Abstract: In order to improve the efficiency of transfer to outside devices while necessary buffer memory is suppressed, the present invention is an information processing apparatus for decoding a packet that is encrypted in accordance with Transport Layer Security (TLS) protocols and in which a padding portion has a variable length, the information processing apparatus including acquisition means for acquiring an encrypted packet on a unit data basis, decoding means for decoding the encrypted packet on the unit data basis, output means for outputting decoded data obtained through the decoding performed by the decoding means to an external device in accordance with an order in which the decoding is performed by the decoding means, and control means for restricting output to be performed by the output means in a case where a padding pattern is detected from the decoded data obtained through the decoding performed by the decoding means.

Abstract: An example apparatus can include a memory device and a controller coupled to the memory device configured to receive a command including command information to access a register from a host device. The controller can grant access to the register in response to the controller determining the command is valid and/or deny access to the register in response to the controller determining the command is invalid. The controller can determine the command is valid by calculating an answer using a seed from the command in a formula and verifying the calculated answer matches an answer from the command. The command, once verified as valid, can allow the host device to access configuration registers and/or data registers.

Abstract: A hardware camera may include a camera sensor configured to determine input image data. The hardware camera may also include an image signal processor configured to perform one or more image signal processing operations on the input image data. The hardware camera may also include a neural processing unit configured to determine encoded image data by encoding the input image data with an image data encoder portion of a camera autoencoder. The camera autoencoder may be trained based on training image data collected from the camera sensor and a fingerprint specific to the hardware camera. The hardware camera may also include a camera communication interface configured to transmit the encoded image data to a remote computing system, which may determine decoded image data by decoding the encoded image data via an image data decoder portion of the camera autoencoder.

Abstract: An integrated circuit comprising a CPU coupled to a system bus, a network interface configured to interface with an external device, and a crypto neuromorphic core coupled to the system bus. The cryptographic core comprising a processor or core, an internal bus, and a non-transitory computer-readable memory, wherein the crypto neuromorphic core is isolated from the CPU and the network interface via the system bus and the crypto neuromorphic core runs its own operating system. The crypto neuromorphic core is configured to: contain a secure core comprising a secure processor and dedicated/protected memory; store a private key in the dedicated/protected memory accessible to the secure core but not accessible to other components of the crypto neuromorphic core, the central processing unit, and the network interface; add data to a blockchain using the private key via the network interface; and read data from the blockchain via the network interface.

Abstract: A vehicle control system includes: an entry/exit management device including a first processor including hardware, the first processor being configured to detect that a user of a vehicle enters or leaves a facility, and output a first signal indicating user's entering the facility and a second signal indicating user's leaving the facility, to a server; and the server comprising a second processor comprising hardware, the second processor being configured to output to the vehicle a third signal for deactivating a smart key function of the vehicle when acquiring the first signal and prohibit unlocking of a door of the vehicle performed by wireless communication, and output to the vehicle a fourth signal for setting the smart key function of the vehicle when acquiring the second signal and permit unlocking of the door of the vehicle performed by wireless communication.

Abstract: Methods for securing an electronic communication is provided. Methods may include, in a registration process, creating and/or selecting an anti-phish, personalized, security token for a predetermined avatar. Methods may include, in the registration process, storing the token in a database. Methods may include, in an in-use process, generating an electronic communication at a virtual kiosk in a metaverse. Methods may include, in the in-use process, forwarding an electronic communication from the virtual kiosk to the avatar. The avatar may be associated with the account. Methods may include, in the in-use process, intercepting the communication at an edge interface. Methods may include, in the in-use process, selecting, from the database, the anti-phish, personalized, security token that is associated with the account. Methods may include, in the in-use process, injecting the selected token into the communication.

Abstract: Mesh agents for an overlay network may be provided such that each mesh agent may be hosted on network computers in the overlay network. In response to a network interface providing raw datagrams to a mesh agent in the overlay network further actions may be performed, including: determining a payload protocol based on the raw datagrams; determining payload datagrams included in the raw datagrams based on the payload protocol; determining a request from a client based on the payload datagrams and the payload protocol; or the like. In response to an infrastructure security computer determining validation information that validates the request further actions may be performed, including: modifying the payload datagrams based on the payload protocol and the validation information; modifying the raw datagrams to include the modified payload datagrams; forwarding the modified raw datagrams to a next mesh agent identified with the validation information; or the like.

Abstract: Representative embodiments are disclosed for providing network and system security. A representative apparatus includes an input-output connector coupleable to a data network; a network interface circuit having a communication port; a nonvolatile memory storing a configuration bit image; and a field programmable gate array (“FPGA”) coupled to the network interface circuit through the communication port, the FPGA configurable to appear solely as a communication device to the first network interface circuit, and to bidirectionally monitor all data packets transferred between the input-output connector and the first network interface circuit and any coupled host computing system. In another embodiment, the FPGA is further configurable for only a partial implementation of a communication protocol, such as a PCIe data link and/or physical layers. The FPGA may also monitor host memory and provide encryption and decryption functionality.

Abstract: A content stake offering system is disclosed. The content stake offering system includes a content stake offering module, comprising computer-executable code stored in non volatile memory, a processor, and a plurality of computing devices. The content stake offering module, the processor, and the plurality of computing devices are configured to receive a request to sell a stake of content, determine a value of the content, generate a stake offering based on the value of the content, and update the value of the content. Determining the value of the content includes transferring data of a piece of content between the plurality of computing devices, recording a content data, which corresponds to the transferred data of the piece of content, in a database chunk, hashing the database chunk into a hashed database chunk, and appending the hashed database chunk to a block on a blockchain.

Abstract: Techniques for obfuscating and deploying digital assets (e.g., mobile applications) are provided to mitigate the risk of unauthorized disclosure. An asset can be received that is to be deployed to a plurality of mobile devices, each of the mobile devices associated with a corresponding account having account attributes. A deployment group of one or more mobile devices for deploying the asset can be identified based on a set of one or more obfuscation parameters, comprising account attributes shared among the one or more mobile devices within the deployment group. A customized obfuscation scheme to be applied to the asset can be determined based at least in part on the set of obfuscation parameters. The customized obfuscation scheme can be applied to the asset to generate an obfuscated asset. The obfuscated asset can be transmitted and/or updated over a network to the one or more mobile devices within the deployment group.

Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.

Abstract: A blockchain based alias directory may be utilized. Encrypted lists of aliases may be stored on the blockchain and may be accessible to network computers and secure gateways. Embodiments are directed to secure gateways and user devices for accessing the alias directory stored in the blockchain during a financial transaction. The user device may be provided with a list of aliases from which a user may select a payment account. Upon selection the user may be redirected to an identity verification system of the associated payment network.

Abstract: An individual data unit for enhancing the security of a user data record is provided that includes a processor and a memory configured to store data. The individual data unit is associated with a network and the memory is in communication with the processor. The memory has instructions stored thereon which, when read and executed by the processor cause the individual data unit to perform basic operations only. The basic operations include communicating securely with computing devices, computer systems, and a central user data server. Moreover, the basic operations include receiving a user data record, storing the user data record, retrieving the user data record, and transmitting the user data record. The individual data unit can be located in a geographic location associated with the user which can be different than the geographic locations of the computer systems and the central user data server.

Abstract: A highly versatile process control or factory automation field device is configured with an interface and communication connection structure and security features that enable the field device to operate as a data server that communicates with and supports multiple different applications or clients, either directly or indirectly, while simultaneously performing standard process and factory automation control functions in a highly secure manner. The security features include a root of trust component, a secure boot component, secure memory components, secure communication components, security audit components, secure provisioning components and endpoint identity components, making the field device communications and operations secure and trustworthy.

Abstract: Embodiments of systems and methods for managing control of a security processor in a supply chain are described. In some embodiments, a security processor may include: a core; and a memory coupled to the core, the memory having program instructions stored thereon that, upon execution by the core, cause the security processor to: store a first public key usable to initiate a first secure boot process and unusable to initiate a second secure boot process; store a second public key usable to initiate the second secure boot process and unusable to initiate the first secure boot process; and in response to a first change of control or ownership of the security processor, render the first public key unusable to initiate the first secure boot process.

Abstract: A computer implemented system and method provide for a transfer learning platform system. The method provides an introduced enterprise security policy (IESP) to a first enterprise system. During a threat, the IESP is toggled on and off. A first change element is determined that represents a change in a logging system of the first enterprise between a first and second log element of the first enterprise captured when the IESP was toggled on and off, respectively. The IESP is provided to a second enterprise system. A second change element is determined that represents a change in a logging system of the second enterprise between a first log element of the second enterprise. The method further determines that the first and second change element are different, and, conditioned upon the determining that the second change element is different than the first change element, removes the IESP from the second enterprise system.

Abstract: Example embodiments of systems and methods for data transmission in a contactless card are provided. The contactless card may include a processor, and a memory. The memory may contain a first applet, a second applet, and a plurality of keys. The first applet and the second applet may be stored within a shared security domain. The second applet may be configured to communicate with the first applet to perform one or more cryptographic services. The second applet may be configured to transmit one or more requests to the first applet to encode one or more payload strings based on the plurality of keys to perform the one or more cryptographic services. The first applet may be configured to perform the one or more cryptographic services on behalf of the second applet based on the one or more requests.

Abstract: Methods and systems for managing the operation of data processing systems are disclosed. A data processing system may include a computing device that may enter various operating states by performing various types of startups. Performance of some startups may be restricted by use of passwords or other security information. The data processing systems may host management controllers that may bypass the restrictions on the startups. Prior to doing so, the management controllers may verify that the requests to perform the startups are from trusted entities, or should be performed for other reasons.

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.

Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).

Abstract: A memory controller for controlling a non-volatile memory device includes a key management unit configured to control an access right to a secure key based on a biometric authentication message and a unique value, which are received from an external device; and a data processing unit configured to encrypt data received from a host and decrypt data stored in the non-volatile memory device based on the secure key.

Abstract: Examples disclosed herein relate to processing health information of a computing device according to a deep learning model to determine whether an anomaly has occurred. Multiple computing devices can be part of a system. One of the computing devices includes a host processing element, a management controller separate from the host processing element, and a deep learning model that includes parameters that are trained to identify anomalistic behavior for the computing device. The management controller can receive health information from multiple components of the computing device and process the health information according to the deep learning model to determine whether an anomaly occurred.

Abstract: A memory controller and a storage device including the same are disclosed. A memory controller for controlling a nonvolatile memory includes: a security access control module configured to convert biometric authentication data received from a biometric module into security configuration data having a data format according to a security standard protocol and perform, based on the security configuration data, at least one of authority registration and authority authentication of a user authority set for an access control of a secure area of the nonvolatile memory, encrypted user data being stored in the secure area; and a data processing unit configured to, based on an access to the secure area being permitted, encrypt user data received from a host device or decrypt the encrypted user data read from the secure area.

Abstract: The invention introduces an apparatus for encrypting and decrypting user data, including a memory, a bypass-flag writing circuit and a flash interface controller. The bypass-flag writing circuit writes a bypass flag in a remaining bit of space of the memory that is originally allocated for storing an End-to-End Data Path Protection (E2E DPP), where the bypass flag indicates whether user data has been encrypted. The flash interface controller reads the user data, the E2E DPP and the bypass flag from the memory and programs the user data, the E2E DPP and the bypass flag into the flash device.

Abstract: In some examples, a management controller includes a communication interface to communicate with a computing device, where the management controller is separate from a processor of the computing device. The management controller includes a management processor to receive, from the computing device, a first hash value that is based on a first hash function applied on an input value and a salt, generate a second hash value based on applying a second hash function on the first hash value and a pepper, and send the second hash value to the computing device.

Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.

Abstract: Various embodiments of the present invention set forth techniques for security monitoring of a network connection, including analyzing network traffic data for a network connection associated with a computing device, identifying one or more network traffic metrics for the network connection based on the network traffic data, determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics, detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile, and initiating a mitigation action with respect to the network connection in response to detecting the potential security threat. Advantageously, the techniques allow detecting potential security threats based on network traffic metrics and categorizations, without requiring monitoring of the content or the total volume of all traffic exchanged via the connection.

Abstract: In some embodiments, securing device commands includes a first electronic device receiving a command authorization request message from a second electronic device, including a device command to be performed by the second electronic device, a command argument, and a first message authentication code (MAC) generated by applying a hash function to the device command, the command argument and a first counter value. The first electronic device generates a second MAC by applying the hash function to the device command, the command argument and a second counter value synchronized with the first counter value. The first electronic device compares the first MAC and the second MAC to authenticate the device command and transmit a command approval message or a command denial message. The command approval message causes the second electronic device to perform the device command and the command denial message causes the second electronic device to reject the device command.

Abstract: One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

Abstract: Examples of cloud-based removable drive encryption policy enforcement and recovery key management are described. In some examples, a removable drive encryption policy is received from a cloud-based management service. A removable drive is recognized by an operating system of a client device. An encryption command causes the operating system to request user password creation and encrypt the removable drive. A recovery key is identified from a write-output of the operating system. The recovery key is transmitted to the cloud-based management service for storage in a cloud-based removable drive recovery key escrow.

Abstract: A system for securing electronic devices includes a processor, a storage medium communicatively coupled to the processor, and a monitoring application comprising computer-executable instructions on the medium. The instructions are readable by the processor. The monitoring application is configured to receive an indication that a client has been affected by malware, cause the client to boot from a trusted operating system image, cause a launch of a secured security application on the client from a trusted application image, and analyze a malware status of the client through the secured security application.

Abstract: A method and apparatus for controlling access to memory is disclosed. In one implementation, a memory controller may receive a memory access request that may include a virtual memory address, a device identifier (ID) and a protected access indicator. Additionally, the memory controller can receive page table entries including a physical memory address based on the virtual memory address and a security attribute associated with the physical memory address. The memory controller may access a memory based on the physical memory address, the security attribute, the protected access indicator, and the device ID.

Abstract: Systems, apparatuses, methods, and computer-readable media are provided for detecting security attacks based on transaction flow graphs. Other embodiments may be described and/or claimed.

Abstract: Systems and methods are described for a display driver integrated circuit that is configured to certify whether an application processor and the display driver integrated circuit are genuine products. The display driver integrated circuit includes: an encryptor for generating first encrypted data by encrypting first data; a data converter for converting the first data into a first converted signal expressed with four or more voltage levels; an interface for providing the first converted signal to a host processor, and receiving, from the host processor, a second converted signal corresponding to second encrypted data generated by the host processor; and a determiner for controlling a display panel by comparing the first encrypted data with converted data corresponding to the second encrypted data. The second converted signal transferred through the interface is expressed with the voltage levels.

Abstract: A method includes receiving, from a computing device, a request for content hosted by a content provider and determining one or more experiment variations for the requested content that the computing device is assigned to based, at least in part, on the request. The method further includes generating, by a processing device, a hash value of the one or more experiment variations and transmitting the hash value to the computing device and to a caching server.

Abstract: Embodiments described herein provide for a system, method, and apparatus to provision domains in a secure enclave processor to support multiple users. One embodiment provides for an apparatus comprising a first processor to receive a set of credentials associated with one of multiple user accounts on the apparatus and a second processor including a secure circuit to provide a secure enclave, the secure enclave to receive a request from the first processor to authenticate the set of credentials, the request including supplied credentials and an authentication type, where the secure enclave is to block the request from the first processor in response to a determination that the user account has exceeded a threshold number of successive failed authentication attempts for the authentication type.

Abstract: A controller that is separate from a processor of the system verifies controller code for execution on the controller. In response to verifying the controller code, the controller verifies system boot code.

Abstract: Processing circuitry may support a secure domain and a less secure domain, where secure information associated with a secure software process is prevented from being accessed by a less secure software process in the less secure domain. Shared resource is accessible to both secure and less secure software processes. In response to detection of an anomaly condition, allocation policy for the shared resource is switched from a shared allocation policy to a secure-biased allocation policy. The secure-biased allocation policy has a stronger bias of resource allocation to secure software processes than the shared allocation policy.

Abstract: In one embodiment, a system includes power management control that controls a duty cycle of a processor to manage power. The duty cycle may be the amount of time that the processor is powered on as a percentage of the total time. By frequently powering up and powering down the processor during a period of time, the power consumption of the processor may be controlled while providing the perception that the processor is continuously available. For example, the processor may be a graphics processing unit (GPU), and the period of time over which the duty cycle is managed may be a frame to be displayed on the display screen viewed by a user of the system.

Abstract: A blockchain integrated station initiates a ciphertext request to a server, where the ciphertext request includes first information associated with input data of an off-chain contract. The blockchain integrated station obtains, from the server, an execution result, where the execution result is obtained by the server by executing the off-chain contract using the input data.

Abstract: Systems and methods for securing objects in a computing environment. Objects are encrypted using keys that are also encrypted after encrypting the objects. In order to access the objects, a master key that is unknown to the service storing the objects and/or managing the keys is used to decrypt the keys so that the objects can be decrypted with the decrypted key. Thus, a key is needed to access the key needed to access the object. The master key is typically maintained separately from all of the encrypted objects and corresponding encrypted keys.

Abstract: Some embodiments are directed to a cryptographic device (20). A reliable bit function may be applied to a raw shared key (k*) to obtain reliable indices, indicating coefficients of a raw shared key, and reliable bits derived from the indicated coefficients. Reconciliation data (h) may be generated for the indicated coefficients of the raw shared key. A code word may be encapsulated using the reliable bits by applying an encapsulation function, obtaining encapsulated data (c) which may be transferred.

Abstract: A device receives, from an application, a request to access an attestation key stored in a secure element of the device. The device obtains an attestation policy, by which to verify an identity of the application. The device examines an application file associated with the application, to determine whether the application file satisfies the attestation policy. The device selectively generates a temporary key based on a result of examining the application file. The temporary key may be used to access the attestation key. The temporary key may be generated based on the application file satisfying the attestation policy, and may not be generated based on the application file not satisfying the attestation policy.

Abstract: A method and device for protecting a flow-conducting device of an installation against cavitation initiated by cyber attacks. At least one signal relating to an operating state of the installation is evaluated by an evaluation unit in order to detect a cyber attack by comparison with at least one reference value. If the evaluation unit detects a willfully brought-about irregular operating mode of the installation based on the evaluation, the unit passes on signals to components of the installation to bring about an installation operating mode which is in compliance with regulations and during which generation of cavitation is avoided, and produces a state in which the flow-conducting device is protected against the current cyber attack and/or against future cyber attacks.

Abstract: In order to improve the efficiency of transfer to outside devices while necessary buffer memory is suppressed, the present invention is an information processing apparatus for decoding a packet that is encrypted in accordance with Transport Layer Security (TLS) protocols and in which a padding portion has a variable length, the information processing apparatus including acquisition means for acquiring an encrypted packet on a unit data basis, decoding means for decoding the encrypted packet on the unit data basis, output means for outputting decoded data obtained through the decoding performed by the decoding means to an external device in accordance with an order in which the decoding is performed by the decoding means, and control means for restricting output to be performed by the output means in a case where a padding pattern is detected from the decoded data obtained through the decoding performed by the decoding means.

Abstract: A system includes a parallel redundancy protocol (PRP) link redundancy entity (LRE) configured to receive data and copy the data to create a first copy of the data and a second copy of the data for transmission and a switch configured to cause operation between a first PRP media access control security (MACsec) mode and a second PRP MACsec mode to encrypt the data. The first PRP MACsec mode includes performing MACsec encryption on the data received by the PRP LRE prior to the data being copied by the PRP LRE, and the second PRP MACsec mode includes performing the MACsec encryption on the first copy of the data and the second copy of the data after the data has been copied by the PRP LRE.

Abstract: A system and method for securely encrypting and booting a headless appliance. A computerized method is disclosed that includes: providing the network appliance with content encrypted with a secret key; launching the network appliance in a fallback configuration that provides limited operational capabilities; forwarding a request for the secret key to an online service that independently utilizes an identity provider to establish trust with an appliance administrator; receiving the secret key from the online service upon establishment of trust with the appliance administrator; decrypting the content with the secret key received from the online service; and utilizing the content to launch the network appliance in a full configuration.

Abstract: Protecting usage of key store content at a given user device of an end user includes receiving the key store content at the given user device. The key store content includes key materials encrypted using encryption credentials compatible with the given user device. The key store content is in a format compatible with the given user device. The encrypted key materials of the key store content are imported to a protected key store of the given user device, wherein all the key materials of the key store content are imported at one go. The key materials are stored at the protected key store in the encrypted form, and are non-exportable from the key store. Internally within the protected key store, one or more key store integrated services of the given user device are allowed to access the non-exportable key materials for use, via key references only.

Abstract: A data processing method based on an integrated chip is provided. The method includes providing computing information of a trusted computing chip to a high-speed encryption chip, and invoking the high-speed encryption chip to perform data encryption or trusted computing based on the computing information. As such, after these two types of chips are integrated, these two types of secure computing (the trusted computing and the data encryption) can share common computing information. Compared with using individual sets of computing information before integration, corresponding hardware and management costs are reduced. Moreover, the trusted computing chip is superior to the high-speed encryption chip in terms of functional integrity and reliability for data encryption functions. Storing the computing information by the trusted computing chip can improve the security of the data encryption.

Abstract: A method for storing encrypted data in a non-volatile memory device, that includes receiving, by a processor, an indication of a power interruption event; disabling, based on the indication, decryption of encrypted data read from a volatile memory module; copying the encrypted data from the volatile memory module to cache; and copying the encrypted data from the cache to the non-volatile memory device.