Abstract: A method for securing data stream processing includes implementing a stage of a data processing pipeline in a trusted execution environment. A state of the stage is represented by a graph-based data structure. Protected memory of the trusted execution environment is reserved for computations of the stage. A key-value store is maintained in the protected memory. The key-value store includes hashes of graph segments of the graph-based data structure for the computations and memory locations of the graph segments. A state part of the computations is moved from the protected memory to unprotected memory. The state part of the computations is loaded back to the protected memory. An integrity of a computation using the state part of the computations is checked using the hashes in the key-value store.

Abstract: An example method of managing a lifecycle of virtualization software in a host is described. The method includes: obtaining, by an initiator in a current version of the virtualization software, a software installation bundle (SIB) from an image repository for a target version of the virtualization software, the SIB including a patcher; verifying, by the initiator, authenticity of the SIB; mounting at least one payload of the SIB in a root filesystem of the virtualization software, and initiating, by the initiator, the patcher in the at least one payload as mounted to perform at least one check operation.

Abstract: In one embodiment, a method for validating a partition of a device communicably coupled to an information handling system includes: determining platform attributes associated with the information handling system; identifying a platform key associated with the information handling system; generating a trusted platform key for the information handling system based on the platform attributes and the platform key; determining partition attributes associated with the partition of the device; generating a storage root key for the partition of the device based on the partition attributes and the trusted platform key; generating a trusted boot signature for the partition of the device based on the trusted platform key and the storage root key; and storing the trusted boot signature in the partition of the device to validate the partition.

Abstract: Some embodiments of the present disclosure relate to a system that may include a replaceable module and a user device. The replaceable module may include an element and a one-wire authentication element in parallel with the element. The user device may be configured for operable coupling with the replaceable module. The user device may include a power source configured to provide power to the element, an authentication unit configured to perform a verification process for verifying authenticity of the replaceable module, and a signal conditioning unit arranged in a communication path between the one-wire authentication element and the authentication unit.

Abstract: A method, system and computer program product for performing computations on sensitive data while guaranteeing privacy. A service provider receives a first and a second ciphertext from a medical provider that homomorphically encrypts matrices A and B, respectively, using an encryption key, where the matrices A and B include medical data encoded as vectors. The service provider performs a homomorphic matrix multiplication on the first and second ciphertexts without decrypting the first and second ciphertexts. An encrypted result from the performed homomorphic matrix multiplication on the first and second ciphertexts is generated and transmitted to the medical provider to decrypt which matches a result of performing a matrix multiplication on unencrypted matrices A and B thereby enabling computations to be performed on the medical data in a secure manner.

Abstract: Systems and methods for protecting secret or secure information involved in generation of ciphered data by circuitry. The circuitry includes data paths and key paths that operate to perform cipher operations to generate a plurality of key shares and a plurality of data shares using a key and data as input. The data and the key may be masked by at least one mask. The plurality of key shares may be generated using the key and a first mask. The plurality of data shares are generated using key shares, the data, and a second mask.

Abstract: A storage device providing a function of securely discarding data and an operating method of the storage device are provided. The storage device includes a safety pin device removably mounted on the storage device, the safety pin device configured to store first encrypted information and second encrypted information, the first encrypted information encrypted using a first key associated with a first user, and the second encrypted information encrypted using a second key associated with a second user, security circuitry configured to, receive the first encrypted information from the safety pin device, decrypt the first encrypted information, and generate a data encryption key based on results of the decrypting the first encrypted information, and a nonvolatile memory configured to store data encrypted with the data encryption key.

Abstract: A master-slave system for communication over a Bluetooth Low Energy connection includes at least one slave device and at least one master device. The slave device and the master device are configured to communicate over the Bluetooth Low Energy connection. The slave device has a communication unit and a processing unit, the processing unit of the slave device being configured to generate a first query message with a header field and a payload field, the processing unit of the slave device being further configured to generate a first identity information item based on a first stored key and to save it as the first information item in the header field, and the communication unit of the slave device being configured to transmit the first query message thus generated to the master device over the Bluetooth Low Energy connection.

Abstract: An example computing device includes a communication device, an input device, a storage device, firmware stored in the storage device, and a processor. The processor is to: in response to receiving a set of credentials, transmit a request to a server via the communication device, where the request includes the set of credentials and identification information of the computing device; receive a temporary password and expiration information of the temporary password from the server via the communication device; replace a password of the firmware with the temporary password; in response to receiving the temporary password via the input device, determine if the temporary password is valid based on the expiration information; and in response to a determination that the temporary password is valid, provide access to the firmware.

Abstract: An information handling system may include a processor, non-transitory computer readable media communicatively coupled to the processor and having stored thereon a primary operating system of the information handling system and a secondary operating system of the information handling system, and a basic input/output system communicatively coupled to the processor and having provisioned thereon a signed signature of the secondary operating system signed with a private key of a public-private key pair and a public key of the public-private key pair. The basic input/output system is configured to, responsive to a determination to boot to the secondary operating system in lieu of booting to the primary operating system of the information handling system verify the secondary operating system using the signed signature of the secondary operating system and the public key and responsive to verifying the secondary operating system, allow the information handling system to boot to the secondary operating system.

Abstract: Devices and techniques for host accelerated operations in managed NAND devices are described herein. A host logical-to-physical (L2P) table of the NAND device has an associated map. Entries in the map correspond to one or more logical addresses (LA) and indicate whether the host L2P table is current for those LAs. If the table is not current, then a request will bypass the host L2P table, using a standard device L2P lookup instead. Otherwise, the host L2P table can be used.

Abstract: Systems and techniques described herein are concerned with providing supervisory control of computer programs. In particular, a method for executing application code defining a computer program includes providing a “kill switch” to the operator, which allows the operator to disable the computer program. The kill switch is configured so that the computer program is incapable of over-riding it.

Abstract: Aspects of the subject disclosure may include, for example, a processing system including a processor with a memory that stores executable instructions that, when executed by the processing system, facilitate performance of operations, the operations including: receiving an identity bridge file comprising records from a service provider, wherein each record includes one or more encrypted service identifiers for a customer, a customer location code of the customer, and an address location code of the customer; determining whether a tokenized identifier exists in a cross-reference table; responsive to a determination that the tokenized identifier does not exist in the cross-reference table: a) generating a new tokenized identifier; and b) adding a record to the cross-reference table comprising the new tokenized identifier, the customer location code, the address location code, and the one or more encrypted service identifiers; securing a usage record of a data usage log, wherein the usage record includes a uniq

Abstract: An abstract enclave identity is presented. An abstract identity may be a secure identity that may be the same for multiple related, but not identical, enclave instantiations. An enclave identity value may be determined from an abstract enclave identity type with respect to a instantiated enclave. Various enclave operations may be performed with an abstract identity, such as sealing data to an abstract identity, incrementing a monotonic counter, making trusted time measurement.

Abstract: The present disclosure is directed to systems and methods for deploying a prototype of a user interface. For example, the method may include providing a single sign-on process over a communications network for enabling a user to access a design environment. The method may also include providing the design environment to the user for designing the UI. The method may also include deploying, via the design environment, the prototype of the UI to an instance from among a plurality of instances. Each of the plurality of instances may be associated with a different stage in a development process for designing the UI. Deploying the prototype of the UI may include transitioning the prototype of the UI from a first stage to a second stage of the development process.

Abstract: A computer-implemented method for managing access rights to a knowledge graph is provided. The method comprises splitting, for each user system, its respective portion of the knowledge graph into a plurality of knowledge subgraphs, encrypting each of the knowledge subgraphs, and generating a plurality of private summary graphs. The method also comprises maintaining a collaboration graph comprising one vertex per user system and edges representing collaborations between the users, mapping all private subgraphs of all user systems to one public summary graph, each vertex of the public summary graph comprises less data than the related vertex of the related private summary graphs and wherein none of the vertices of the summary graph comprises any encryption or decryption key, and granting access to a selected knowledge subgraph from a first user system to a second user system.

Abstract: Techniques are provided for data management across a persistent memory tier and a file system tier. A block within a persistent memory tier of a node is determined to have up-to-date data compared to a corresponding block within a file system tier of the node. The corresponding block may be marked as a dirty block within the file system tier. Location information of a location of the block within the persistent memory tier is encoded into a container associated with the corresponding block. In response to receiving a read operation, the location information is obtained from the container. The up-to-date data is retrieved from the block within the persistent memory tier using the location information for processing the read operation.

Abstract: A key management system for providing encryption of a disk in a client device is provided. The system comprises a trusted platform module (TPM) having a first fragment of a key, a remote storage having a second fragment of the key, and a processing unit to partially boot instructions relating to the booting of the client device, send a request for validation of the instructions to the TPM, receive the first fragment of a key from the TPM if the validation is successful, send a request for the second fragment of the key along with credentials to access the remote storage. The remote storage verifies the credentials and a network through which the request is received and transmits the second fragment if the verification is successful. The processing unit then combines the first fragment and second fragment of the key to generate an encryption key which is used to complete the booting.

Abstract: A vehicle configuration and activity history tracking system and method. A first vehicle configuration and history blockchain is read from a first node in a vehicle configuration and history blockchain network comprising a plurality of nodes. A second vehicle configuration and history blockchain is read from a second node in the plurality of nodes of the vehicle configuration and history blockchain network. The first vehicle configuration and history blockchain is compared to the second vehicle configuration and history blockchain to determine whether the first vehicle configuration and history blockchain is valid. A new maintenance operation on the vehicle or a new modification of the vehicle is initiated using the first vehicle configuration and history blockchain in response to a determination that the first vehicle configuration and history blockchain is valid.

Abstract: One or more implementations of the present specification provide a method and apparatus for securely entering a trusted execution environment in a hyper-threading scenario. The method can include: in response to that a logical processor running on a physical processor core generates a trusted execution environment entry event through an approach provided by a virtual machine monitor, labeling the logical processor with a state of expecting to enter a trusted execution environment; and in response to determining that all logical processors corresponding to the physical processor core are labeled with the state of expecting to enter a trusted execution environment, separately controlling each one of the logical processors to enter a trusted execution environment built on the physical processor core.

Abstract: A data storage and retrieval system stores a collection of data in which a first portion is encrypted using a first cryptographic key, and comprises a second portion encrypting using a second cryptographic key. The data storage and retrieval system receives a request to query the collection on behalf of a security principal. The request comprises information indicative of the first and second keys. The system confirms the authorization of the security principal to access at least some of the collection of data, and generates intermediate results which comprise the encrypted first and second portions. The system causes the intermediate results to be decrypted using the first and second key information.

Abstract: There is provided a mobile terminal capable of being protected against unauthorized use by a third party without using a dedicated key device. A plurality of mobile terminals are previously registered mutually. When unlocked among them, one mobile terminal communicates with another mobile terminal in a communication range of short-range wireless communications, unlocks the above another mobile terminal, and when out of the communication range, locks it again.

Abstract: A system and method are disclosed for allowing a plurality of augmented and/or virtual reality users to interact with higher dimensional virtual or augmented environment models in which a plurality of objects are placed throughout in a pseudorandom fashion. The placed plurality of objects are subsequently assigned values either in a predetermined or real time manner. The system and method enable security countermeasures, thereby protecting the higher dimensional environmental model from malicious users.

Abstract: A mobile device includes a biological information detecting device and a wireless communication interface. The mobile device uploads the biological characteristic to the server. The server generates a token that corresponds to the biological characteristic and transmits the token to the mobile device. The mobile device transmits the token to the verification terminal device. The verification terminal device can confirm the identity of the user by verifying the token. This modularizes the process of identity verification, replacing the verification process of applications that need to verify identity, so that these applications do not need to bear the cost of identity verification after interfacing with the identity verification system.

Abstract: According to one embodiment, a feature amount management apparatus includes a data generation unit, an ID generation unit, a storage unit, and a deletion unit. The data generation unit generates, from an image, feature amount data indicating a feature amount of biometric information of a person. The ID generation unit generates identification information including expiration date information used for determining an expiration date of the feature amount data. The storage unit stores the feature amount data in correlation with the identification information. The deletion unit deletes the feature amount data when the feature amount data pass the expiration date.

Abstract: In general, this disclosure describes scalable, partitionable encryption engines. The partitionable encryption engines of this disclosure yield power savings, such as by controlling operation of partitioned sub-datapaths at reduced clock rates. An apparatus includes an interface configured to receive a block of encrypted data for decryption, and a decryption engine in communication with the interface. The decryption engine includes a plurality of decryption sub-datapaths, where each respective decryption sub-datapath has no data interdependency with any other decryption sub-datapath of the plurality of decryption sub-datapaths. The decryption engine is configured to selectively enable one or more decryption sub-datapaths of the plurality of decryption sub-datapaths to decrypt the block of encrypted data to form a decrypted block of data.

Abstract: Aspects of the present invention disclose a method for encoding and transmitting access codes of a network to a computing device that is attempting to access the network. The method includes one or more processors identifying an audio command received by a first computing device. The method further includes generating a sound waveform that includes an access code of an access point, by encoding the access code into the sound waveform. The method further includes defining a sound power level of the sound waveform. The method further includes transmitting the sound waveform. The method further includes determining whether a second computing device receives the access code that is encoded in the sound waveform.

Abstract: Examples are disclosed for remote management of a computing device. In some examples, a secure communication link may be established between a network input/output device for a computing device and a remote management application. Commands may be received from the remote management application and management functions may be implemented at the network input/output device. Implementation of the management functions may enable the remote management application to manage or control at least some operating parameters of the computing device. Other examples are described and claimed.

Abstract: Disclosed and described herein are systems, methods and computer program products providing elastic data privacy-compliant healthcare analytics that enables privacy certification on a case-by-case basis.

Abstract: A system and method for detecting replay attacks on secure data are disclosed. A system on a chip (SOC) includes a security processor. Blocks of data corresponding to sensitive information are stored in off-chip memory. The security processor uses an integrity data structure, such as an integrity tree, for the blocks. The intermediate nodes of the integrity tree use nonces which have been generated independent of any value within a corresponding block. By using only the nonces to generate tags in the root at the top layer stored in on-chip memory and the nodes of the intermediate layers stored in off-chip memory, an amount of storage used is reduced for supporting the integrity tree. When the security processor detects events which create access requests for one or more blocks, the security processor uses the integrity tree to verify a replay attack has not occurred and corrupted data.

Abstract: Disclosed techniques relate to caching tenant encryption keys for a multi-tenant database. In some embodiments, a computing system encrypts data for a database in a multi-tenant database system using encryption keys assigned to respective tenants that are using the database. The computing system may store the encryption keys in a cache and, in response to a key rotation request for a first tenant, invalidate an entry in the cache for the first encryption key of the first tenant. The computing system may block writes for the first tenant until a new key is cached (e.g., based on retrieval from a key management system). In various embodiments, disclosed techniques may reduce encryption latency.

Abstract: A computer-implemented method and system for encrypting an executable of a computer software for installation using a distributed hash table and a peer-to-peer distributed ledger. This may be the Bitcoin blockchain or an alternative implementation. The method may include determining a generator value.

Abstract: A method includes a computing device of a storage network dispersed storage error encoding a plurality of data segments to produce a plurality of sets of encoded data slices. The method further includes the computing device obfuscating a first set of encoded data slices of the plurality of sets of encoded data slices using an obfuscating method to produce a first set of obfuscated encoded data slices. The method further includes the computing device outputting the first set of obfuscated encoded data slices for storage in the storage network.

Abstract: Systems and methods for entitlement tracking and control with blockchain technology are provided. A server node may receive usage information indicating usage of a licensed component by a remote device. The server node may generate a datablock that includes the usage information and append the datablock to a blockchain. The server node may acquire, from the blockchain, a license smart contract. The license smart contract may include control logic to control access to the license component. The server node may control access to the license component by the remote device based on the usage information and the control logic.

Abstract: An apparatus for security management based on event correlation in a distributed multi-layered cloud environment is disclosed, wherein the distributed multi-layered cloud environment comprises at least one first layer cloud service provider, and at least one second layer cloud service provider as a tenant of the first layer cloud service provider, and the apparatus is installed at least on one cloud service provider of the first layer cloud service provider and the second layer cloud service provider, the apparatus comprising: a central processing module configured to: provide correlation as a Service (CORRaaS) to a plurality of tenants as virtualized security appliances or virtualized security functions for the plurality of tenants's lices, generate a second interface for allowing the plurality of tenants to configure the correlation as a Service (CORRaaS), and correlate and process security events from security functions in the plurality of tenants' slices to form processed security event data, and to detec

Abstract: An always-listening-capable computing device is disclosed, comprising: a first electronic sensor configured to receive user input, a second electronic sensor configured to receive a signal indicating that a user depressed a physical button, a gate-keeping module implemented by a processor, wherein data from the first electronic sensor passes through the gate-keeping module while a gatekeeping function is disabled, no data from the first electronic sensor passes through the communications module while the gatekeeping function is enabled, all data input to the gate-keeping module is received via an exclusive input lead from the first electronic sensor, and all data output from the gate-keeping module is transmitted via an exclusive output lead to a component other than the first electronic sensor. The device receives the signal indicating that the user has depressed the physical button; and enables or disables a functionality of a second computing device.

Abstract: A key management device for data encryption/decryption is provided. The key management device includes a static random access memory (SRAM), a register, an arbitration circuit, and a control circuit. The arbitration circuit is electrically connected to an encryption/decryption device having a plurality of encryption/decryption circuits. There is a bypass channel between each encryption/decryption circuit and the arbitration circuit. The control circuit arranges a key lookup table in the SRAM or the register, and manages a key database including the SRAM and a one-time programmable memory. The key lookup table includes a key number and metadata of each key stored in the key database. In response to the control circuit retrieving a specific key corresponding to a specific key number indicated by a key read command, the control circuit directly transmits the retrieved specific key to the corresponding encryption/decryption circuit through the corresponding bypass channel.

Abstract: A method for performing adaptive locking range management, an associated data storage device and a controller thereof are provided. The method may include: receiving a security command from outside of the data storage device, wherein the security command is related to changing an old locking range into a new locking range; obtaining a start Logical Block Address (LBA) and a length value of the new locking range according to the security command; determining whether the start LBA of the new locking range is less than an end LBA of the old locking range, and determining whether an end LBA of the new locking range is greater than a start LBA of the old locking range; and in response to both determination results being true, performing data trimming on any respective non-overlapped portions of the new locking range and the old locking range.

Abstract: A security data processing device comprising a processor and memory, the processor configured to: receive a script comprising at least one instruction set for provisioning a type of programmable device, the instruction set(s) defining one or more cryptographic operations, each of the cryptographic operations referring to a parameter; store the script in memory; verify a signature associated with the script using an authorization key retrieved from memory; receive a programming request from a programming module of a programming machine in communication with said processor, said programming request requesting the programming of a programmable device and identifying an instruction set of the instruction set(s) in said script; for each cryptographic operation in the identified instruction set, determine a value for the parameter and perform the cryptographic operation using the value; and in response to performing each cryptographic operation, output programming information to the programming module for programmi

Abstract: A cryptographic device (100) arranged to compute a target block cipher (Bt) on an input message (110), the device comprising a first and second block cipher unit (121, 122) arranged to compute the target block cipher (Bt) on the input message, and a first control unit (130) arranged to take the first block cipher result and the second block cipher result as input, and to produces the first block cipher result only if the block cipher results are equal.

Abstract: A method for providing access to a communication includes generating a timed key table in device nonvolatile memory, storing archival copies of the timed key table within enterprise environments, encrypting a master secret with the currently applicable key of the timed key table, generating an encrypted timed key table by encrypting the timed key table with a public key, sending data on an encrypted session from a communication device to a server over a network, sending the encrypted master secret and encrypted timed key table from the communication device over the network, decrypting the encrypted timed key table with a private key, decrypting the encrypted master secret sent from the communication device using at least a subset of an unencrypted timed key table to obtain the master secret, and decrypting the encrypted data sent from the communication device using the unencrypted master secret.

Abstract: Disclosed herein are methods, systems, and apparatus, for securely executing smart contract operations in a trusted execution environment (TEE). One of the methods includes establishing, by a key management (KM) TEE of a KM node, a trust relationship with a plurality of KM TEEs in a plurality of KM nodes based on performing mutual attestations with the plurality of KM TEEs; initiating a consensus process with the plurality of KM TEEs for reaching consensus on providing one or more encryption keys to a service TEE of the KM node; in response to reaching the consensus with the plurality of KM TEEs, initiating a local attestation process with a service TEE in the KM node; determining that the local attestation process is successful; and in response to determining that the local attestation process is successful, providing one or more encryption keys to the TEE executing on the computing device.

Abstract: Examples associated with digital composition hashing are described. One example method includes receiving a digital composition file from a user. The digital composition file may include a top-level design and a hierarchy of sub-level designs. A hashed structure may be generated from the digital composition file, where a node in the hashed structure for the first sub-level design is generated based on hashes of sub-level designs below the first sub-level design in the hierarchy. The hashed structure and a hash of the digital composition file are stored in association with the user.

Abstract: According to one example, a method includes, with a serverless function infrastructure, associated a routing secret with a function sequence. The method further includes, with a sequence controller of the serverless function infrastructure, appending the routing secret to a header of a request to invoke a first function of the function sequence. The method further includes, with the serverless function infrastructure invoking the first function of the function sequence, in response to authenticating the routing secret in the header of the request. The method further includes, after the first function has been invoked and before the first function completes execution, with a serving controller of the serverless function infrastructure, preloading subsequent functions of the function sequence.

Abstract: Aspects of the disclosure relate to conducting software testing using dynamically masked data. In some embodiments, a computing platform may receive, from a developer computing platform, a test execution request that includes a test code for execution. Subsequently, the computing platform may establish a secure connection to an enterprise data storage database. Upon establishing the secure connection, the computing platform may request confidential data from the enterprise data storage database in connection the test execution request. Thereafter, the computing platform mat execute the test code, which may include receiving encrypted confidential data from the enterprise data storage, decrypting the confidential data, and plugging the confidential data into the test code.

Abstract: The present disclosure relates to a method of creating a trusted bond between a hearing device and a user accessory device, wherein the method comprises: transmitting, by a hearing device fitting system, an authentication key to the hearing device; creating, by the hearing device fitting system authentication data comprising the authentication key in encrypted form; obtaining, by the user accessory device, the created authentication data; receiving, by the user accessory device, identification information from the hearing device the identification information identifying the hearing device; decrypting, by the user accessory device, the encrypted authentication key comprised in the obtained authentication data using at least the received identification information; establishing communication between the hearing device and the user accessory device based on the authentication key.

Abstract: A method comprises initializing, by an accelerator device of the computing device, an authentication tag in response to an initialization command from a trusted execution environment of the computing device, initiating a transfer, by the accelerator device, of data between a host memory and an accelerator device memory in response to a descriptor from the trusted execution environment, wherein the descriptor comprises a target memory address and is indicative of a transfer direction, comparing, in a memory range selection engine comprising at least one comparator to compare the target memory address with a plurality of address ranges and select a cryptographic key from the plurality of plurality of address range registers based on the target memory address, performing, by the accelerator device, a cryptographic operation with the data in response to transferring the data, updating, by the accelerator device, the authentication tag in response to transferring the data, and finalizing, by the accelerator device

Abstract: Methods and systems for encrypting shared information through its life cycle are described. The method includes receiving and storing a document. The method further includes encrypting document using a primary key. Further, the method includes receiving sharing request from current user of document for sharing document with a next user. The method includes, for each time the document is to be shared with next user in a series, generating a key for next user specified in sharing request. The method further includes encrypting document for next user using key generated for corresponding next user. Furthermore, the method includes binding access rights to document for authorizing request to access document by next user. The method includes sharing encrypted document with next user. Thereafter, the method includes receiving a request to access the document from the next user and providing the access to encrypted document meant for next user to next user.

Abstract: A computer-readable media, system, and method for providing role-based access management to channels within a group-based communication system. Role-based access management allows for a plurality of roles to be established and for users to be associated with these roles. Roles may be associated with sets of permissions allowing users assigned to the respective role to perform various actions within the group-based communication system. The group-based communication system may include preset, system roles with predetermined permissions and custom, user-defined roles may be created by administrators within the group-based communication system.

Abstract: Respective sets of homomorphically encrypted training data are received from multiple users, each encrypted by a key of a respective user. The respective sets are provided to a combined machine learning model to determine corresponding locally learned outputs, each in an FHE domain of one of the users. Conversion is coordinated of the locally learned outputs in the FHE domains into an MFHE domain, where each converted locally learned output is encrypted by all of the users. The converted locally learned outputs are aggregated into a converted composite output in the MFHE domain. A conversion is coordinated of the converted composite output in the MFHE domain into the FHE domains of the corresponding users, where each converted decrypted composite output is encrypted by only a respective one of the users. The combined machine learning model is updated based on the converted composite outputs. The model may be used for inferencing.