Data Processing Protection Using Cryptography Patents (Class 713/189)
  • Patent number: 11796972
    Abstract: An on-demand production system for accessories for use with electronic devices is configured to generate digital templates defining the design of the accessories and provide the digital templates to retail or other locations. The retail or other locations may receive access to the digital templates automatically and/or electronically within a week, a day, or even minutes, of the digital template being created. When a customer requests an accessory, the digital template may be accessed. Using an electronic production machine and a supply of stock material, the accessory can be cut, formed, printed, or otherwise produced based on instructions or designs of the digital template. The electronic production machine may automatically read the digital template to automate the production at a retail location. The electronic production machine may produce the accessory on-demand, and production of the accessory may be completed within two hours, or potentially within ten minutes, of a request.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: October 24, 2023
    Assignee: ZAGG Inc
    Inventor: Randall Hales
  • Patent number: 11792190
    Abstract: The implementations provide a method and an apparatus for establishing a trusted cluster. The method is used to form a trusted computing cluster by using N trusted computing units, the method including: grouping the N trusted computing units into a plurality of groups; identifying a first trusted computing unit in each group, and causing first trusted computing units in the plurality of groups to each respectively perform inter-unit trust authentication with other trusted computing units in a same group in parallel; performing inter-group trust authentication between/among the plurality of groups in parallel to obtain the N trusted computing units on which trust authentication succeeds; and propagating secret information in the N trusted computing units on which trust authentication succeeds, so that the N trusted computing units obtain the same secret information to form the trusted computing cluster.
    Type: Grant
    Filed: November 16, 2021
    Date of Patent: October 17, 2023
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Qunshan Huang, Xingyu Chen, Ling Xie, Lei Wang
  • Patent number: 11789621
    Abstract: Summarizing the invention, a computer-implemented method is provided. The computer-implemented method comprises: allocating, by an operating system kernel, a physical memory block for a privileged function; storing, by the operating system kernel, the privileged function in the physical memory block; creating, by the operating system kernel, an entry for the physical memory block in a mapping table, wherein the entry associates the physical memory block to a virtual memory block in an address space of a program; setting, by the operating system kernel, a security bit for the entry in the mapping table; executing, by a processor, the program in unprivileged mode; and if the program requests the privileged function: checking, by the processor, whether the security bit is set; if the security bit is set, switching, by the processor, execution to kernel mode for performing the privileged function.
    Type: Grant
    Filed: November 27, 2020
    Date of Patent: October 17, 2023
    Assignee: JOHANNES GUTENBERG-UNIVERSITAT MAINZ
    Inventor: André Brinkmann
  • Patent number: 11792166
    Abstract: A method can be used for generating personalized profile package data for integrated circuit cards. The method includes encrypting data records corresponding to profile data with a respective data protection key thereby obtaining encrypted data records. Each record includes a number of personalization fields to store different types of personalization values. The method also includes encrypting a file for a profile package with a master encryption key thereby obtaining an encrypted file for the profile package. The file includes fields to be personalized corresponding to one or more of the personalization fields to store different types of personalization values. The encrypted file for the profile package and encrypted data records are transmitted to a data preparation entity where the encrypted data records and the encrypted file can be decrypted and combined to obtain personalized profile packages.
    Type: Grant
    Filed: October 18, 2019
    Date of Patent: October 17, 2023
    Assignee: STMicroelectronics S.r.l.
    Inventors: Marco Alfarano, Sofia Massascusa
  • Patent number: 11783042
    Abstract: Resource access control in a system-on-chip (“SoC”) may employ an agent executing on a processor of the SoC and a trust management engine of the SoC. The agent, such as, for example, a high-level operating system or a hypervisor, may be configured to allocate a resource comprising a memory region to an access domain and to load a software image associated with the access domain into the memory region. The trust management engine may be configured to lock the resource against access by any entity other than the access domain, to authenticate the software image associated with the access domain, and to initiate booting of the access domain in response to a successful authentication of the software image associated with the access domain.
    Type: Grant
    Filed: June 17, 2020
    Date of Patent: October 10, 2023
    Assignee: QUALCOMM Incorporated
    Inventors: Steven Halter, Samar Asbe, Miguel Ballesteros, Girish Bhat, Mahadevamurty Nemani
  • Patent number: 11783041
    Abstract: The present disclosure relates to an electronic device, such as a system on chip, that may perform firmware updates based on user consent. The system on chip includes a nonvolatile memory (NVM), a main processor, a security NVM, and a security processor. The nonvolatile memory (NVM) stores first firmware and a user permission indicator. The main processor loads the first firmware to boot a security processor. The security NVM contains first version information. The security processor compares version information of the first firmware to the first version information based on the user permission indicator and executes the first firmware in response to the matching of the comparison result. In some examples, the security processor is implemented on the same chip as the main processor.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: October 10, 2023
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Keunyoung Park, Dongjin Park, Jungtae Kim
  • Patent number: 11785036
    Abstract: Aspects of the disclosure relate to real-time validation of data transmissions based on security profiles. A computing platform may collect, in real-time, information associated with a plurality of data transmissions between applications, where the information may include, for each data transmission, an indication of a source application and a destination application. Then, the computing platform may retrieve, from a repository and for each data transmission, a first security profile associated with the source application, and a second security profile associated with the destination application. The computing platform may then compare, for each data transmission, the first security profile to the second security profile. Subsequently, the computing platform may detect, based on a determination that the first security profile does not match the second security profile, a potentially unauthorized data transmission.
    Type: Grant
    Filed: February 25, 2022
    Date of Patent: October 10, 2023
    Assignee: Bank of America Corporation
    Inventors: George Albero, Guisen Saffel
  • Patent number: 11783648
    Abstract: A server that shares key information to a portable terminal includes processing circuitry configured to deliver the key information to the portable terminal. The key information is associated with an object equipped with a control device, and the control device performs a predetermined control to the object when the control device receives the key information from an external terminal. The key information includes restriction information, where the restriction information sets a restriction content for the predetermined control.
    Type: Grant
    Filed: December 15, 2020
    Date of Patent: October 10, 2023
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventors: Ryuichi Suzuki, Yuki Ito, Hiroyasu Shiokawa, Yasumasa Kobayashi, Naoki Yamamuro, Makoto Akahane
  • Patent number: 11775652
    Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.
    Type: Grant
    Filed: December 10, 2021
    Date of Patent: October 3, 2023
    Assignee: Intel Corporation
    Inventors: Baiju Patel, Prashant Dewan
  • Patent number: 11777740
    Abstract: A method for securely sharing and authenticating a last secret can include splitting a secret into a first split and a second split, the secret comprising a cryptographic element and controlling access to a first key, the secret comprising at least one of a password, a second key, and a tokenized value, and the first key controlling access to a secure computing system, encrypting the first split by an encryption key established between the dealer computing system and the combining computing system, encrypting the second split by the encryption key established between the dealer computing system and the combining computing system, transmitting the encrypted first split to a first share-holder, transmitting the encrypted second split to a second share-holder, designcrypting the encrypted first split, and designcrypting the encrypted second split.
    Type: Grant
    Filed: March 24, 2022
    Date of Patent: October 3, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11775656
    Abstract: Secure multi-party information retrieval is disclosed. One example is a system including a query processor to request secure retrieval of candidate terms similar to a query term. A collection of information processors, where a given information processor receives the request and generates a random permutation. A plurality of data processors, where a given data processor generates clusters of a plurality of terms in a given dataset, where the clusters are based on similarity scores for pairs of terms, and selects a representative term from each cluster. The given information processor determines similarity scores between a secured query term received from the query processor and secured representative terms received from the given data processor, where the secured terms are based on the permutation, and the given data processor filters, without knowledge of the query term, the candidate terms of the plurality of terms based on the determined similarity scores.
    Type: Grant
    Filed: May 1, 2015
    Date of Patent: October 3, 2023
    Assignee: Micro Focus LLC
    Inventors: Mehran Kafai, Hongwei Shang, April Slayden Mitchell
  • Patent number: 11777981
    Abstract: A server system sends, via a linearly ordered communication orbit, to computational machines at a first subset of nodes in a computer network, a set of local environment verification tests and a set of mappings that map results of the local environment verification tests into a set of risk scores. Requests sent by the server system cause the computational machines at the plurality of nodes to: locally evaluate the set of local environment verification tests to produce test results, and locally map the test results using the set of mappings into a set of risk scores. Queries sent by the server cause the computational machines at the plurality of nodes to return to the server system at least a portion of the test results and risk scores. The server identifies, based on the received test results and risk scores, computational machines and/or control categories having risk scores satisfying predefined criteria.
    Type: Grant
    Filed: January 20, 2023
    Date of Patent: October 3, 2023
    Assignee: TANIUM INC.
    Inventors: James B. Hoscheit, Peyton T. Ball, E. Egon Rinderer, John Phillip Ham
  • Patent number: 11768957
    Abstract: Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: September 26, 2023
    Assignee: Bitdefender IPR Management Ltd.
    Inventors: Elena Burceanu, Madalina Bolboceanu, Emanuela Haller, Georgiana M Rosca, Bogdan C Cebere, Radu Titiu
  • Patent number: 11768947
    Abstract: First data from a user device is received on an electronic computing device. The first data is encrypted to generate second data. The second data is fragmented and stored in a plurality of data stores.
    Type: Grant
    Filed: August 20, 2021
    Date of Patent: September 26, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Rameshchandra Bhaskar Ketharaju, Ravi Babu Bandla, Hem Shankar Karlapalem, Sarath Chava, Rama Rao Yadlapalli, Ajay Kumar Rentala, Vamsi Krishna Geda
  • Patent number: 11765239
    Abstract: Technologies disclosed herein provide a method for receiving at a device from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, both the response structure and the request structure each include a same nonce value.
    Type: Grant
    Filed: February 2, 2022
    Date of Patent: September 19, 2023
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Siddhartha Chhabra, Uttam K. Sengupta, Howard C. Herbert
  • Patent number: 11764978
    Abstract: A method and system for certificate management for services in a container orchestrator. The method includes requesting a certificate for a service from a cloud certificate manager, in response to detecting a request from a control plane of the container orchestrator for the certificate for the service, receiving the certificate from the cloud certificate manager, storing the certificate in a secret storage, and returning the location of the secret storage to a requester of the certificate.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: September 19, 2023
    Assignee: Salesforce, Inc.
    Inventors: Savithru Mallikarjuna Durga Lokanath, Vaishnavi Vithal Galgali, Arpeet Kale
  • Patent number: 11762493
    Abstract: The disclosure relates to various data processing terminals capable of operating in different modes each of which is granted with different authorities to access hardware or software elements of the terminals. More particularly, a terminal includes a lock system operating in a lock mode and a main system operating in an unlock mode, and erases an entire or a selected portion of results obtained by running operations in the lock mode, when a terminal switches from a lock mode to an unlock mode with greater access authority. Because potentially malicious computer codes which may be impregnated into such results are erased before switching to an unlock mode, the terminal enhances an integrity and a security of a terminal, and improves privacy of a user by preventing loss or unintended disclosure of private data stored in a terminal.
    Type: Grant
    Filed: August 23, 2017
    Date of Patent: September 19, 2023
    Inventors: Jaelark Jung, Jaekyu Lee, Youngtack Shim
  • Patent number: 11755787
    Abstract: Provided is a system including at least one host application processor and at least one field programmable gate array (FPGA) device coupled to the at least one host application processor via a communication bus, the at least one host application processor is programmed or configured to receive a transaction data record comprising transaction data associated with a payment transaction, transmit the transaction data record to the at least one FPGA device via the communication bus, and receive an encrypted transaction data record from the at least one FPGA device via the communication bus, wherein one or more data fields of the transaction data record are encrypted to generate the encrypted transaction data record. A method and computer program product are also provided.
    Type: Grant
    Filed: July 7, 2022
    Date of Patent: September 12, 2023
    Assignee: Visa International Service Association
    Inventor: Shengfei Gu
  • Patent number: 11755776
    Abstract: There are provided systems and methods for detecting leakage of personal information in computing code configurations. A service provider, such as an electronic transaction processor for digital transactions, may utilize one or more computing systems and architectures to provide services to users. These may utilize applications, decision services, and microservices that invoke different application programming interfaces (APIs). When computing code is provided or changed, use of certain APIs may risk data leakage or misappropriation. Thus, the service provider may utilize an intelligent data processor to determine if these APIs are used in the computing code, and if so, back-trace through the computing code to determine the data objects used in API calls and requests. Thereafter, the service provider may determine whether sensitivity levels of the personal information are impacted by the APIs' use of the personal information and may mask data that may be impacted.
    Type: Grant
    Filed: November 20, 2020
    Date of Patent: September 12, 2023
    Assignee: PAYPAL, INC.
    Inventor: Prabin Patodia
  • Patent number: 11755697
    Abstract: Systems, computer program products, and methods are described herein for secure access control using dynamic resource replication. The present invention is configured to electronically receive, from a computing device of a user, a request to generate a resource access path to access a resource; determine one or more resource requirements associated with the resource; determine an authentication level associated with the user; initiate a resource replication engine on the one or more resource requirements and the authentication level associated with the user; determine, using the resource replication engine, that the one or more requirements and the authentication level associated with the user meet one or more conditions for a replication process; and generate, using the resource replication engine, the resource access path and a plurality of replicate resource access paths.
    Type: Grant
    Filed: January 4, 2021
    Date of Patent: September 12, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Brandon Sloane, Brian Diederich, Levi Weldon McVay
  • Patent number: 11757717
    Abstract: Examples relate to verifying network elements. In one example, a computing device may: receive, from a client device, a request for attestation of a back-end network, the request including back-end configuration requirements; obtain, from a network controller that controls the back-end network, a controller configuration that specifies each network element included in the back-end network; provide each network element included in the back-end network with a request for attestation of a network element configuration of the network element; receive, from each network element, response data that specifies the network element configuration of the network element; verify that the response data received from each network element meets the back-end configuration requirements included in the request for attestation of the back-end network; and provide the client device with data verifying that the back-end network meets the back-end configuration requirements.
    Type: Grant
    Filed: November 28, 2014
    Date of Patent: September 12, 2023
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Ludovic Emmanuel Paul Noel Jacquin, Adrian Shaw, Chris I. Dalton
  • Patent number: 11750372
    Abstract: A BIOS/OS key provisioning system includes an NVMe storage device coupled to a server device via a network. The server device includes an operating system engine and a BIOS engine. Subsequent to a current initialization of the server device and prior to an immediately subsequent initialization of the server device, the BIOS engine retrieves a key from a key storage subsystem and stores the key in a BIOS memory subsystem. When the BIOS engine receives a current key request that identifies the key from the operating system engine and determines that the key stored in the BIOS memory system has not previously been accessed subsequent to the current initialization and prior to the subsequent initialization, it provides the key from the BIOS memory subsystem to the operating system, and prevents the key from being provided from the BIOS memory subsystem in response to any subsequent key request.
    Type: Grant
    Filed: January 7, 2021
    Date of Patent: September 5, 2023
    Assignee: Dell Products L.P.
    Inventors: Wei Liu, Murali Manohar Shanmugam
  • Patent number: 11748297
    Abstract: A hardware encryption module with reconfigurable security algorithms for randomly selecting block ciphers, stream ciphers, and their components, for internet of things (IoT) and data security applications. A corresponding system contains a hardware number generator for generating unique secrets in digital and wireless communication protocols. The system contains a cryptographically secure pseudorandom number generator for creating deterministic random sequences for the reconfigurable logic module. The system contains a multiplexing scheme to send keys and cipher texts in accordance with a wireless communication protocol. The hardware encryption module can be used to reconfigure block cipher algorithms, modes of operation, key scheduling algorithms, confusion functions, and/or round orders, based on reconfigurable logic. One type of reconfigurable logic allows stream cipher algorithms and key mixing keys to be changed at random.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: September 5, 2023
    Assignee: CSUB Auxiliary for Sponsored Programs Administration
    Inventors: Reza Abdolee, Vida Vakilian
  • Patent number: 11749042
    Abstract: The invention is a device, system, and method for access control, including a combination of access control, live video communication, interactive virtual host, internal compound mapping, digital couponing, vacancy information, security system, maintenance requests, and administrative tracking and control.
    Type: Grant
    Filed: June 22, 2022
    Date of Patent: September 5, 2023
    Inventor: Kevin DeMattio
  • Patent number: 11748484
    Abstract: A high assurance kernel executed by a safety certified hypervised system using a separation kernel. The high assurance kernel includes a first level of the separation kernel configured to perform first security features associated with a hypervisor, the first level configured to run on a primary core and a second level of the separation kernel configured to augment the first security features with second security features, the second level implemented on a separate protected component from the primary core, the first level and the second level communicating with one another through a physical separation between the first and second levels. The high assurance kernel may further include a third level of the separation kernel configured as a virtual machine to perform third security features associated with the hypervisor.
    Type: Grant
    Filed: January 21, 2020
    Date of Patent: September 5, 2023
    Assignee: WIND RIVER SYSTEMS, INC.
    Inventor: Arlen Baker
  • Patent number: 11749990
    Abstract: In accordance with aspects of the present invention a distributed energy system edge unit is presented. An edge unit includes a power grid interface; one or more device interfaces; a processing unit coupled to the power grid interface and the one or more device interfaces, the processing unit including a communication state that allows communications with an external entity; a control and monitor state that communicates with the communication state; a check unit state that communicates with the control and monitor state and provides a unit state data; wherein the control and monitor state and the communication state provide an instruction data set, current operating parameters according to the unit state data, the instruction set data, and a characterization parameter data, and wherein the control and monitor state provides control signals to the power grid interface and the one or more device interfaces.
    Type: Grant
    Filed: March 3, 2022
    Date of Patent: September 5, 2023
    Assignee: Sunverge Energy, Inc.
    Inventors: Dean Sanders, Stu Statman
  • Patent number: 11748486
    Abstract: Disclosed herein are embodiments related to security in cloudlet environments. In some embodiments, for example, a computing device (e.g., a cloudlet) may include: a trusted execution environment; a Basic Input/Output System (BIOS) to request a Key Encryption Key (KEK) from the trusted execution environment; and a Self-Encrypting Storage (SES) associated with the KEK; wherein the trusted execution environment is to verify the BIOS and provide the KEK to the BIOS subsequent to verification of the BIOS, and the BIOS is to provide the KEK to the SES to unlock the SES for access by the trusted execution environment.
    Type: Grant
    Filed: October 7, 2021
    Date of Patent: September 5, 2023
    Assignee: Intel Corporation
    Inventors: Yeluri Raghuram, Susanne M. Balle, Nigel Thomas Cook, Kapil Sood
  • Patent number: 11741248
    Abstract: An information security system that includes a data control engine configured to receive a data file and to segment the data file into a set of data blocks that each contain a portion of data from the data file. The data control engine is further configured to associate the set of data blocks with a reference tag and to store an association between the set of data blocks and the reference tag. The data control engine is further configured to identify an access key for encrypting each data block, to encrypt each data block with a corresponding access key, and to store an association between each data block and each corresponding access key. The data control engine is further configured to store each data block in a memory and to store location information identifying the location of each data block in the memory.
    Type: Grant
    Filed: August 20, 2019
    Date of Patent: August 29, 2023
    Assignee: Bank of America Corporation
    Inventors: Manu J. Kurian, Michael R. Young, Jo-Ann Taylor
  • Patent number: 11743055
    Abstract: A method of storing data on target data processing devices, the method comprising: for each target data processing device, using a security data processing device on which first data has been stored to: obtain a device cryptographic certificate from the target data processing device, the device cryptographic certificate having been generated by, and being verifiable as having been generated by, a trusted entity; verify the device cryptographic certificate as having been generated by the trusted entity; generate second data using the first data; and store the second data on the target data processing device.
    Type: Grant
    Filed: April 11, 2018
    Date of Patent: August 29, 2023
    Assignee: Secure Thingz Limited
    Inventors: Haydn Povey, Steve Pancoast, Mike Moreton
  • Patent number: 11741060
    Abstract: Methods, computer program products, computer systems, and the like are disclosed that provide for scalable deduplication in an efficient and effective manner. For example, such methods, computer program products, and computer systems can include receiving a data object at an assigned node, determining whether the data object includes a sub-data object, and processing the sub-data object. The assigned node is a node of a plurality of nodes of a cluster, where the data object includes a data segment, and a signature. The signature is generated based, at least in part, on data of the data segment. The processing includes sending the sub-data object to a remote node. The remote node is another node of the plurality of nodes of the cluster.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: August 29, 2023
    Assignee: Veritas Technologies LLC
    Inventors: Yong Yang, Xianbo Zhang, Weibao Wu, Chao Lei, Yafeng Wang, Haigang Wang, Lulu Wei
  • Patent number: 11741332
    Abstract: A security device includes a covering device that, in response to an input signal, consistently provides a same random output signal that varies according to the microstructure of the covering device, where altering the microstructure of the covering device alters the random output signal, a key generation component that generates a secret key based on the random output signal, and a digital signature component that produces a digital signature of a message received by the security device using the secret key. The covering device surrounds at least a portion of the key generation component and the digital signature component to prevent access thereto and where accessing any of the components alters the microstructure of the covering device to alter the random output signal. The security device may be attached to an object and detaching the security device from the object may alter the microstructure of the covering device.
    Type: Grant
    Filed: January 19, 2021
    Date of Patent: August 29, 2023
    Inventor: Silvio Micali
  • Patent number: 11736632
    Abstract: Embodiments of the present disclosure provide a device monitoring method, an apparatus, a server, and a storage medium. The method includes receiving an authorization code, where the authorization code includes first information; the first information is configured to indicate a first value; and the first value is a maximum quantity of image forming devices capable of being monitored by a device monitoring system which is activated by the authorization code; determining the first value according to the authorization code; and configuring a first parameter value according to the first value, where the first parameter value is configured to record the maximum quantity of image forming devices capable of being monitored. The present disclosure reduces the data processing amount of the server where the device monitoring system is located, improves the monitoring effect of the device monitoring system on the image forming device and improves the user experience.
    Type: Grant
    Filed: March 2, 2022
    Date of Patent: August 22, 2023
    Assignee: ZHUHAI PANTUM ELECTRONICS CO., LTD.
    Inventors: Zhongsong Liu, Guodong Wang, Yuanpei Zhao
  • Patent number: 11726676
    Abstract: A multifunction device includes: a non-volatile memory storing encrypted information, which is information that is encrypted; a TPM for decrypting the encrypted information; and a main board communicating with the non-volatile memory and the TPM. The non-volatile memory and the TPM are attachable to and removable from the main board, as a single body. More specifically, the multifunction device includes: a first sub board which has the non-volatile memory attached thereto and is attachable to and removable from the main board; and a chip board which has the TPM attached thereto and is attachable to and removable from the first sub board.
    Type: Grant
    Filed: February 3, 2021
    Date of Patent: August 15, 2023
    Assignee: Seiko Epson Corporation
    Inventor: Hitoshi Ishida
  • Patent number: 11728929
    Abstract: A method by a network device for detecting data in a data stream. The method includes receiving the data stream, where the data stream includes a sequence of original characters, generating a sequence of type-mapped characters corresponding to the sequence of original characters, converging each of two or more consecutive occurrences of a first character in the sequence of type-mapped characters into a single occurrence of the first character, searching for occurrences of one or more predefined sequences of characters in the sequence of type-mapped characters, and responsive to finding an occurrence of any of the one or more predefined sequences of characters, extracting a sequence of characters in the sequence of original characters corresponding to the occurrence of the predefined sequence of characters found in the sequence of type-mapped characters.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: August 15, 2023
    Assignee: Imperva, Inc.
    Inventor: Itsik Mantin
  • Patent number: 11728978
    Abstract: Some embodiments of the present specification provide a method and an apparatus for establishing a trusted channel between a user and a trusted computing cluster. According to the method, when a user wants to establish a trusted channel with a trusted computing cluster, the user only negotiates a session key with any first trusted computing unit in the cluster to establish the trusted channel. Then, the first trusted computing unit encrypts the session key using a cluster key common to the trusted computing cluster to which the first trusted computing unit belongs, and sends the encrypted session key to a cluster manager. The cluster manager transmits the encrypted session key in the trusted computing cluster, so that other trusted computing units in the cluster obtain the session key and join the trusted channel. Thus, the user establishes a trusted channel with the entire trusted computing cluster.
    Type: Grant
    Filed: August 12, 2021
    Date of Patent: August 15, 2023
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Aihui Zhou, Qunshan Huang, Chaofan Yu, Weiwen Cai, Lei Wang
  • Patent number: 11722525
    Abstract: Techniques and mechanisms for IPsec processing of IPsec packets for routing platforms where IPsec is just one or more features in the middle of data path features on the packet processing path and hence, the typical, simple inline IPsec scheme does not work well for such platforms. The techniques include using a hardware look-up table for packet classification and inbound security association (SA) lookup in one pass with IP 5-tuple plus SPI as the lookup key in the hardware table. The techniques provide an entry match action format and mechanism for deriving inbound SA DRAM addresses that may be used by a hardware (HW)/firmware (FW) crypto/IPsec engine to process inbound packet traffic. A software SA look-up table is also provided to overcome hardware look-up table resource limitations and support more IPsec session scaling than the physical hardware look-up table can handle. Additional techniques are described.
    Type: Grant
    Filed: April 14, 2021
    Date of Patent: August 8, 2023
    Assignee: Cisco Technology, Inc.
    Inventors: Shuxian Lou, Jie Chu, Jonathan Rosen, Douglas Michael Toney, Harikrishnan Pillai, Feng Cao
  • Patent number: 11722619
    Abstract: An image forming apparatus includes a controller configured to, in response to a target portable memory being attached to a port, determine whether the target portable memory is set as a dedicated memory for a storage printing process, based on whether identification information is stored in the target portable memory, when determining that the target portable memory is set as the dedicated memory, cause a user interface to display a first screen configured to receive an instruction to specify a storage destination to store print data in the storage printing process, and when determining that the target portable memory is not set as the dedicated memory, cause the user interface to display a second screen differing depending on whether the port to which the target portable memory has been attached is set as a dedicated port for the storage printing process.
    Type: Grant
    Filed: December 22, 2021
    Date of Patent: August 8, 2023
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventor: Yutaka Urakawa
  • Patent number: 11714604
    Abstract: An embodiment method for determining a carry digit indicator bit of a first binary datum includes a step for processing of the first binary datum masked by a masking operation, and not including any processing step of the first binary datum.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: August 1, 2023
    Assignees: STMICROELECTRONICS (ROUSSET) SAS, STMICROELECTRONICS (GRENOBLE 2) SAS
    Inventors: Rene Peyrard, Fabrice Romain
  • Patent number: 11706032
    Abstract: A method for user authentication according to one embodiment of the present disclosure includes acquiring authentication information including biometric information of a user, generating a random string and a helper string from the biometric information, generating a secret value that corresponds to the authentication information, generating a private key and a public key using the secret value and the random string, and transmitting the public key to an authentication server.
    Type: Grant
    Filed: October 26, 2019
    Date of Patent: July 18, 2023
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Kyu-Young Choi, Hee-Jin Park, Ji-Hoon Cho
  • Patent number: 11704442
    Abstract: There are provided mechanisms for handling instances of a trusted execution environment on an execution platform. The trusted execution environment is associated with a secure cryptoprocessor. The secure cryptoprocessor holds a register. The trusted execution environment is configured to read from and write to the register at a given index i. A method is performed by the trusted execution environment. The method comprises checking, upon start of a new instance of the trusted execution environment, status of the register at the given index i, and wherein, when the register at the given index i has its status set to “undefined”, an internal status value is set to a first value, and else, when a value is read from the register at the given index i, the internal status value is set to a second value based on the read value. The method comprises writing the internal status value to the register at the given index i. The method comprises running the new instance.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: July 18, 2023
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (publ)
    Inventors: Alexander Maximov, Bernard Smeets, Lina Pålsson
  • Patent number: 11704417
    Abstract: Systems, computer program products, and methods are described herein for implementing real-time redaction in a workflow configurable environment. The present invention is configured to electronically receive, from a user input device, a request to load at least one user interface associated with an application; initiate a real-time content redaction engine on contents of the one or more fields associated with the at least one user interface in response to receiving the request, wherein initiating further comprises: parsing one or more embedded structures associated with the one or more fields; identifying private information in the one or more fields based on at least parsing the one or more embedded structures; and masking the private information in the one or more fields; and load the at least one user interface associated with the application in response to masking the private information in the one or more fields.
    Type: Grant
    Filed: October 12, 2021
    Date of Patent: July 18, 2023
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Nagaraju Buddhiraju, Deepali Dadhich, Lekshan Bhathiya Jayasinghe
  • Patent number: 11704291
    Abstract: According to an embodiment, an electronic device comprises at least one processor, and a memory that stores instructions configured to cause the at least one processor to obtain first data associated with original data based on a random number using a first program, obtain first similarity information between the original data and the first data, obtain second data associated with the original data based on the random number using a second program, obtain second similarity information between the original data and the second data, in response to receiving a request, and provide the first program or the second program based on information included in a request that corresponds to a range that includes at least one of the first similarity information or the second similarity information.
    Type: Grant
    Filed: January 22, 2020
    Date of Patent: July 18, 2023
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Junghyun Kim, Yeonghun Nam, Junhyung Park
  • Patent number: 11704254
    Abstract: Various examples are directed to systems and methods for managing a memory system. The memory system may generate a first encrypted physical address using a first clear physical address. The memory system may generate a first encrypted logical-to-physical (L2P) pointer indicating the first logical address and a first encrypted physical address. The memory system may send the first encrypted L2P pointer to a host device for storage at a host memory.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: July 18, 2023
    Assignee: Micron Technology, Inc.
    Inventors: Zoltan Szubbocsev, Alberto Troia, Federico Tiziani
  • Patent number: 11698970
    Abstract: Methods, systems, and devices for double wrapping for verification are described. In some cases, a memory subsystem can receive a firmware image for the memory subsystem where the firmware image is signed with a first signature according to a first signing procedure. The memory subsystem can then verify an integrity of the firmware image based on the first signing procedure. After verifying the integrity of the firmware image, the memory subsystem can then generate a second signature for the firmware image based on a second signing procedure different from the first signing procedure. The memory subsystem can then write the second signature to the firmware image. The memory subsystem can then perform a verification process to verify the integrity of the firmware image based on one or both of the first signing procedure or the second signing procedure.
    Type: Grant
    Filed: December 28, 2021
    Date of Patent: July 11, 2023
    Assignee: Micron Technology, Inc.
    Inventors: Tim Markey, James Ruane, Robert W. Strong
  • Patent number: 11698973
    Abstract: An apparatus to facilitate security within a computing system is disclosed. The apparatus includes a storage drive, a controller, comprising a trusted port having one or more key slots to program one or more cryptographic keys and an encryption engine to receive the cryptographic keys via the one or more key slots, encrypt data written to the storage drive using the cryptographic keys and decrypt data read from the storage drive using the cryptographic keys.
    Type: Grant
    Filed: December 9, 2021
    Date of Patent: July 11, 2023
    Assignee: Intel Corporation
    Inventors: Baiju Patel, Prashant Dewan
  • Patent number: 11698928
    Abstract: Techniques for prioritization of media related to an incident are provided. Confirmed incident related media may be retrieved, the confirmed incident related media having been confirmed as being associated with the incident. Artifacts of interest may be identified in the confirmed incident related media. Presence of the artifacts of interest in a plurality of received media may be determined. The plurality of received media may be prioritized based on the presence of the artifacts of interest.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: July 11, 2023
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Kylene Tanner, Roger Rodriguez, Kyle Hoertsch
  • Patent number: 11698971
    Abstract: One embodiment is a device comprising a controller for verifying a digital signature of a process, a memory for storing an indication from the controller that the digital signature was verified, the indication including at least one symmetric key, and a bootloader for receiving the indication from the memory and performing at least one security check using the at least one symmetric key, wherein the bootloader executes a function of the external process, only when it passes the security check.
    Type: Grant
    Filed: April 15, 2021
    Date of Patent: July 11, 2023
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Ralf Thor, Nagaraja Sundaresh, Francois Vincent, Pradeep Durgam
  • Patent number: 11693969
    Abstract: According to some example embodiments, a method for providing security to a storage device includes receiving, by the storage device, a public key via a network; sending, by the storage device, the received public key and a proposed configuration corresponding to the storage device to a security manager that resides in a control plane of the network; determining, by the security manager, whether the public key received from the storage device matches a private key available to the security manager; downloading, by the security manager, the proposed configuration to the storage device; determining, by the security manager, if the proposed configuration is successfully downloaded to the storage device; operating the storage device according to the downloaded configuration; and granting, by the security manager, a request to lease the storage device operating in the downloaded configuration for a time interval.
    Type: Grant
    Filed: May 13, 2021
    Date of Patent: July 4, 2023
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Sompong Paul Olarig, Wentao Wu, Jason Martineau
  • Patent number: 11689516
    Abstract: In a networked environment, an application executed on a computing device may transmit a distribution rule associated with a resource. The distribution rule can require a key application to be enabled as hardware associated with a client device prior to access to a resource. The application may receive a request for access to the resource by the client device. In an instance in which it is determined that the client device complies with the distribution rule, the application may provide, to the client device, authorization to access the resource.
    Type: Grant
    Filed: November 30, 2020
    Date of Patent: June 27, 2023
    Assignee: VMware, INC.
    Inventor: Erich Stuntebeck
  • Patent number: 11687665
    Abstract: One embodiment provides a computer implemented method, including: receiving, at a service provider from each of a plurality of data owners each having data accessible to the service provider, a privacy budget, wherein the privacy budget identifies a set of privacy requirements to be employed by the service provider on data of the data owner; receiving, at the service provider, a query from a client; receiving, at the service provider from each of at least a subset of the data owners, a response to the query; adding, by the service provider, noise to each of the responses, wherein an amount of noise added to each response is based upon the privacy budget of the data owner corresponding to a given response; and returning, by the service provider to the client, an aggregated response including the responses having added noise.
    Type: Grant
    Filed: December 14, 2020
    Date of Patent: June 27, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Dhinakaran Vinayagamurthy, Sandeep Nishad, Dayama Pankaj Satyanarayan