Abstract: A data center operator is authenticated to obtain requested access to a data center by an approval mechanism on the data center that receives an access request that includes authentication information. The authentication information includes a smart card thumb print which comprises a value that uniquely identifies the smart card based on a private key generated within the smart card. The approval mechanism identifies access policies corresponding to the unique smart card identifier.

Abstract: Disclosed are a carrier configuration processing method, device and system, and computer storage medium. The method comprises: acquiring, by an embedded universal integrated circuit card (eUICC), a carrier configuration transmitted by a subscription management platform; and assembling, by the eUICC and in an allocated storage space, an executable application and file system according to the acquired carrier configuration.

Abstract: Systems and methods are included for causing a computing device to implement a management policy prior to a user logging into an operating system on initial boot. As part of initial boot, the computing device contacts a management server for enrollment. Installation of the operating system is paused while the management server synchronizes the software and policies on the computing device. To do this prior to login, the management server can create a temporary user account to associate with the computing device and apply a default management policy. After the installation is complete, an installed management agent can gather user inputs made during login. The management agent can send these inputs to the management server for use in creating an actual user account to associate with the computing device.

Abstract: Systems and methods are disclosed for secure transmission of computer server event notifications, including receiving a topic subscription request from a partner, registering the partner topic subscription request, obtaining a new computer server event to report, determining a subscribed partner subscribed to computer server events of a same type as the new computer server event, transmitting an event notification to the subscribed partner, and registering the event notification.

Abstract: Updating boot components in compliance with a chain of trust by loading a boot component update forming part of the chain of trust during a boot process in an execution environment. Boot component measurements are detected and stored as a revised set of attestation values for retrieval by an attestation system. Performing the boot component update upon determining a pass indication for the chain of trust including the boot component update.

Abstract: A method for execution by one or more processing modules of one or more computing devices of a dispersed storage network (DSN). The method begins by receiving a portion of a data stream from a requesting entity for storage in a plurality of storage vaults. The method continues by encoding the portion of the data stream in accordance with dispersal parameters of the storage vault to produce a corresponding plurality of sets of encoded data slices. The method continues by facilitating storage of the corresponding plurality of sets of encoded data slices in the storage vault. The method continues by determining an ingestion rate capability level for the plurality of storage vaults and issuing stream pacing information to the requesting entity based on the ingestion rate capability level.

Abstract: A processor device has an executable implementation of the cryptographic algorithm DES implemented with an XOR linkage operation at the round exit and an implemented computation step S arranged to map expanded right input values r? as computation step entry values x=r? onto exit values s=S[x]. The computation step S is implemented as a key-dependent computation step further comprises a key linkage operation for linking input values of the round with key values of the round derived directly or indirectly from the key. The computation step S is implemented as a combined key-dependent computation step T which further comprises: a permutation operation P associated with the round, arranged to be applied to exit values s of the computation step S and to supply the exit values s of the computation step in permutated form to the XOR linkage operation at the round exit.

Abstract: For remediation of security incidents occurring in a network, forensic data which is collected from devices connected to a network is analyzed. A security incident is detected based on the analysis of the forensic data. Based on detecting the security incident, a source which is affected by the security data is identified based, at least in part, on attributes of the forensic data. The affected source is isolated from the network. Information about the affected source in association with an indication of the security incident and an indication of the isolating is stored.

Abstract: A encrypted text wildcard search method enables wildcard search of encrypted text by using a permuterm index storing permuted keyword strings that are encrypted using an order preserving encryption algorithm. The permuted keyword strings are encrypted using an order preserving encryption algorithm or a modular order preserving encryption algorithm and stored in the permuterm index. In response to a search query containing a wildcard search term, the encrypted text wildcard search method transforms the wildcard search term to a permuted search term having a prefix search format. The permuted search term having the prefix search format is then used to perform a range query of the permuterm index to retrieve permuted keyword strings having ciphertext values that fall within the range query. In some embodiments, the encrypted text wildcard search method enables prefix search, suffix search, inner-wildcard search, substring search and multiple wildcard search of encrypted text.

Abstract: A subscription request initiated by a blockchain node associated with a first blockchain is received by a cross-blockchain interaction end, where the subscription request includes a subscription condition. A message that satisfies the subscription condition is obtained by the cross-blockchain interaction end and from a publishing client that corresponds to a second blockchain. The message is sent to a subscribing client that corresponds to the blockchain node a from the cross-blockchain interaction end, where the blockchain node calls a first smart contract associated with the first blockchain to trigger a corresponding contract operation based on the message.

Abstract: Recent location and control information received from “lead” vehicles that traveled over a segment of land, sea, or air is captured to inform, via aggregated data, subsequent “trailing” vehicles that travel over that same segment of land, sea, or air. The aggregated data may provide the trailing vehicles with annotated road information that identifies obstacles. In some embodiments, at least some sensor control data may be provided to the subsequent vehicles to assist those vehicles in identifying the obstacles and/or performing other tasks. Besides, obstacles, the location and control information may enable determining areas traveled by vehicles that are not included in conventional maps, as well as vehicle actions associated with particular locations, such as places where vehicles park or make other maneuvers.

Abstract: An approach is provided for generating a customized, cloud-based data collection tool for collecting data from computer resources of a target system. In an embodiment, the method comprises: receiving a request to perform a data collection from one or more target computer resources; wherein the request includes one or more requirements that are specific to the data collection; based on, at least in part, the requirements, generating a customization specification for generating a customized collector that is specific to the data collection to be performed on the target computer resources; and transmitting the customization specification to a deployment engine to cause the deployment engine to: based on, at least in part, the customization specification, generate the customized collector that is specific to the data collection to be performed on the target computer resources; and transmit the customized collector, for generating the customized collector, to a cloud storage for storing.

Abstract: A cryptographic hardware accelerator identifies a mapped input bit sequence by applying a mapping transformation to an input bit sequence retrieved from memory and represented by a first element of a finite-prime field. The mapped input bit sequence is represented by a first element of a composite field. The accelerator identifies a mapped first key by applying the mapping transformation to an input key represented by a second element of the finite-prime field. The mapped first key is represented by the second element. The accelerator performs, within the composite field, a cryptographic round on the mapped input bit sequence using the mapped first key during a first round of the at least one cryptographic round, to generate a processed bit sequence. The accelerator identifies an output bit sequence to be stored back in the finite-prime field by applying an inverse mapping transformation to the processed bit sequence.

Abstract: Systems, devices, apparatuses, and methods for providing tokenization as a service are provided. Embodiments of the invention involve decoupling “tokenization service” from other services offered by a merchant service provider, and offering the tokenization service as a stand alone service. In accordance with an embodiment, a merchant service provider can receive payment data associated with a transaction between a consumer and a first entity. The merchant service provider can generate a payment token that represents the payment data and transmit a copy of the payment token to the first entity. The first entity can then transmit the payment token and order information to a second entity specified in the transaction. The merchant service provider can subsequently receive a request to complete the transaction from the second entity. The request can include the copy of the payment token from the second entity.

Abstract: Methods, devices and systems are disclosed for inter-app communications between software applications on a mobile communications device. In one aspect, a computer-readable medium on a mobile computing device comprising an inter-application communication data structure to facilitate transitioning and distributing data between software applications in a shared app group for an operating system of the mobile computing device includes a scheme field of the data structure providing a scheme id associated with a target software app to transition to from a source software app, wherein the scheme id is listed on a scheme list stored with the source software app; and a payload field of the data structure providing data and/or an identification where to access data in a shared file system accessible to the software applications in the shared app group, wherein the payload field is encrypted.

Abstract: A distributed security method is implemented in a processing node of a distributed security system comprising one or more processing nodes and one or more authority nodes, wherein the distributed security system is located external to a network edge of an enterprise and external from one of a computer device and a mobile device associated with a user. The distributed security method includes obtaining security policy data associated with the user and the enterprise from an authority node; monitoring data communications between the user, the enterprise, and the Internet in a processing node; and controlling the data communications between the user, the enterprise, and the Internet based on the monitoring to provide security measures between the user, the enterprise, and the Internet.

Abstract: Systems and methods are provided for automatic operation detection on protected fields. A data model configuration can be used to specify which attributes of a data model used by a cloud-based application are protected by a data security provider monitoring communications between the application and a client device. A determination can be made automatically which operations of the cloud-based application are supported for protected fields. The cloud-based application can be configured to enable/disable certain features, such as validators, auto complete, search operators, etc. according to whether the attributes are protected fields.

Abstract: The disclosure relates to systems and methods for defining a processor safety privilege level for controlling a distributed memory access protection system. More specifically, a safety hypervisor function for accessing a bus in a computer processing system includes a module, such as a Computer Processing Unit (CPU) or a Direct Memory Access (DMA) for accessing a system memory and a memory unit for storing a safety code, such as a Processor Status Word (PSW) or a configuration register (DMA (REG)). The module allocates the safety code to a processing transaction and the safety code is visible upon access of the bus by the module.

Abstract: Methods, computer systems, and computer storage media are provided for providing a third-party user HIPAA-compliant access to an electronic medical record system at a clinical site. A request for a clinical study participant list is received from the third-party user, and it is determined that the third-party user has viewing and access rights with respect to the clinical study participant list. The third-party user can select a participant on the clinical study participant list and access the participant's electronic medical record within the electronic medical record system. The electronic medical record is presented to the third-party user in a read-only view, and the third-party user is prevented from searching the EMR system for other electronic medical records.

Abstract: A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable device can be authenticated before programming to verify the device is a valid device produced by a silicon vendor. The target payload can be programmed into the programmable device and linked with an authorized manufacturer. The programmable device can be verified after programming the target payload by verifying the silicon vendor and the authorized manufacturer.

Abstract: A method of erasing a cloud host in a cloud-computing environment includes: receiving a cloud host secure erasing request; generating an erase instruction according to the request; and sending the erase instruction to a secure erasing server, such that the secure erasing server calls a secure erasing daemon process on the corresponding host machine according to the erase instruction, and erases the cloud host to be erased on the host machine via the secure erasing daemon process.

Abstract: A data storage device utilized for confirming firmware data includes a flash memory and a controller. The controller is coupled to the flash memory to receive at least one first hash data related to a first firmware data, and it divides the first hash data into a plurality of data groups. The controller sorts the data groups based on a predetermined sorting mechanism to generate a first sorting hash data. The controller includes an efuse region for writing the predetermined sorting mechanism. When the controller determines that a second sorting hash data of a second firmware data is identical to the first sorting hash data or a second hash data of the second firmware data is identical to the first hash data, the second firmware data is allowed to update the controller.

Abstract: Technologies for defeating secure enclave side-channel attacks include a computing device having a processor with secure enclave support. The computing device instruments an executable binary with multiple gadgets, a fault-generating function, and at least one invocation of the fault-generating function. The computing device executes the instrumented executable binary within a secure enclave. During execution of the instrumented binary, each gadget may be located at a different memory page of the secure enclave. The computing device invokes the fault-generating function, which selects a random sequence of the gadgets and executes the random sequence of gadgets. The processor may generate a page fault in response to executing each of the gadgets. Each gadget may generate one or more data accesses to memory pages within the secure enclave. The processor may generate a page fault in response to each of the data accesses. Other embodiments are described and claimed.

Abstract: An individual data unit for enhancing the security of a user data record is provided that includes a processor and a memory configured to store data. The individual data unit is associated with a network and the memory is in communication with the processor. The memory has instructions stored thereon which, when read and executed by the processor cause the individual data unit to perform basic operations only. The basic operations include communicating securely with computing devices, computer systems, and a central user data server. Moreover, the basic operations include receiving a user data record, storing the user data record, retrieving the user data record, and transmitting the user data record. The individual data unit can be located in a geographic location associated with the user which can be different than the geographic locations of the computer systems and the central user data server.

Abstract: In one example, the patient data hub includes a housing, a first network interface disposed within the housing, a second network interface disposed within the housing, a first controller coupled to the first network interface and a second controller coupled to the second network interface. The first controller is configured to receive sensitive patient data via the first network interface and to transmit the sensitive patient data to the second controller. The second controller is configured to receive the sensitive patient data from the first controller, to secure the sensitive patient data according to a security standard to provide secured sensitive patient data, and to store the secured sensitive patient data in a data storage device.

Abstract: Disclosed are various examples for validating a public SSH host key. The examples can be implemented in a hyper-converged computing environment to detect potential man-in-the-middle attacks in which an attacker intercepts or spoofs an internet protocol (IP) address of a target virtual machine (VM) that is being addressed by a management service and with which a secure shell (SSH) session is being established.

Abstract: A method, a computer readable medium, and a client device are disclosed, which create multiple profiles to mitigate profiling of the client device on a network. The method includes generating a request on the client device, the request including a uniform resource locator (URL) indicating a source hosting content; forwarding the request to a profile generation application on the client device, the profile generation application configured to generate a plurality of requests for the request, and wherein only one request of the plurality of requests has system information pertaining to the client device; and sending the plurality of requests to the network to retrieve the content hosted on the source.

Abstract: Various embodiments are generally directed to an apparatus, method, and other techniques to provide direct-memory access, memory-mapped input-output, and/or other memory transactions between devices designated for use by an enclave and the enclave itself. A secure device address map may be configured to map addresses for the enslave device and the enclave, and a register filter component may grant access to the enclave device to the enclave.

Abstract: In a method for enabling support for backwards compatibility in a User Domain, in one of a Rights Issuer (RI) and a Local Rights Manager (LRM), a Rights Object Encryption Key (REK) and encrypted REK are received from an entity that generated a User Domain Authorization for the one of the RI and the LRM and the REK is used to generate a User Domain Rights Object (RO) that includes the User Domain Authorization and the encrypted REK.

Abstract: Technologies for secure memory usage include a computing device having a processor that includes a memory encryption engine and a memory device coupled to the processor. The processor supports multiple processor usages, such as secure enclaves, system management firmware, and a virtual machine monitor. The memory encryption engine is configured to protect a memory region stored in the memory device for a processor usage. The memory encryption engine restricts access to one or more configuration registers to a trusted code base of the processor usage. The processor executes the processor usage and the memory encryption engine protects contents of the memory region during execution. The memory encryption engine may access integrity metadata based on the address of the protected memory region. The memory encryption engine may prepare top-level counter metadata for entering a low-power state. Other embodiments are described and claimed.

Abstract: A system for securely provided content to a user hides the identity of the user and/or the content from an outside observer by utilizing a plurality of virtual private networks (VPNs) and virtual machines (VMs) to obfuscate transmission sources. A key is used to generate and control access to a first VPN between a user device and a server that has access to the content. Once the first VPN is generated, user device and server could communicate securely to generate unique VMs having distinct identifiers from the user device and the server, and a second VPN could be generated between the two newly generated VMs. Once content has been provided to the user device via its VM, the content session could end and all the secure infrastructure could be deconstructed.

Abstract: Disclosed embodiments relate to systems and methods for distributed transmission of divisible and reconstructible data among network resources. Techniques include identifying data to be securely transmitted across a network to a receiving network resource; applying a splitting scheme to form one or more data portions; obtaining a unique session identifier; selecting a distribution scheme; accessing one or more cryptographic keys; encrypting one or more data portions to form a plurality of corresponding encrypted blocks; transmitting, according to the selected distribution scheme, the one or more of the plurality of encrypted blocks to one or more of the constituent network nodes, en route to the receiving network resource. The receiving network resource may be configured to, upon obtaining the one or more data portions, and with reference to the unique session identifier, combine and validate the one or more data portions.

Abstract: After receiving a qualification acquisition request sent by an end-user device, a service platform can return a block generation rule to the end-user device, instead of returning the block generation rule only when a predetermined moment arrives. Even if the end-user device sends the qualification acquisition request to the service platform before the predetermined moment, the service platform still returns the block generation rule. The service platform can separate, in terms of time, users who participate in obtaining service qualification, so that some users can obtain the block generation rule before the predetermined moment, and then participate in a service based on the obtained block generation rule when the predetermined moment arrives. Access pressure faced by the service platform when the predetermined moment arrives is relieved, and normal running of the service platform after the predetermined moment arrives is ensured.

Abstract: An anonymized biometric representation of a target individual is used in a computer based security system. A detailed input biometric signal associated with a target individual is obtained. A weakened biometric representation of the detailed biometric signal is constructed such that the weakened biometric representation is designed to identify a plurality of individuals including the target individual. The target individual is enrolled in a data store associated with the computer based security system wherein the weakened biometric representation is included in a record for the target individual. In another aspect of the invention, a detailed input biometric signal from a screening candidate individual is obtained. The detailed biometric signal of the screening candidate is matched against the weakened biometric representation included in the record for the target individual.

Abstract: An electronic device is provided. The electronic device includes a memory configured to store an application and first unique information of the application, and at least one processor operatively connected with the memory. The at least one processor is configured to divide code of the application into a plurality of segments, select at least one segment among the plurality of segments, create second unique information in relation to the at least one segment, compare the first unique information and the second unique information, and determine whether the code of the application has been tampered with, based on a result of the comparison of the first unique information and the second unique information.

Abstract: Controlling execution of software is provided. In response to receiving an input to execute a software module on a data processing system, a set of measurements are performed on the software module performing a process to prepare the software module for execution on the data processing system. In response to determining that the set of measurements meets a predetermined criterion, an authorization to proceed with the process of preparing the software module for execution on the data processing system is requested from a trusted third party computer. In response to receiving the authorization to proceed with the process of preparing the software module for execution on the data processing system from the trusted third party computer, the software module is executed.

Abstract: A method and apparatus for retrieving data from a memory in which data, an associated message authentication code (MAC) and an associated error correction code (ECC) are stored in a memory such that the data, MAC and ECC can be retrieved together in a single read transaction and written in a single write transaction. Additional read transactions may be used to retrieve counters values that enable the retrieved MAC to be compared with a computed MAC. Still further, node value values of an integrity tree may also be retrieved to enable hash values of the integrity tree to be verified. The MAC and ECC may be stored in a metadata region of a memory module, for example.

Abstract: The presently disclosed method and apparatus for sharing security metadata memory space proposes a technique to allow metadata sharing two different encryption techniques. A section of memory encrypted using a first type of encryption and having first security metadata associated therewith is converted to a section of memory encrypted using a second type of encryption and having second security metadata associated therewith. At least a portion of said first security metadata shares a memory space with at least a portion of said second security metadata for a same section of memory.

Abstract: Encryption interface technologies are described. A processor can include a system agent, an encryption interface, and a memory controller. The system agent can communicate data with a hardware functional block. The encryption interface can be coupled between the system agent and a memory controller. The encryption interface can receive a plaintext request from the system agent, encrypt the plaintext request to obtain an encrypted request, and communicate the encrypted request to the memory controller. The memory controller can communicate the encrypted request to a main memory of the computing device.

Abstract: A method and a user device (110) for authentication of the user device (110) as well as a method and an authenticator device (120) for authentication of the user device (110) are disclosed. The user device (110) generates (A030) a one-time password. The user device (110) sends (A040), to an authenticator device (120), the one-time password as an acoustic signal, wherein the acoustic signal comprises a frequency within an ultrasound range or an infrasound range. The authenticator device (120) receives (A050), from the user device (110), the one-time password. The authenticator device (120) validates (A060) the one-time password.

Abstract: Embodiments of the present disclosure disclose a method and apparatus for detecting a side channel attack. An embodiment of the method comprises: clearing data in a state save area of a target enclave; sequentially executing an instruction sequence in the target enclave; acquiring data in the state save area; and in response to determining that the acquired data in the state save area indicates that an asynchronous enclave exit with a cause of exception exit happens to the target enclave, determining that the side-channel attack to the target enclave exists. The embodiment implements detecting a side channel attack to the enclave without additional hardware.

Abstract: A flexible video-on-demand viewing period is varied depending on whether the customer has completed viewing the entire program, allowing the viewing period to be extended if the customer has not completed viewing the entire program. The approach better assures the customer that they will have the opportunity to complete viewing the entire program, compared to a fixed rental period, while assuring program copyright owners that the utility of the rental is limited, fundamentally as intended, preserving the future value of the asset. The approach also enables viewers to retain bookmarks as needed for content that is not naturally tied to a rental period, such as subscription video-on-demand, without unnecessarily enlarging their list of active rentals.

Abstract: A data processing apparatus is provided which uses flag circuitry (174) to set an access tracking flag (SFPA) to a first value when the processing circuitry (154) enters a secure mode in association with a function call and to switch the access tracking flag to a second value upon detection of a first access of at least one type to predetermined state data, such as floating point register data, by processing circuitry operating in the secure mode in association with that function call. This access tracking flag may then be used in association with a lazy-protection program instruction (VLSTM) and a lazy-load program instruction (VLLDM) to control whether or not push operations of the state data and restore operations of the state data are performed in order to prevent access in the non-secure mode to that state data.

Abstract: Embodiments relate to inserting a preamble code as a preamble of a sub-frame of encrypted data to indicate rekeying is to be performed at a source device and to indicate data of the sub-frame and subsequent sub-frames is encrypted. A sink device authenticates a source device using an authentication and encryption protocol. The sink device receives a data stream including audio data. At least a portion of the received audio data is encrypted and the encrypted audio data is packetized into sub-frames. The sink device inserts a first preamble code as a preamble of a sub-frame to indicate rekeying is to be performed at the source device according to the authentication and encryption protocol, and to indicate that the audio data in a payload of the sub-frame and payloads of subsequent sub-frames is encrypted. The sink device transmits the packet to the source device via a first data link.

Abstract: Herein are methods and systems for automated assessment of user devices and associated data, and granting access to wireless networks based on the assessment. For example, the systems and methods assess a user request for access to a wireless network at an access point, and automatically determine the type of access to be granted based on at least a loyalty score associated with the user. The automatic assessment can be used to encourage customer loyalty as well as to manage limited network resources.

Abstract: Herein are methods and systems for automated assessment of user devices and associated data, and granting access to wireless networks based on the assessment. For example, the systems and methods assess a user request for access to a wireless network at an access point, and automatically determine the type of access to be granted based on at least a loyalty score associated with the user. The automatic assessment can be used to encourage customer loyalty as well as to manage limited network resources.

Abstract: A secure interaction method includes receiving, by a processor, a secure processing request sent by an application program, where the application program operates in a normal mode, and the processor operates in the normal mode when receiving the secure processing request, switching, by the processor, from the normal mode to a secure mode according to the secure processing request, reading, by the processor operating in the secure mode, data information into a memory operating in the secure mode, where the data information is data that the processor operating in the secure mode generates after parsing the secure processing request, and controlling, by the processor operating in the secure mode, an accessed device to operate according to the data information stored in the memory operating in the secure mode.

Abstract: A method for verifying information of a first data item in a plurality of different data items stored on a server includes a) generating a hash tree, b) computing an authentication path for the first data item based on a recomputation of the hash tree, wherein an authentication path includes all siblings of tree nodes from the first data item to a root of the hash tree, c) recomputing the root-hash based on the first data item and a computed authentication path of the first data item and comparing the recomputed root-hash with the root-hash of the hash-tree of step a), d) determining a side element in leaves or a tree level above of the hash tree and its authentication path, and e) verifying the authentication path of the side element.

Abstract: The present invention provides a method for authenticating distributed peripherals on a computer network using an array of physically unclonable functions (PUF). As each PUF is unique, each PUF is able to generate a plurality of challenge response pairs that are unique to that PUF. The integrated circuits of the PUF comprise a plurality of cells, where a parameter (such as a voltage) of each cell may be measured (possibly averaged over many readings). The plurality of cells in the PUF may be arranged in a one, two or more dimensional matrix. A protocol based on an addressable PUF generator (APG) allows the protection of a network having distributed peripherals such as Internet of things (IoT), smart phones, lap top and desk top computers, or ID cards. This protection does not require the storage of a database of passwords, or secret keys. and thereby is immune to traditional database hacking attacks.

Abstract: A memory system includes an interface, a non-volatile memory and a controller. The interface is configured to communicate over an unsecured communication link with an external host. The non-volatile memory is pre-programmed with a device identifier and a corresponding initialization key that are additionally stored in a database that resides externally to the memory system, and is securely accessible by the host. The controller is configured to send the device identifier to the host, to receive from the host, via the interface, binding information that was generated in the host, to generate, using at least the received binding information and the pre-programmed initialization key, a first binding key that matches a second binding key that is generated in the host based on an initialization key securely obtained by the host from the database, and to securely communicate with the host over the communication link using the first binding key.