Abstract: Mechanisms are provided for computing resource access security in which a credential of a user agent is authenticated to determine if the user agent is associated with an entity for which an attribute based encryption (ABE) key is to be generated. If so, an ABE key is generated and provided which corresponds to a set of attributes of the entity. Token issuance logic receives a token request and the ABE key from a relying party computing device and executes a decryption operation on locking metadata associated with at least one attribute value based on the ABE key. The token issuance logic, in response to the decryption operation successfully decrypting the locking metadata, issues a generated token to the relying party computing device based on the at least one attribute value. The relying party computing device accesses the computing resources using the generated token.

Abstract: A system and method are provided to facilitate securing windows discretionary access control. During operation, the system determines a Windows domain model including capability assignments of principals on resources, wherein a respective capability assignment comprises a permission of a respective principal to a respective resource and wherein a respective principal comprises a user or a group of users. The system specifies desired effective permissions of each principal to each resource. The system generates, based on the specified desired effective permissions, access control entries for the respective principal to the respective resource. The system generates, based on the specified desired effective permissions, group memberships indicating which users belong to which groups.

Abstract: A system and method for applying cybersecurity policies across multiple computing environments is presented.

Abstract: Decrypting data at a first storage system that has been encrypted at a second, separate, storage system includes the first storage system requesting a key that decrypts the data from the second storage system, the second storage system determining if the first storage system is authorized for the key, the second storage system providing the key to the first storage system in response to the first storage system being authorized, a host that is coupled to the first storage system obtaining the key from the first storage system, and the host using the key to decrypt and access the data at the first storage system. The host and the first storage system may provide failover functionality for a system that includes the second storage system. The host may obtain the key from the first storage system in response to a failure of the system that includes the second storage system.

Abstract: A hidden information-based security system includes a security agent. The security agent includes: a hidden information module configured to search for custom.xml by analyzing the source code of electronic document data executed by an operating system-based word processor unit, and to identify authority information; a content execution module configured to control the content execution of the electronic document data by the word processor unit according to the control of a security module; and the security module configured to generate hidden information, in which a security agent-dedicated fmtID is designated, by hiding custom.xml, in which authority information for security of electronic document data is configured, at a specific location in source code of the corresponding electronic document data by using a steganographic technique, and to compare the authority information with reference information and restrict an allowable range of content.

Abstract: Disclosed herein are a process, an apparatus, and an article of manufacture for storing encrypted documents using a plurality of participating nodes that submit transactions to and/or retrieve transactions from a blockchain network. Functionality disclosed herein includes, but is not limited to, generating a collaborative public key with each of the participating nodes having a share of a corresponding collaborative private key, submitting, based on the collaborative public key and one or more shares of corresponding collaborative public keys, a respective encrypted document to a document repository, submitting a commitment transaction and a subsequent transaction associated with the encrypted document, and, at a future time, retrieving, based on a share of the collaborative public key, a set of subsequent transactions to generate a collective private key and decrypt the encrypted document.

Abstract: A key management system for providing encryption of a disk in a client device is provided. The system comprises a trusted platform module (TPM) having a first fragment of a key, a remote storage having a second fragment of the key, and a processing unit to partially boot instructions relating to booting of the client device, send a request for validation to the TPM, receive the first fragment of the key from the TPM on successful validation, request for the second fragment of the key with credentials to access the remote storage. The credentials and a network of the request are verified, the second fragment of the key is transmitted on successful validation. The first fragment and the second fragment of the key are combined to generate an encryption key for booting the client device. The first fragment of the key and the second fragment of the key are rotatable.

Abstract: A method which comprises storing a readable identifier, which identifies a semiconductor product, and a unique key, being unique for said semiconductor product or for a group of semiconductor products, in a memory of said semiconductor product, generating an initial security data structure, said initial security data structure depending on a root key and on said unique key, wherein both said root key and said unique key are assigned to said semiconductor product, and wherein said initial security data structure is assigned to said readable identifier, and supplying said initial security data structure to said semiconductor product for further processing.

Abstract: Validating proof of possession (POP) of a private key by a device. A computer system generates a provisioning package for a device catalog. The provisioning package including a POP challenge. After generating the provisioning package, the computer system receives a device activation request for a device. The device activation request includes a public key, a device identifier, and a signature. The computer system validates POP of a private key corresponding to the public key, including using the public key, the device identifier, and the POP challenge to cryptographically verify the signature. The computer system establishes a trust relationship with the device, including registering the public key and the device identifier into the device catalog.

Abstract: A method is provided. In some examples, the method includes reading a first customer identification value from a first memory on a device and reading a second customer identification value from a first field in a certificate. The method also includes determining whether the first customer identification value matches the second customer identification value. In addition, the method includes reading application data from a second field in the certificate in response to determining that the first customer identification value matches the second customer identification value. The method further includes writing the application data to a second memory on the device in response to determining that the first customer identification value matches the second customer identification value.

Abstract: Systems, methods, and software can be used to identify API use in a binary code. In some aspects, a method comprises: obtaining a base memory-write profile description for a binary code, wherein the description comprises: a base memory-write profile for each of a plurality of API calls in the binary code, wherein the base memory-write profile comprises a count of memory updates for each of a plurality of memory locations during an execution of a corresponding API call; receiving an execution request that invokes the binary code; generating an execution memory-write profile for the request, wherein the execution memory-write profile comprises a count of memory updates for each memory location during an execution of the request; determining, based on a comparison between the execution memory-write profile and the base memory-write profiles in the description, an API call corresponding to the request; and generating a notification indicating the determined API call.

Abstract: Hybrid encryption of imported key material is provided. A request to import key material is received from a user system. In response to the request, two public keys are sent to the user system. The two public keys include a classical cryptography (CC) public key and a quantum-safe cryptography (QSC) public key. At least one public key of the two public keys is retrieved from a hardware security module (HSM). Hybrid-encrypted key material is received from the user system. The hybrid-encrypted key material is key material that has been encrypted using the two public keys. The key material, at least partially encrypted by the at least one public key, is sent to the HSM.

Abstract: Systems and methods are provided that may be implemented by services executing on one or more remote servers and on an endpoint information handling system to remotely erase (i.e., clear or remove) biometric fingerprint credential data that is previously stored on non-volatile memory of a discrete “match-on chip” fingerprint reader (MOFR) of the endpoint information handling system, as well as to erase separate non-biometric OS user identifier (ID) fingerprint enrollment information stored on separate system non-volatile memory of the endpoint information handling system.

Abstract: The present invention relates to a method and a system for providing processing data to a numerically controlled machine tool (100), comprising: providing processing data (S301) to a data processing device (300), wherein the processing data comprises numeric control data, in particular one or more NC programs, on the basis of which a processing of a workpiece on the numerically controlled machine tool (100) can be carried out; specifying encryption specifications (S302) on the data processing device (300), which indicate specifications for encrypting the processing data and/or the execution data; specifying authentication specifications (S303) on the data processing device (300), which indicate specifications for authentication of the numerical machine tool and/or of an operator of the machine tool; specifying execution specifications (S304) on the data processing device (300), which indicate specifications for the machining of the workpiece on the numerically controlled machine tool; generating execution dat

Abstract: This disclosure describes techniques for allowing an organization to manage user identities. In some examples, the management of user identities may be serverless. In some examples, serverless identity management may be enabled through a distributed application on user devices of the organization. The application may generate and/or store information related to the user identities on the user devices. Serverless identity management may further include storing at least some of the information at a location that is easily accessible to the user devices, such as a cloud computing location, while maintaining security for private data. Serverless identity management may therefore provide an organization with greater operational flexibility.

Abstract: There is provided an information processing terminal, an information processing device, an information processing method, a program, and an information processing system which enable key change to be performed more reliably. A user terminal includes: a secure element that has a protection area in which an area in which data to be protected is stored is protected by an encryption key; and a processing execution unit that executes a process of changing, in the secure element, a first key used at a time of shipment to a second key different from the first key. Setting information which is referred to when the first key is changed to the second key is stored at the time of shipment in the protection area.

Abstract: Mesh agents for an overlay network may be provided such that each mesh agent may be hosted on network computers in the overlay network. In response to a network interface providing raw datagrams to a mesh agent in the overlay network further actions may be performed, including: determining a payload protocol based on the raw datagrams; determining payload datagrams included in the raw datagrams based on the payload protocol; determining a request from a client based on the payload datagrams and the payload protocol; or the like. In response to an infrastructure security computer determining validation information that validates the request further actions may be performed, including: modifying the payload datagrams based on the payload protocol and the validation information; modifying the raw datagrams to include the modified payload datagrams; forwarding the modified raw datagrams to a next mesh agent identified with the validation information; or the like.

Abstract: Techniques described herein relate to a method for composition for complex solutions. The method may include receiving, by a system control processor manager, a composition request to compose a composed information handling system, the request comprising a solution manifest file; parsing, by the system control processor manager, the solution manifest file to identify a solution requirement set; performing, using the solution requirement set, an analysis of a telemetry data map and a topology and connectivity graph; making a determination, based on the analysis, that the composition request may be satisfied using resources represented in the topology and connectivity graph; and composing the composed information handling system based on the determination.

Abstract: The inputs and/or outputs of a generative artificial intelligence model are monitored to determine whether they contain or otherwise elicit undesired behavior by the model such as bypassing security measures, leaking sensitive information, or generating or consuming malicious content. This determination can be used to selectively trigger remediation processes to protect the model from malicious actions. Related apparatus, systems, techniques and articles are also described.

Abstract: One embodiment provides a method, including: identifying, using a tamper detection switch of an information handling device, a tampering event; determining, using a processor, contextual data associated with the tampering event; constructing, based on the determining, a signal comprising the contextual data; and broadcasting, using a radio transmission beacon, the signal. Other aspects are described and claimed.

Abstract: In order to improve the efficiency of transfer to outside devices while necessary buffer memory is suppressed, the present invention is an information processing apparatus for decoding a packet that is encrypted in accordance with Transport Layer Security (TLS) protocols and in which a padding portion has a variable length, the information processing apparatus including acquisition means for acquiring an encrypted packet on a unit data basis, decoding means for decoding the encrypted packet on the unit data basis, output means for outputting decoded data obtained through the decoding performed by the decoding means to an external device in accordance with an order in which the decoding is performed by the decoding means, and control means for restricting output to be performed by the output means in a case where a padding pattern is detected from the decoded data obtained through the decoding performed by the decoding means.

Abstract: An example apparatus can include a memory device and a controller coupled to the memory device configured to receive a command including command information to access a register from a host device. The controller can grant access to the register in response to the controller determining the command is valid and/or deny access to the register in response to the controller determining the command is invalid. The controller can determine the command is valid by calculating an answer using a seed from the command in a formula and verifying the calculated answer matches an answer from the command. The command, once verified as valid, can allow the host device to access configuration registers and/or data registers.

Abstract: A hardware camera may include a camera sensor configured to determine input image data. The hardware camera may also include an image signal processor configured to perform one or more image signal processing operations on the input image data. The hardware camera may also include a neural processing unit configured to determine encoded image data by encoding the input image data with an image data encoder portion of a camera autoencoder. The camera autoencoder may be trained based on training image data collected from the camera sensor and a fingerprint specific to the hardware camera. The hardware camera may also include a camera communication interface configured to transmit the encoded image data to a remote computing system, which may determine decoded image data by decoding the encoded image data via an image data decoder portion of the camera autoencoder.

Abstract: An integrated circuit comprising a CPU coupled to a system bus, a network interface configured to interface with an external device, and a crypto neuromorphic core coupled to the system bus. The cryptographic core comprising a processor or core, an internal bus, and a non-transitory computer-readable memory, wherein the crypto neuromorphic core is isolated from the CPU and the network interface via the system bus and the crypto neuromorphic core runs its own operating system. The crypto neuromorphic core is configured to: contain a secure core comprising a secure processor and dedicated/protected memory; store a private key in the dedicated/protected memory accessible to the secure core but not accessible to other components of the crypto neuromorphic core, the central processing unit, and the network interface; add data to a blockchain using the private key via the network interface; and read data from the blockchain via the network interface.

Abstract: A vehicle control system includes: an entry/exit management device including a first processor including hardware, the first processor being configured to detect that a user of a vehicle enters or leaves a facility, and output a first signal indicating user's entering the facility and a second signal indicating user's leaving the facility, to a server; and the server comprising a second processor comprising hardware, the second processor being configured to output to the vehicle a third signal for deactivating a smart key function of the vehicle when acquiring the first signal and prohibit unlocking of a door of the vehicle performed by wireless communication, and output to the vehicle a fourth signal for setting the smart key function of the vehicle when acquiring the second signal and permit unlocking of the door of the vehicle performed by wireless communication.

Abstract: Methods for securing an electronic communication is provided. Methods may include, in a registration process, creating and/or selecting an anti-phish, personalized, security token for a predetermined avatar. Methods may include, in the registration process, storing the token in a database. Methods may include, in an in-use process, generating an electronic communication at a virtual kiosk in a metaverse. Methods may include, in the in-use process, forwarding an electronic communication from the virtual kiosk to the avatar. The avatar may be associated with the account. Methods may include, in the in-use process, intercepting the communication at an edge interface. Methods may include, in the in-use process, selecting, from the database, the anti-phish, personalized, security token that is associated with the account. Methods may include, in the in-use process, injecting the selected token into the communication.

Abstract: Representative embodiments are disclosed for providing network and system security. A representative apparatus includes an input-output connector coupleable to a data network; a network interface circuit having a communication port; a nonvolatile memory storing a configuration bit image; and a field programmable gate array (“FPGA”) coupled to the network interface circuit through the communication port, the FPGA configurable to appear solely as a communication device to the first network interface circuit, and to bidirectionally monitor all data packets transferred between the input-output connector and the first network interface circuit and any coupled host computing system. In another embodiment, the FPGA is further configurable for only a partial implementation of a communication protocol, such as a PCIe data link and/or physical layers. The FPGA may also monitor host memory and provide encryption and decryption functionality.

Abstract: Mesh agents for an overlay network may be provided such that each mesh agent may be hosted on network computers in the overlay network. In response to a network interface providing raw datagrams to a mesh agent in the overlay network further actions may be performed, including: determining a payload protocol based on the raw datagrams; determining payload datagrams included in the raw datagrams based on the payload protocol; determining a request from a client based on the payload datagrams and the payload protocol; or the like. In response to an infrastructure security computer determining validation information that validates the request further actions may be performed, including: modifying the payload datagrams based on the payload protocol and the validation information; modifying the raw datagrams to include the modified payload datagrams; forwarding the modified raw datagrams to a next mesh agent identified with the validation information; or the like.

Abstract: A content stake offering system is disclosed. The content stake offering system includes a content stake offering module, comprising computer-executable code stored in non volatile memory, a processor, and a plurality of computing devices. The content stake offering module, the processor, and the plurality of computing devices are configured to receive a request to sell a stake of content, determine a value of the content, generate a stake offering based on the value of the content, and update the value of the content. Determining the value of the content includes transferring data of a piece of content between the plurality of computing devices, recording a content data, which corresponds to the transferred data of the piece of content, in a database chunk, hashing the database chunk into a hashed database chunk, and appending the hashed database chunk to a block on a blockchain.

Abstract: A blockchain based alias directory may be utilized. Encrypted lists of aliases may be stored on the blockchain and may be accessible to network computers and secure gateways. Embodiments are directed to secure gateways and user devices for accessing the alias directory stored in the blockchain during a financial transaction. The user device may be provided with a list of aliases from which a user may select a payment account. Upon selection the user may be redirected to an identity verification system of the associated payment network.

Abstract: Techniques for obfuscating and deploying digital assets (e.g., mobile applications) are provided to mitigate the risk of unauthorized disclosure. An asset can be received that is to be deployed to a plurality of mobile devices, each of the mobile devices associated with a corresponding account having account attributes. A deployment group of one or more mobile devices for deploying the asset can be identified based on a set of one or more obfuscation parameters, comprising account attributes shared among the one or more mobile devices within the deployment group. A customized obfuscation scheme to be applied to the asset can be determined based at least in part on the set of obfuscation parameters. The customized obfuscation scheme can be applied to the asset to generate an obfuscated asset. The obfuscated asset can be transmitted and/or updated over a network to the one or more mobile devices within the deployment group.

Abstract: A message limit value to be used in enqueuing one or more messages on a queue of a device of the computing environment is obtained. The message limit value indicates whether an extended maximum message length is supported by the device. The extended maximum message length is different from a default maximum message length supported by the device. Based on determining that the extended maximum message length is supported and that the obtained message limit value has a defined relationship with a select value, at least one message of an extended length is enqueued on the queue of the device.

Abstract: An individual data unit for enhancing the security of a user data record is provided that includes a processor and a memory configured to store data. The individual data unit is associated with a network and the memory is in communication with the processor. The memory has instructions stored thereon which, when read and executed by the processor cause the individual data unit to perform basic operations only. The basic operations include communicating securely with computing devices, computer systems, and a central user data server. Moreover, the basic operations include receiving a user data record, storing the user data record, retrieving the user data record, and transmitting the user data record. The individual data unit can be located in a geographic location associated with the user which can be different than the geographic locations of the computer systems and the central user data server.

Abstract: A highly versatile process control or factory automation field device is configured with an interface and communication connection structure and security features that enable the field device to operate as a data server that communicates with and supports multiple different applications or clients, either directly or indirectly, while simultaneously performing standard process and factory automation control functions in a highly secure manner. The security features include a root of trust component, a secure boot component, secure memory components, secure communication components, security audit components, secure provisioning components and endpoint identity components, making the field device communications and operations secure and trustworthy.

Abstract: Embodiments of systems and methods for managing control of a security processor in a supply chain are described. In some embodiments, a security processor may include: a core; and a memory coupled to the core, the memory having program instructions stored thereon that, upon execution by the core, cause the security processor to: store a first public key usable to initiate a first secure boot process and unusable to initiate a second secure boot process; store a second public key usable to initiate the second secure boot process and unusable to initiate the first secure boot process; and in response to a first change of control or ownership of the security processor, render the first public key unusable to initiate the first secure boot process.

Abstract: Example embodiments of systems and methods for data transmission in a contactless card are provided. The contactless card may include a processor, and a memory. The memory may contain a first applet, a second applet, and a plurality of keys. The first applet and the second applet may be stored within a shared security domain. The second applet may be configured to communicate with the first applet to perform one or more cryptographic services. The second applet may be configured to transmit one or more requests to the first applet to encode one or more payload strings based on the plurality of keys to perform the one or more cryptographic services. The first applet may be configured to perform the one or more cryptographic services on behalf of the second applet based on the one or more requests.

Abstract: A computer implemented system and method provide for a transfer learning platform system. The method provides an introduced enterprise security policy (IESP) to a first enterprise system. During a threat, the IESP is toggled on and off. A first change element is determined that represents a change in a logging system of the first enterprise between a first and second log element of the first enterprise captured when the IESP was toggled on and off, respectively. The IESP is provided to a second enterprise system. A second change element is determined that represents a change in a logging system of the second enterprise between a first log element of the second enterprise. The method further determines that the first and second change element are different, and, conditioned upon the determining that the second change element is different than the first change element, removes the IESP from the second enterprise system.

Abstract: Methods and systems for managing the operation of data processing systems are disclosed. A data processing system may include a computing device that may enter various operating states by performing various types of startups. Performance of some startups may be restricted by use of passwords or other security information. The data processing systems may host management controllers that may bypass the restrictions on the startups. Prior to doing so, the management controllers may verify that the requests to perform the startups are from trusted entities, or should be performed for other reasons.

Abstract: Technologies for trusted I/O attestation and verification include a computing device with a cryptographic engine and one or more I/O controllers. The computing device collects hardware attestation information associated with statically attached hardware I/O components that are associated with a trusted I/O usage protected by the cryptographic engine. The computing device verifies the hardware attestation information and securely enumerates one or more dynamically attached hardware components in response to verification. The computing device collects software attestation information for trusted software components loaded during secure enumeration. The computing device verifies the software attestation information. The computing device may collect firmware attestation information for firmware loaded in the I/O controllers and verify the firmware attestation information.

Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).

Abstract: A memory controller for controlling a non-volatile memory device includes a key management unit configured to control an access right to a secure key based on a biometric authentication message and a unique value, which are received from an external device; and a data processing unit configured to encrypt data received from a host and decrypt data stored in the non-volatile memory device based on the secure key.

Abstract: Examples disclosed herein relate to processing health information of a computing device according to a deep learning model to determine whether an anomaly has occurred. Multiple computing devices can be part of a system. One of the computing devices includes a host processing element, a management controller separate from the host processing element, and a deep learning model that includes parameters that are trained to identify anomalistic behavior for the computing device. The management controller can receive health information from multiple components of the computing device and process the health information according to the deep learning model to determine whether an anomaly occurred.

Abstract: A memory controller and a storage device including the same are disclosed. A memory controller for controlling a nonvolatile memory includes: a security access control module configured to convert biometric authentication data received from a biometric module into security configuration data having a data format according to a security standard protocol and perform, based on the security configuration data, at least one of authority registration and authority authentication of a user authority set for an access control of a secure area of the nonvolatile memory, encrypted user data being stored in the secure area; and a data processing unit configured to, based on an access to the secure area being permitted, encrypt user data received from a host device or decrypt the encrypted user data read from the secure area.

Abstract: The invention introduces an apparatus for encrypting and decrypting user data, including a memory, a bypass-flag writing circuit and a flash interface controller. The bypass-flag writing circuit writes a bypass flag in a remaining bit of space of the memory that is originally allocated for storing an End-to-End Data Path Protection (E2E DPP), where the bypass flag indicates whether user data has been encrypted. The flash interface controller reads the user data, the E2E DPP and the bypass flag from the memory and programs the user data, the E2E DPP and the bypass flag into the flash device.

Abstract: In some examples, a management controller includes a communication interface to communicate with a computing device, where the management controller is separate from a processor of the computing device. The management controller includes a management processor to receive, from the computing device, a first hash value that is based on a first hash function applied on an input value and a salt, generate a second hash value based on applying a second hash function on the first hash value and a pepper, and send the second hash value to the computing device.

Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.

Abstract: Various embodiments of the present invention set forth techniques for security monitoring of a network connection, including analyzing network traffic data for a network connection associated with a computing device, identifying one or more network traffic metrics for the network connection based on the network traffic data, determining that the network connection corresponds to at least one network connection profile based on the one or more network traffic metrics, detecting a potential security threat for the network connection based on the one or more network traffic metrics and the at least one network connection profile, and initiating a mitigation action with respect to the network connection in response to detecting the potential security threat. Advantageously, the techniques allow detecting potential security threats based on network traffic metrics and categorizations, without requiring monitoring of the content or the total volume of all traffic exchanged via the connection.

Abstract: In some embodiments, securing device commands includes a first electronic device receiving a command authorization request message from a second electronic device, including a device command to be performed by the second electronic device, a command argument, and a first message authentication code (MAC) generated by applying a hash function to the device command, the command argument and a first counter value. The first electronic device generates a second MAC by applying the hash function to the device command, the command argument and a second counter value synchronized with the first counter value. The first electronic device compares the first MAC and the second MAC to authenticate the device command and transmit a command approval message or a command denial message. The command approval message causes the second electronic device to perform the device command and the command denial message causes the second electronic device to reject the device command.

Abstract: One embodiment provides an apparatus. The apparatus includes a lightweight cryptographic engine (LCE), the LCE is optimized and has an associated throughput greater than or equal to a target throughput.

Abstract: Examples of cloud-based removable drive encryption policy enforcement and recovery key management are described. In some examples, a removable drive encryption policy is received from a cloud-based management service. A removable drive is recognized by an operating system of a client device. An encryption command causes the operating system to request user password creation and encrypt the removable drive. A recovery key is identified from a write-output of the operating system. The recovery key is transmitted to the cloud-based management service for storage in a cloud-based removable drive recovery key escrow.