed: February 25, 2021
    Date of Patent: January 16, 2024
    Assignees: ICTK Holdings Co., Ltd., IUCF-HYU (Industry-University Cooperation Foundation Hanyang University)
    Inventors: Dong Kyue Kim, Byong Deok Choi, Kwang Hyun Jee
  • Patent number: 11860999
    Abstract: A TPM with programmable fuses in an SOC includes an on-die RAM storing a blown-fuse count and a TPM state including a PIN-attempt-failure count and a fuse count, read from off-die NV memory. During initialization, if the blown-fuse count is greater than TPM state fuse count, TPM state PIN-attempt-failure count is incremented, thereby thwarting a replay attack. A PIN is received for access, and if the TPM state PIN-attempt-failure count satisfies a policy, a fuse is blown and the blown-fuse count incremented. If the fuse blow fails, TPM activity is halted. If the fuse blow succeeds and the PIN is correct, the TPM state PIN-attempt-failure count is cleared, but if the PIN is incorrect the TPM state PIN-attempt-failure count is incremented. TPM state fuse count is set equal to the blown-fuse count, and the TPM state is saved to off-die NV memory.
    Type: Grant
    Filed: March 31, 2021
    Date of Patent: January 2, 2024
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Ling Tony Chen, Felix Domke, Ankur Choudhary, Bradley Joseph Litterell
  • Patent number: 11861372
    Abstract: Examples disclosed herein relate to using an integrity manifest certificate to verify the state of a platform. A device identity of a device that has the device identity provisioned and stored in a security co-processor is used to retrieve an integrity proof from the security co-processor. The device includes at least one processing element, at least one memory device, and a bus including at least one bus device, and wherein the device identity is associated with a device identity certificate signed by a first authority. The integrity proof includes a representation of each of a plurality of hardware components including the at least one processing element, the at least one memory device, the at least one bus device, and a system board and a representation of a plurality of firmware components included in the device. The integrity proof is provided to a certification station.
    Type: Grant
    Filed: May 16, 2022
    Date of Patent: January 2, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Nigel John Edwards, Thomas M. Laffey
  • Patent number: 11847220
    Abstract: There is disclosed in one example a hardware computing platform, including: a processor; a memory; a network interface; and a security module, including instructions to cause the processor to: receive a request to download a file via the network interface; download a first portion of the file into a buffer of the memory; analyze the first portion for malware characteristics; assign a security classification to the file according to the analysis of the first portion; and act on the security classification.
    Type: Grant
    Filed: February 5, 2021
    Date of Patent: December 19, 2023
    Assignee: McAfee, LLC
    Inventors: Abhishek Tripathi, Mayur Arvind Bhole, Nithya Nadig Shikarpur, Tirumaleswar Reddy Konda, Mayank Bhatnagar
  • Patent number: 11838420
    Abstract: A method to participate in a blockchain-implemented token distribution process is disclosed. The token distribution process divides an initial quantity of tokens at an input address associated with an input node into a plurality of sub-quantities and uses a mixer node to distribute the sub-quantities to multiple output addresses associated with respective output nodes using a blockchain. The token distribution process utilizes a hierarchical token distribution scheme to recruit the mixer node. The hierarchical token distribution scheme involves a first commitment channel (Ui → Uij) for a first transaction between the upstream node and a recruited mixer node (Uij), and for each of the plurality of downstream nodes, a second commitment channel (Uij → Uijk) for a second transaction between the mixer node and a selected downstream node, wherein an unlocking script for the first transaction is derived from an unlocking script for any one of the second transactions.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: December 5, 2023
    Assignee: nChain Licensing AG
    Inventor: Daniel Joseph
  • Patent number: 11829345
    Abstract: Data is handled in a distributed computing environment comprising at least one server and a plurality of clients comprising at least a first client and a second client. The first client sends a first request for data to the second client, receives a first response from the second client as a response to the first request, and determines a probability of validity of the data requested based on a validity indication included in the first response indicating a probability that the data requested from the second client is invalid. The first client determines that the data requested by the first request and available from the second client is likely invalid, sends a second request to the server to obtain the data from the server and receives the data from the server.
    Type: Grant
    Filed: March 4, 2020
    Date of Patent: November 28, 2023
    Assignee: Amadeus S.A.S.
    Inventor: Philippe François Georges Gentric
  • Patent number: 11831781
    Abstract: A device includes a first memory circuit and a processing circuit. The first memory circuit is configured to store first hash data. The processing circuit is coupled to the first memory circuit. The processing circuit is configured to: at least based on a volume of the device, define a size of a distinguishable identification (ID) and a size of second hash data; based on a combination of at least one bit of each of the distinguishable ID and IDs of the device, generate the second hash data; and compare the first hash data with the second hash data, in order to identify whether the device is tampered. A method is also disclosed herein.
    Type: Grant
    Filed: March 25, 2021
    Date of Patent: November 28, 2023
    Assignee: TAIWAN SEMICONDUCTOR MANUFACTURING CO., LTD.
    Inventors: Haohua Zhou, Sandeep Kumar Goel
  • Patent number: 11816130
    Abstract: In a computing system, data is ingested into a primary row of shards in a stamp data structure. The stamp data structure includes a primary row of data shards and a set of replica rows of data shards so the data shards are arranged in rows and columns in the stamp structure. The ingested data is replicated from the primary row into the replica rows of data shards. Each of the data shards, in each row, is evaluated to identify a particular data shard in each column of shards to generate a logical row of data shards. Queries against the data shards are serviced from the logical row of data shards. The system dynamically controls expansion and contraction of the number of data shards in a row and of the number of replica rows.
    Type: Grant
    Filed: October 4, 2021
    Date of Patent: November 14, 2023
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Ahmed Hassan Mohamed
  • Patent number: 11809543
    Abstract: A computer implemented method for validating software is provided. The method includes generating a first check value, by a remote computing device, based on a unique value and software of the remote computing device, outputting the first check value and the unique value from the remote computing device to a secure data repository, obtaining, by a secure computing device, an authentic copy of the software of the remote computing device, obtaining, by the secure computing device, the unique value and the first check value from the secure data repository, computing, by the secure computing device, a second check value based on the authentic copy of the software for the remote computing device and the unique value, and determining, by the secure computing device, whether the remote computing device has authentic software based on a comparison of the obtained first check value and the second check value.
    Type: Grant
    Filed: October 18, 2021
    Date of Patent: November 7, 2023
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: William L. Lattin, Jimmy R. Upton
  • Patent number: 11811739
    Abstract: Systems and methods for providing access to online content while also securing user confidential information are presented. User confidential information (e.g., user phone number or e-mail address) may be used to authenticate and authorize a client device to access online resources, such as microservices exposed via application programming interfaces (APIs). With the techniques described herein, such user confidential information is protected both in transit over a network connection and while at rest in storage on the client device. This is achieved through the use of an encrypted access token (e.g., a JSON Web Encryption (JWE) token) including the user confidential information in an encrypted form. The client device receives such encrypted access token from an identity provider (IDP) and passes it to a resource server API to access the microservices associated with the API, without the client device decrypting the user confidential information contained therein.
    Type: Grant
    Filed: January 6, 2021
    Date of Patent: November 7, 2023
    Assignee: T-Mobile USA, Inc.
    Inventor: Julianne Fryer
  • Patent number: 11804960
    Abstract: Systems and methods for improved distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess a secret share and a verification share, which may be used in the process of encrypting or decrypting data. The client computer may generate a commitment and transmit the commitment to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitment and their respective secret share, and likewise generate a partial signature based on the commitment and their respective verification share. The partial computations and partial signatures may be transmitted to the client computer. The client computer may use the partial computations and partial signatures to generate a cryptographic key and verification signature respectively. The client computer may use the cryptographic key to encrypt or decrypt a message.
    Type: Grant
    Filed: July 25, 2022
    Date of Patent: October 31, 2023
    Assignee: Visa International Service Association
    Inventors: Pratyay Mukherjee, Shashank Agrawal, Peter Rindal, Atul Luykx, Wei Dai
  • Patent number: 11799662
    Abstract: In one embodiment, an apparatus includes a storage element, and a processing element configured to verify an asymmetric digital signature in order to authenticate a data item signed with the asymmetric digital signature, upon successful verification of the asymmetric digital signature, generate a symmetric MAC of the data item and store the symmetric MAC in the storage element, and retrieve and verify the symmetric MAC in order to authenticate the data item.
    Type: Grant
    Filed: February 15, 2021
    Date of Patent: October 24, 2023
    Assignee: SONY SEMICONDUCTOR SOLUTIONS CORPORATION
    Inventors: Boaz Shahar, Yehuda Ben Simon, Avishay Sharaga
  • Patent number: 11790055
    Abstract: This application discloses a Docker container based application licensing method, apparatus, device and medium, wherein the method includes identifying a Docker container which is in a startup state, obtaining an image file of the Docker container and obtaining a license file of the Docker container from the image file, and determining whether the Docker container is authorized to be licensed according to the license file. Thus, a problem is solved that a controllable protection cannot be done for a software provider due to replication and abuse of authorization.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: October 17, 2023
    Assignee: BOE TECHNOLOGY GROUP CO., LTD.
    Inventor: Xinquan Yan
  • Patent number: 11775177
    Abstract: An apparatus (4) comprises memory access circuitry (12) to control access to data stored in a memory; and memory integrity checking circuitry (20) to verify integrity of data stored in the memory, using an integrity tree (26) in which the association between parent and child nodes is provided by a pointer. This helps to reduce the memory footprint of the tree.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: October 3, 2023
    Assignee: Arm Limited
    Inventors: Yuval Elad, Roberto Avanzi, Jason Parker
  • Patent number: 11736283
    Abstract: A module with an embedded universal integrated circuit card (eUICC) can include a received eUICC profile and a set of cryptographic algorithms. The received eUICC profile can include an initial shared secret key for authentication with a wireless network. The module can receive a key K network token and send a key K module token to the wireless network. The module can use the key K network token, a derived module private key, and a key derivation function to derive a secret shared network key K that supports communication with the wireless network. The wireless network can use the received key K module token, a network private key, and the key derivation function in order to derive the same secret shared network key K derived by the module. The module and the wireless network can subsequently use the mutually derived key K to communicate using traditional wireless network standards.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: August 22, 2023
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 11687550
    Abstract: A system converts the data of data objects stored in a DDOS from one data format to another while the system is live and available to process requests for access to the data objects being converted. This process does not require taking the DDOS offline and also does not require locking a data object for the entire conversion of the data object.
    Type: Grant
    Filed: June 16, 2022
    Date of Patent: June 27, 2023
    Assignee: DROPBOX INC.
    Inventors: Ashish Gandhi, Renjish Abraham, Kevin Farrell
  • Patent number: 11689561
    Abstract: Various embodiments discussed herein enable the detection of malicious content. Some embodiments do this by determining a similarity score between content, computer objects, or indications (e.g., vectors, file hashes, file signatures, code, etc.) known to be malicious and other content (e.g., unknown files) or indications based on feature weighting. Over various training stages, certain feature characteristics for each labeled malicious content or indication can be learned. For example, for a first malware family of computer objects, the most prominent feature may be a particular URL, whereas other features change considerably for different iterations of the first malware family of computer objects. Consequently, the particular URL can be weighted to determine a particular output classification corresponding to malicious behavior.
    Type: Grant
    Filed: March 17, 2020
    Date of Patent: June 27, 2023
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Christian Seifert, Jack Wilson Stokes, III, Kristian Holsheimer