Data Processing Protection Using Cryptography Patents (Class 713/189)
  • Patent number: 11140455
    Abstract: A first network namespace and second network namespace are created in a computing instance of a computer system, with the second network namespace being accessible to the first network namespace via an interface. A service is executed in the first namespace and an encoder is executed in the second namespace, with the encoder transforming media from one format to another format. Communication from the encoder to the service is regulated via the interface.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: October 5, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Woodruff, Akshat Aranya, Varad Joshi, Rebecca Claire Weiss
  • Patent number: 11139969
    Abstract: Hardware Security Modules (HSMs) are used to secure data, such as encryption keys. Access to HSMs may be shared across applications, and virtualized to allow the HSMs to generate, store, and provide encryption and decryption processes to various applications when the HSMs are located apart from the particular systems on which the applications are stored. This configuration allows for application owners or developers to easily interface with the HSMs, such that applications may simply request an encryption key from the HSMs, utilize the encryption key for encrypting data, store the encryption key within the HSMs, and/or retrieve the encryption key for decryption without the disadvantages associated with HSMs. Utilizing centralized HSMs improves the efficiency of use, memory storage, and security of the HSMs, due at least in part to allowing application owners and/or developers to interface with HSMs without forcing cryptographic processes that are specific to the application.
    Type: Grant
    Filed: December 4, 2018
    Date of Patent: October 5, 2021
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: Shankar R. Iyer, Maria Dominique, Navanith Keerthi
  • Patent number: 11138643
    Abstract: Apparatuses, systems, methods, and computer program products are disclosed for item level data aggregation. A method includes identifying a transaction made with a third party within a set of transactions. A method includes using electronic credentials for a user to login to an account of the user at a third party. A method includes downloading item-level data from a third party that corresponds to an identified transaction in response to logging into a user's account at a third party. Item-level data identifies one or more items within an identified transaction. A method includes displaying a set of transactions to a user. A method includes displaying item-level data for one or more items within an identified transaction to a user in response to receiving input from the user relative to the identified transaction in a displayed set of transactions.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: October 5, 2021
    Assignee: MX TECHNOLOGIES, INC.
    Inventor: John Ryan Caldwell
  • Patent number: 11132452
    Abstract: A method, apparatus and product for data-encryption-based purpose-specific access control. The method comprising: having data of a subject, wherein an approval for usage of the data for a purpose is provided; obtaining an encryption key associated with the purpose, wherein a decryption key is required for decrypting information encrypted with the encryption key; encrypting the data using the encryption key, whereby obtaining purpose-based encrypted data that is encoded with the purpose for which the data can be used; and enabling access to the purpose-based encrypted data to one or more data consumers, whereby access to the data is obtainable by decrypting the purpose-based encrypted data using the decryption key that is available to data consumers that are certified for the purpose.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: September 28, 2021
    Assignee: International Business Machines Corporation
    Inventor: Sima Nadler
  • Patent number: 11128435
    Abstract: This disclosure relates to a cloud-local joint or collaborative data analytics framework that provides data analytics models trained and hosted in backend servers for processing data items preprocessed and encrypted by remote terminal devices. The data analytics models are configured to generate encrypted output data items that are then communicated to the local terminal devices for decryption and post-processing. This framework functions without exposing decryption keys of the local terminal devices to the backend servers and the communication network. The encryption/decryption and data analytics in the backend servers are configured to process and communicate data items efficiently to provide real-time or near real-time system response to requests for data analytics from the remote terminal devices.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: September 21, 2021
    Assignee: Tencent America LLC
    Inventors: Shixiong Zhang, Dong Yu
  • Patent number: 11126709
    Abstract: A method for performing secure computations on records, comprising: receiving a request to apply a computation on a record; assigning a respective partial record of a plurality of partial records of the record to each of a plurality of computational processes; instructing each of the plurality of computational processes to perform a computation scheme comprising: applying a semi honest multiparty computation on the partial record; iteratively repeating a predetermined number of times: using a secure multiparty arithmetic computation to generate random terms; using the secure multiparty arithmetic computation to assign the random terms and an outcome of the application to at least one predetermined equation; verifying an integrity of the semi honest multiparty computation by comparison of the assignments to the at least one predetermined equation to at least one constant; and when the integrity is valid, combining the applications of the semi honest multiparty computations on the partial records.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: September 21, 2021
    Assignee: NEC Corporation Of America
    Inventors: Jun Furukawa, Kazuma Ohara, Toshinori Araki
  • Patent number: 11128608
    Abstract: In randomized traffic selection in an IPsec network, a source node sends a packet to a destination node. The packet is encapsulated with an application specific metadata header and the source node encapsulates the packet in a transport protocol header (UDP/TCP). The application specific metadata header includes information such as a final destination node, a configured number of hops, a current hop count. A security association associated with an intermediate node is randomly selected by a randomized traffic selector algorithm. The security association is randomly selected from the list of security associations. Upon receiving the packet at the intermediate node, a current hop count is incremented. It is determined that the current hop count is equal to the configured number of hops. The packet is sent to the destination node via the intermediate node based on the randomly selected security association.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: September 21, 2021
    Assignee: COLORTOKENS, INC.
    Inventors: Vinay Gudur, Abhisek Kumar Shaw, Mallesh Kanderayanahalli Marthandappa
  • Patent number: 11128640
    Abstract: Systems and methods for end to end encryption are provided. In example embodiments, a computer accesses an image including a geometric shape. The computer determines that the accessed image includes a candidate shape inside the geometric shape. The computer determines, using the candidate shape, an orientation of the geometric shape. The computer determines a public key of a communication partner device by decoding, based on the determined orientation, data encoded within the geometric shape. The computer receives a message. The computer verifies, based on the public key of the communication partner device, whether the message is from the communication partner device. The computer provides an output including the message and an indication of the communication partner device if the message is verified to be from the communication partner device. The computer provides an output indicating an error if the message is not verified to be from the communication partner device.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: September 21, 2021
    Assignee: Snap Inc.
    Inventor: Subhash Sankuratripati
  • Patent number: 11128630
    Abstract: Embodiments of the present application disclose a user management method and apparatus of a hybrid cloud. The user management method of a hybrid cloud is performed by a management platform of the hybrid cloud. The method includes the steps of: obtaining user data in a role-based access control (RBAC) system; determining, according to a historical record, historical user data that has been distributed to a cloud platform in the hybrid cloud; obtaining incremental data of the user data relative to the historical user data; and sending the incremental data to the cloud platform in the hybrid cloud.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: September 21, 2021
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Ke Dong, Xiaoqing Wu, Songjian Zheng, Haiwen Li, Zhen Wang
  • Patent number: 11120448
    Abstract: An example device may include one or more processors to receive a request for a service from a requestor user device; provide transaction information associated with the service to a provider user device, where the transaction information may include location information corresponding to a location at which the service may be provided; obtain verification information from the requestor user device based on an interaction associated with the requestor user device or the provider user device at the location, where the verification information may include one or more characteristics of the requestor user device; generate a verification token based on the one or more characteristics of the requestor user device; provide the verification token to the requestor user device; and provide the verification information to the provider user device to permit the provider user device to verify the requestor user device, in connection with performance of the service, based on receiving the verification information and obtai
    Type: Grant
    Filed: March 19, 2019
    Date of Patent: September 14, 2021
    Assignee: Capital One Services, LLC
    Inventors: Jeremy Phillips, Zhe Liu, Catherine Bousquet
  • Patent number: 11121865
    Abstract: Some embodiments of the present specification provide a method and an apparatus for establishing a trusted channel between a user and a trusted computing cluster. According to the method, when a user wants to establish a trusted channel with a trusted computing cluster, the user only negotiates a session key with any first trusted computing unit in the cluster to establish the trusted channel. Then, the first trusted computing unit encrypts the session key using a cluster key common to the trusted computing cluster to which the first trusted computing unit belongs, and sends the encrypted session key to a cluster manager. The cluster manager transmits the encrypted session key in the trusted computing cluster, so that other trusted computing units in the cluster obtain the session key and join the trusted channel. Thus, the user establishes a trusted channel with the entire trusted computing cluster.
    Type: Grant
    Filed: January 26, 2021
    Date of Patent: September 14, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Aihui Zhou, Qunshan Huang, Chaofan Yu, Weiwen Cai, Lei Wang
  • Patent number: 11119741
    Abstract: Some embodiments are directed to a compiler device (100) configured to identify a sub-graph (210) in a data flow graph having one or more output nodes marked as encoded and one or more output nodes marked as non-encoded, and to replace the sub-graph by an encoded first sub-graph (210.1), and a non-encoded second sub-graph (210.2), wherein the first sub-graph has only encoded output nodes, and the second sub-graph has only non-encoded output nodes.
    Type: Grant
    Filed: December 19, 2018
    Date of Patent: September 14, 2021
    Assignee: Koninklijke Philips N.V.
    Inventors: William Charles Mallon, Alan Pestrin, Oscar Garcia Morchon
  • Patent number: 11120011
    Abstract: In various examples, there is provided a computer-implemented method for writing transaction log entries to a transaction log for a database system. At least part of the database system is configured to be executed within a trusted execution environment. The transaction log is stored outside of the trusted execution environment. The method maintains a first secure count representing a number of transaction log entries which have been written to the transaction log for transactions which have been committed to the database and writes a transaction log entry to the transaction log. In other examples, there is also provided a computer-implemented method for restoring a database system using transaction log entries received from the transaction log and a current value of the first secure count.
    Type: Grant
    Filed: April 17, 2018
    Date of Patent: September 14, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Christian Priebe, Kapil Vaswani, Manuel Silverio da Silva Costa
  • Patent number: 11113420
    Abstract: Disclosed are various examples for providing access to a clipboard based at least in part on one or more policies. Data is received from a client application. A permission associated with the client application is checked, the permission specifying that the client application is authorized to store data in a clipboard provided by an operating system of the computing device. In response, the data received from the client application is stored in the clipboard.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: September 7, 2021
    Assignee: VMware, Inc.
    Inventors: Xinpi Du, Ali Mohsin
  • Patent number: 11113399
    Abstract: According to one embodiment, an electronic apparatus includes a first processor, a second processor with a security capability higher than a security capability of the first processor, a first nonvolatile memory to store a program which is to be executed by the first processor, and a volatile second memory to store the program and data that is to be referred to by the first processor while the first processor executes the program. The second processor is configured to authenticate a rewrite command requesting to change the data in the second memory and selectively execute the rewrite command based on the authentication.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: September 7, 2021
    Assignee: TOSHIBA MEMORY CORPORATION
    Inventors: Naoko Yamada, Yuki Kanbe
  • Patent number: 11106808
    Abstract: A system for applying access permissions to read requests may write a file to a storage media. The file may contain data, an embedded flag, and an embedded verification datum of the embedded flag. The embedded flag may indicate an access permissions requisite for file access. The system may also receive a request to access the file from a user and retrieve an access permission for the user. The system may also compare the embedded flag to the access permission for the user to determine the user has permission to access the file. A verification datum may be calculated, and the calculated verification datum may be compared to the embedded verification datum to determine the embedded flag has not changed.
    Type: Grant
    Filed: February 18, 2019
    Date of Patent: August 31, 2021
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC
    Inventors: Debasish Das, Kunal Joshi, Matthew Meyer, Jeremy Seideman
  • Patent number: 11102014
    Abstract: The invention is a method for handling data in a secure container comprising first and second private keys uniquely allocated to the secure container. The secure container is configured to use the first private key to handle said data in a first operating mode and to use the second private key to handle said data in a second operating mode. The secure container is configured to prevent the update of the first private key after its clearing. The method comprises the step of automatically clearing the first private key in response to a request for enabling a software module in the second operating mode and a step of automatically using the first operating mode by the secure container if the first private key has not been cleared and of automatically using the second operating mode by the secure container if the first private key has been cleared.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: August 24, 2021
    Assignee: THALES DIS CPL CANADA, INC.
    Inventors: Dmitry Riyumkin, Darren Johnson
  • Patent number: 11100740
    Abstract: The present disclosure relates to a wearable radio device for access control. The radio device has an inside portion and an outside portion. The inside portion includes a first transponder and a second transponder. A first barrier is located between the first transponder and the second transponder. A second barrier is located between the first transponder and the second transponder in an outside portion of the wearable device.
    Type: Grant
    Filed: February 3, 2020
    Date of Patent: August 24, 2021
    Assignee: MCLEAR LIMITED
    Inventor: Edward John McLear
  • Patent number: 11093627
    Abstract: A device receives a first data item. The device stores the first data item in non-volatile memory. The device subsequently receives a second data item, where the second data item was previously generated from the first data item and a cryptographic key. The device performs a function such as, for example, an exclusive-or operation on the first data item and the second data item to generate the cryptographic key. The device uses the generated cryptographic key to encrypt data which may be transmitted over a wireless interface.
    Type: Grant
    Filed: October 31, 2018
    Date of Patent: August 17, 2021
    Assignee: L3 Technologies, Inc.
    Inventors: Jerry Hutchison, Todd Ditzman
  • Patent number: 11086701
    Abstract: An apparatus in one embodiment comprises a processing platform that includes a plurality of processing devices. The processing platform is configured to implement a master control plane and a plurality of messaging interfaces. Each messaging interface corresponds to one of a plurality of infrastructure controllers residing on an infrastructure under management by the processing platform. The master control plane is configured to communicate with each of the plurality of infrastructure controllers via the corresponding messaging interface. The plurality of infrastructure controllers are each configured to manage a corresponding one of a plurality of infrastructure components of the infrastructure under management.
    Type: Grant
    Filed: January 24, 2019
    Date of Patent: August 10, 2021
    Assignee: Virtustream IP Holding Company LLC
    Inventors: Andrew J. Gonczi, Kevin C. Harlan, Chris Nakagaki, Shivjit S. Patil, Jeff Tomer
  • Patent number: 11087000
    Abstract: A method of checking the authenticity of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element includes starting the microcontroller with instructions stored in a first non-reprogrammable memory area associated with the microcontroller, starting the secure element, executing, with the secure element, a signature verification on the content of a second reprogrammable non-volatile memory area associated with the microcontroller, and interrupting the microcontroller power supply if the signature is not verified.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: August 10, 2021
    Assignee: PROTON WORLD INTERNATIONAL N.V.
    Inventors: Olivier Van Nieuwenhuyze, Christophe Henri Ricard
  • Patent number: 11086821
    Abstract: A system and method for identifying write filter exclusions for information handling systems in a computing environment. Each information handling system includes a file exclusion driver and a file exclusion service. The file exclusion driver can monitor files to be stored in a write filter overlay and identify recurring files previously stored in the write filter overlay. The file exclusion driver can determine if a cumulative file size of a recurring file exceeds an adjustable threshold, and add data describing the recurring file to an exclusion list if the cumulative file size exceeds the adjustable threshold. The file exclusion service can transmit the exclusion list to the device management server for analysis, receive a master exclusion list from the device management server based on analysis, and can store a set of excluded files in a local storage resource based on the master exclusion list.
    Type: Grant
    Filed: June 11, 2019
    Date of Patent: August 10, 2021
    Assignee: Dell Products L.P.
    Inventors: Ryan G. Mason, Sumit K. Popli, Suruchi Dubey
  • Patent number: 11087030
    Abstract: Embodiments include cryptographic circuits having isolated operation with respect to embedded sensor operations to mitigate side-channel attacks. A cryptographic circuit, a sensor, and an analog-to-digital converter (ADC) circuit are integrated into an integrated circuit along with a cryptographic circuit. A sensed signal is output with the sensor, and the sensed signal is converted to digital data using the ADC circuit. Further, cryptographic data is generated using one or more secret keys and the cryptographic circuit. The generation of the cryptographic data has isolated operation with respect to the operation of the sensor and the ADC circuit. The isolated operation mitigates side-channel attacks. The isolated operation can be achieved using power supply, clock, and/or reset circuits for the cryptographic circuit that are electrically isolated from similar circuits for the sensor and ADC circuit. The isolated operation can also be achieved using time-division multiplex operations.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: August 10, 2021
    Assignee: Silicon Laboratories Inc.
    Inventor: Javier Elenes
  • Patent number: 11086999
    Abstract: A method of checking the authenticity of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element includes starting the microcontroller with instructions stored in a first non-reprogrammable memory area associated with the microcontroller, starting the secure element, executing, with the secure element, a signature verification on the content of a second reprogrammable non-volatile memory area associated with the microcontroller, and if the signature is verified, using the secure element to send the first key to the microcontroller.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: August 10, 2021
    Assignee: PROTON WORLD INTERNATIONAL N.V.
    Inventors: Olivier Van Nieuwenhuyze, Christophe Henri Ricard
  • Patent number: 11082432
    Abstract: Before sending a message to a destination device, a source device automatically uses a pattern matching algorithm to analyze entropy characteristics of a plaintext version of the message. The pattern matching algorithm uses at least one pattern matching test to generate at least one entropy metric for the message. The source device automatically determines whether the message has sufficiently low entropy, based on results of the pattern matching algorithm. In response to a determination that the message does not have sufficiently low entropy, the source device automatically generates integrity metadata for the message and sends the integrity metadata to the destination device. However, in response to a determination that the message has sufficiently low entropy, the source device sends the message to the destination device without sending any integrity metadata for the message to the destination device. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 5, 2017
    Date of Patent: August 3, 2021
    Assignee: Intel Corporation
    Inventors: Michael Kounavis, Amitabh Das, Sergej Deutsch, Karanvir S. Grewal, David M. Durham
  • Patent number: 11080265
    Abstract: Techniques of dynamic hash function composition for change detection in distributed storage systems are disclosed herein. In one embodiment, a method includes dynamically selecting a hash function for a property of a new version of the document and generating a hash value of the value of the property using the selected hash function. The method can then include determining whether the generated hash value of the property of the received new version is different than that of a previous version of the document in the distributed storage system. In response to determining that the generated hash value is different than that of the previous version of the document, a notification can be transmitted to one or more computing services previously registered to receive a notification regarding a change in the property without transmitting the notification to other computing services not registered to receive the notification.
    Type: Grant
    Filed: April 24, 2019
    Date of Patent: August 3, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Tor Kreutzer, Åge Andre Kvalnes, Øystein Torbjørnsen, Jan-Ove Karlberg
  • Patent number: 11074364
    Abstract: In order to handle the security issues with regards to maintaining privacy of the submitted confidential data, in an example embodiment, no single service is permitted to access both confidential data and member identity data. This design ensures that an attacker would have to compromise more than two services to be able to associate a member with their corresponding compensation data. Thus, member privacy would be preserved if there were any single point of breach. In an example embodiment, an approach is taken where it is still possible for a member to delete his or her confidential data information.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: July 27, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Keren Kochava Baruch, Ahsan Latif Chudhary, Funing Xu, Shi Yan
  • Patent number: 11074352
    Abstract: A method, implementable by a data processing server comprising a trusted execution environment, includes: obtaining a ciphertext of target data from an external system; obtaining one or more parameters of a model for processing the target data; obtaining, via a data transmission channel between the trusted execution environment and the external system, an encryption key associated with the ciphertext of the target data; inputting the ciphertext of the target data and the one or more parameters of the model to the trusted execution environment; decrypting, in the trusted execution environment, the ciphertext using the encryption key to obtain the target data; processing, in the trusted execution environment, the obtained target data using the model with the one or more parameters to obtain a result; encrypting, in the trusted execution environment, the result using the encryption key; and sending the encrypted result to the external system.
    Type: Grant
    Filed: October 20, 2020
    Date of Patent: July 27, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Yuncheng Wu, Wenxiang Wang, Le Zhang, Li Lin
  • Patent number: 11074370
    Abstract: A host device includes a power supply unit configured to supply power to a SoC, a current measurement circuit configured to measure a current from the power supply unit to the SoC, a detection unit configured to detect a power supply glitch in the host device, on the basis of a result of current measurement by the current measurement circuit, and a controller configured to suspend transmission of encrypted command from the host device to the memory device if the detection unit detects a power supply glitch in the host device.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: July 27, 2021
    Assignee: MEGACHIPS CORPORATION
    Inventors: Takahiko Sugahara, Naoki Matsuyama, Harunobu Kishida
  • Patent number: 11069786
    Abstract: Controlling execution of software is provided. In response to receiving an input to execute a software module on a data processing system, a set of measurements are performed on the software module performing a process to prepare the software module for execution on the data processing system. In response to determining that the set of measurements meets a predetermined criterion, an authorization to proceed with the process of preparing the software module for execution on the data processing system is requested from a trusted third party computer. In response to receiving the authorization to proceed with the process of preparing the software module for execution on the data processing system from the trusted third party computer, the software module is executed.
    Type: Grant
    Filed: August 6, 2019
    Date of Patent: July 20, 2021
    Assignee: International Business Machines Corporation
    Inventor: Kenneth A. Goldman
  • Patent number: 11063916
    Abstract: A facility control service and programmable logic controller (PLC) interfaces enable coordination and optimization of control of various PLCs that use various PLC specific protocols. The facility control service sends control commands formatted in accordance with a secure protocol and respective PLC interfaces convert the control commands into respective PLC specific protocols. In some embodiments, a facility control service employs machine learning techniques to optimize control of PLCs at a facility. Also, in some embodiments, a facility control service coordinates deployment of PLC software to various PLCs in one or more facilities that use various PLC specific protocols.
    Type: Grant
    Filed: August 1, 2017
    Date of Patent: July 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventor: Adolfo Bravo Ferreira
  • Patent number: 11056161
    Abstract: A data processing system and method for generating a digital code for use as a physically unclonable function (PUF) response is provided. The method includes activating a plurality of word lines for a read operation. A first bit line is coupled to a first input of a comparator during the read operation. A second bit line is coupled to a second input of the comparator during the read operation. A current is generated on each of the first and second bit lines. The currents on the first and second bit lines are converted to voltages. The voltage on the first bit line is compared to the voltage on the second bit line. A logic bit is output from the comparator as part of the digital code, a logic state of the logic bit is determined in response to the comparison. By selecting multiple word lines to determine a PUF response, noise immunity is improved.
    Type: Grant
    Filed: July 26, 2019
    Date of Patent: July 6, 2021
    Assignee: NXP USA, Inc.
    Inventors: Nihaar N. Mahatme, Alexander Hoefler, Brad John Garni
  • Patent number: 11055414
    Abstract: A method of starting-up a computer system includes accessing a second storage area of a storage in which program data are stored; loading and executing the program data from a second storage area; mounting an external storage medium connected to the computer system, wherein a file system key that decrypts a file system data is stored on an external storage medium, wherein the file system key is encrypted on the external storage medium; loading the encrypted file system key from the external storage medium into the computer system; decrypting the encrypted file system key by a key stored in the second storage area; setting the decrypted file system key in a cryptographic module established by the start-up process; and decrypting and loading file system data of the encrypted file system by the cryptographic modules by the set file system key, whereby the computer system is started up completely.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: July 6, 2021
    Assignee: Fujitsu Technology Solutions Intellectual Property GmbH
    Inventor: Heinz-Josef Claes
  • Patent number: 11055425
    Abstract: A request to access a computing resource of a computing resource service provider is determined to be associated with specious data previously generated by the computing resource service provider. Information about an entity associated with the request is determined from the request. The information is provided to a breach detection system as notification of a potential attack against the computing resource service provider.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: July 6, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Stephen Edward Schmidt
  • Patent number: 11050635
    Abstract: Embodiments for managing bare metal networking in a cloud computing environment. A network communication module that receives a configuration instruction over a direct network link from an external remote management device on a network endpoint may be initialized.
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: June 29, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hubertus Franke, Christoph Raisch, Marcio Augusto Silva, Gheorghe Almasi, Marc Cochran, Alan Ross
  • Patent number: 11050575
    Abstract: An entanglement and recall system includes an antifuse-type PUF cell array and a processing circuit. The antifuse-type PUF cell array generates at least one key. The processing circuit is connected with the antifuse-type PUF cell array to receive the at least one key. While an entanglement action is performed, the processing circuit receives a plain text and the at least one key and generates a cipher text according to the plain text and the at least one key. While a recall action is performed, the processing circuit receives the cipher text and the at least one key and generates the plain text according to the cipher text and the at least one key.
    Type: Grant
    Filed: December 18, 2018
    Date of Patent: June 29, 2021
    Assignee: EMEMORY TECHNOLOGY INC.
    Inventors: Meng-Yi Wu, Chih-Min Wang, Hsin-Ming Chen
  • Patent number: 11050605
    Abstract: A secure programming system and method for provisioning and programming a target payload into a programmable device mounted in a programmer. The programmable device can be authenticated before programming to verify the device is a valid device produced by a silicon vendor. The authentication process can include a challenge-response validation. The target payload can be programmed into the programmable device and linked with an authorized manufacturer. The programmable device can be verified after programming the target payload by verifying the silicon vendor and the authorized manufacturer. The secure programming system can provision different content into different programmable devices simultaneously to create multiple final device types in a single pass.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: June 29, 2021
    Assignee: Data I/O Corporation
    Inventor: Rajeev Gulati
  • Patent number: 11048457
    Abstract: A non-transitory computer-readable medium stores computer-readable instructions, the computer-readable instructions, in response to being activated by an operating system, causing the portable terminal to perform: a first acceptance process of accepting an operation designating one of image forming devices communicable; a first storage process of causing the memory to store a first device ID, as a designated device ID; a second acceptance process of accepting an operation designating contents; and an operation instruction process of transmitting operation instruction information, and the computer-readable instructions, in response to being activated by another program, causing the portable terminal to perform: an acquisition process of acquiring, from the another program, a second device ID for identifying the image forming device; and a second storage process of causing the memory to store the second device ID, as the designated device ID.
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: June 29, 2021
    Assignee: BROTHER KOGYO KABUSHIKI KAISHA
    Inventor: Norihiko Asai
  • Patent number: 11042298
    Abstract: A system includes a read/write controller removably coupled to a storage drive. Responsive to detection of a coupling between the read/write controller and the storage drive, the read/write controller retrieves key information from the storage drive, uses the key information to locate adaptives associated with the primary storage medium, and loads the adaptives into volatile memory to configure read/write settings for access to the primary storage medium.
    Type: Grant
    Filed: August 27, 2020
    Date of Patent: June 22, 2021
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Riyan Alex Mendonsa, Jon D Trantham, Anil J Reddy, Varun Reddy Boddu, Ajay Narayan Kulkarni
  • Patent number: 11032279
    Abstract: Techniques described herein leverage a trusted entity within a domain to enable devices to establish trust with one another so they can securely discover each other and connect to one another. In various examples discussed herein, a device is configured to provide trust information to, and/or receive trust information from, the trusted entity. The trust information may include, for example, a public key of an encryption key pair, a certificate signed by the trusted entity proving authenticity, and/or a hash function and a hash seed used to compute a series of results that form a hash chain. The device may use the trust information to discover another device and to connect to the other device securely and automatically (e.g., with no user involvement or limited user involvement). Moreover, the device may use the trust information to dynamically change a MAC address being used to communicate with the other device.
    Type: Grant
    Filed: July 16, 2019
    Date of Patent: June 8, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Peter Dawoud Shenouda Dawoud, Anoosh Saboori, Himanshu Soni, Dustin Michael Ingalls, Nelly L. Porter
  • Patent number: 11030120
    Abstract: A processor includes a cryptographic engine to control access, using a secure region key identifier (ID), to one or more memory range of memory allocable for flexible conversion to secure pages of architecturally-protected memory regions, and a processor core. The processor core is to, responsive to receipt of a request to access the memory, perform a walk of page tables and extended page tables to translate a linear address of the request to a physical address of the memory. The processor core is further to determine that the physical address corresponds to a secure page within the one or more memory range of the memory, that a first key ID located within the physical address does not match the secure region key ID, and issue a page fault and deny access to the secure page in the memory.
    Type: Grant
    Filed: June 27, 2019
    Date of Patent: June 8, 2021
    Assignee: Intel Corporation
    Inventors: Krystof C. Zmudzinski, Simon P. Johnson, Raghunandan Makaram, Francis X. McKeen, Carlos V. Rozas, Meltem Ozsoy, Ilya Alexandrovich, Siddhartha Chhabra
  • Patent number: 11023587
    Abstract: In an embodiment, a system supports an external trust cache. That is, the trust cache is separate from the kernel image on the non-volatile storage in the system. During boot, the boot code may read the trust cache from the storage and write it to the working memory of the system (e.g. the Random Access Memory (RAM) forming the memory system in the system). The boot code may also validate the kernel image and write it to the memory system. The boot code may program a region register in the processor to define a region in the working memory that encompasses the kernel image and the trust cache, to protect the region from modification/tampering.
    Type: Grant
    Filed: September 29, 2018
    Date of Patent: June 1, 2021
    Assignee: Apple Inc.
    Inventors: Julien Oster, Eric S. Harmon, Mitchell K. Allison, Pierre-Olivier J. Martel, Damien P. Sorresso, Dallas B. De Atley, Ryan P. Nielsen
  • Patent number: 11025415
    Abstract: A cryptographic service device includes: a processor; and a memory storing instructions executable by the processor, wherein the processor is configured to execute the instructions to operate as a registration module, a working key creation module, and a cryptographic operation calling module. The registration module is configured to call a secondary security module to generate an asymmetric key pair including a target public key and a target private key. The working key creation module is configured to receive a working key creation request of a business system, and call a primary security module to generate a working key for the business system. The cryptographic operation calling module is configured to receive a cryptographic operation request of the business system, and call a target security module to obtain an operation result of the target security module.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: June 1, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Shuting Xiao, Xiaodan Lin, Haifeng Fang, Shengcai Gu
  • Patent number: 11017816
    Abstract: A multimedia file and methods of generating, distributing and using the multimedia file are described. Multimedia files in accordance with embodiments of the present invention can contain multiple video tracks, multiple audio tracks, multiple subtitle tracks, a complete index that can be used to locate each data chunk in each of these tracks and an abridged index that can enable the location of a subset of the data chunks in each track, data that can be used to generate a menu interface to access the contents of the file and ‘meta data’ concerning the contents of the file. Multimedia files in accordance with several embodiments of the present invention also include references to video tracks, audio tracks, subtitle tracks and ‘meta data’ external to the file.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: May 25, 2021
    Assignee: DIVX, LLC
    Inventors: Abou Ui Aala Ahsan, Stephen R. Bramwell, Brian T. Fudge
  • Patent number: 11017150
    Abstract: A system and method that converts the digital typesetting documents used in publishing to a device-specific format for electronic publishing. A “smart file and device-specific application” approach maintains the “look and feel” (design) of the source document used for print publication while typesetting for a specific device. Although this approach requires considerably more resources to create a smart file for each device-specific format, the smart file retains the unique typesetting characteristics of the printed book, is more aesthetically pleasing, and is easier to read. Furthermore, the device-specific application can render the smart file more quickly thereby eliminating any latency.
    Type: Grant
    Filed: June 2, 2020
    Date of Patent: May 25, 2021
    Assignee: Language Technologies, Inc.
    Inventors: Christopher D. Nicholas, Edward J. Maher, II, Kristen L. Pruett, Lee H. Berendt
  • Patent number: 11017103
    Abstract: A group of processors in a processor pool comprise a secure “enclave” in which user code is executable and user data is readable solely with the enclave. This is facilitated through the key management scheme described that includes two sets of key-pairs, namely: a processor group key-pair, and a separate user key-pair (typically one per-user, although a user may have multiple such key-pairs). The processor group key-pair is associated with all (or some defined subset of) the processors in the group. This key-pair is used to securely communicate a user private key among the processors. The user private key, however, is not transmitted to non-members of the group. Further, preferably the user private key is refreshed periodically or upon any membership change (in the group) to ensure that non-members or ex-members cannot decipher the encrypted user key.
    Type: Grant
    Filed: November 29, 2018
    Date of Patent: May 25, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: HariGovind V. Ramasamy, John A. Bivens, Ruchi Mahindru, Valentina Salapura, Min Li, Yaoping Ruan, Eugen Schenfeld
  • Patent number: 11012722
    Abstract: According to one example, a system includes a first computing device that includes one or more processors configured to receive a request, from a second computing device, for data; generate a first encryption key; and encrypt the requested data using the first encryption key. The one or more processors are further configured to determine a first set of tokens; determine, from the first set of tokens, a plurality of tokens for the first encryption key; generate a packet comprising the encrypted requested data, and further comprising the plurality of tokens; and transmit the packet for receipt by the second computing device.
    Type: Grant
    Filed: February 22, 2018
    Date of Patent: May 18, 2021
    Assignee: Secure Cloud Systems, Inc.
    Inventor: Timothy W. Reynolds
  • Patent number: 11009608
    Abstract: A method for authentication of GNSS messages by an authentication transmitter apparatus comprising a reference receiver, an authentication server and an authentication transmitter. The method comprises: receiving, by the reference receiver, a plurality of navigation messages from a plurality of GNSS satellites; hashing, by the authentication server, the navigation messages to create a plurality of hashed messages; creating, by the authentication server, a table comprising the plurality of hashed messages; signing, by the authentication server, the table to create a signed table comprising the hashed messages and a cryptographic signature, and transmitting, by the authentication transmitter, the signed table to an authentication receiver apparatus.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: May 18, 2021
    Inventors: Erik Vigen, Kristin Keltner Støme, Bendik Bjorklid Mjaaland
  • Patent number: 11010314
    Abstract: The present disclosure describes apparatuses and methods for artificial intelligence-enabled management of storage media. In some aspects, a media access manager of a storage media system receives, from a host system, host input/output commands (I/Os) for access to storage media of the storage media system. The media access manager provides information describing the host I/Os to an artificial intelligence engine and receives, from the artificial intelligence engine, a prediction of host system behavior with respect to subsequent access of the storage media. The media access manager then schedules, based on the prediction of host system behavior, the host I/Os for access to the storage media of the storage system. By so doing, the host I/Os may be scheduled to optimize host system access of the storage media, such as to avoid conflict with internal I/Os of the storage system or preempt various thresholds based on upcoming idle time.
    Type: Grant
    Filed: October 25, 2019
    Date of Patent: May 18, 2021
    Assignee: Marvell Asia PTE. Ltd.
    Inventors: Christophe Therene, Nedeljko Varnica, Phong Sy Nguyen
  • Patent number: 11010348
    Abstract: A system groups multiple entities in a large distributed data store (DDS), such as directories and files, into a subset called a domain. The domain is treated as a unit for defining policies to detect and treat sensitive data. Sensitive data can be defined by enterprise or industry. Treatment of sensitive data may include quarantining, masking, and encrypting, of the data or the entity containing the data. Data in a domain can be copied as a unit, with or without the same structure, and with transformations such as masking or encryption, into parts of the same DDS or to a different DDS. Domains can be the unit of access control for organizations, and assigned tags useful for identifying their purpose, ownership, location, or other characteristics. Policies and operations, assigned at the domain level, may vary from domain to domain, but within a domain are uniform, except for specific exclusions.
    Type: Grant
    Filed: March 17, 2014
    Date of Patent: May 18, 2021
    Assignee: Dataguise, Inc.
    Inventors: Subramanian Ramesh, Jaspaul Singh Chahal