Having Separate Add-on Board Patents (Class 713/192)
  • Patent number: 11394700
    Abstract: Described are platforms, systems, and methods for providing an in-line, transparent Transmission Control Protocol (TCP)/Transport Layer Security (TLS) proxy. In one aspect, a programmable input output (IO) device comprises at least one advanced reduced instruction set computer (RISC) machine (ARM) core communicably coupled to at least one central processing unit (CPU) core of a host device; a programmable P4 pipeline comprising a cryptographic offload subsystem; and a memory unit. The programmable IO device executing instruction stored on the memory unit comprising: establishing a session for an incoming TCP connection received from a remote host via the at least one ARM core; processing data packets received from the remote host via the programmable P4 pipeline; decrypting the received data packets via the cryptographic offload subsystem; and providing the decrypted data packets to the host device.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: July 19, 2022
    Assignee: PENSANDO SYSTEMS INC.
    Inventors: Sameer Kittur, Raghava Kodigenahalli Sivaramu, Alok Rathore, Vijay Sampath, Vipin Jain
  • Patent number: 11303653
    Abstract: An information security system that includes an information security engine configured to monitor data transmissions within a network and to detect a first attack by a malicious software element. The information security engine is further configured to detect a second attack by the malicious software element within a predetermined time interval from the first attack and to transfer the malicious software element from the network to an emulated network in response to detecting the second attack. The information security engine is further configured to generate an attack log comprising behavior characteristics for attacks performed by the malicious software element in the emulated network and to train a machine learning model based on behavior characteristics from the attack log.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: April 12, 2022
    Assignee: Bank of America Corporation
    Inventors: Jo-Ann Taylor, Michael J. Sbandi, Benjamin F. Tweel
  • Patent number: 11258581
    Abstract: A method is provided for transmitting encrypted packets from a first node to a second node of a communication network. The first node pads each plaintext packet with a respective padding content. The padded plaintext packets are then encrypted and transmitted to the second node. For each plaintext packet, the first node randomly selects the padding size in a range comprised between a minimum padding size and a maximum padding size. If the size of a plaintext packet is lower than a predefined minimum packet size, the minimum padding size is set equal to the difference between predefined minimum packet size and the plaintext packet size.
    Type: Grant
    Filed: December 15, 2016
    Date of Patent: February 22, 2022
    Assignee: Telecom Italia S.p.A.
    Inventor: Mauro Cociglio
  • Patent number: 11204832
    Abstract: A method is provided for detecting a cold boot attack in a data processing system. The data processing system includes a processor, a memory with ECC, and a monitor circuit. In the method, during a boot process of the data processing system, the monitor circuit counts read and write accesses to the memory and maintains a count of the number of errors in the memory detected by the ECC. The read and write access count and the error count are used to detect suspicious activity that may indicate a cold boot attack on the memory. A data processing system that implements the method is also provided.
    Type: Grant
    Filed: April 2, 2020
    Date of Patent: December 21, 2021
    Assignee: NXP B.V.
    Inventor: Jan-Peter Schat
  • Patent number: 11171990
    Abstract: A security system within a digital network receives a request to access a feature of the digital network from a remote computing device. The security system obtains characteristic data corresponding to the remote computing device and generates a security score corresponding to the remote computing device based at least in part on the characteristic data. The security system compares the security score to an access threshold, allowing the remote computing device to access the feature of the digital network if the security score exceeds the access threshold.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: November 9, 2021
    Assignee: Entreda, Inc.
    Inventors: Siddharth Yenamandra, Farshad Ghaffari
  • Patent number: 11146388
    Abstract: A method of encrypting a data file includes: opening the data file; selecting, via a first user interface, a portion of the data file; encrypting, via an encryption component, the selected portion of the data file as one of a first level of encryption associated with a first authorized user and a second level of encryption associated with a second authorized user so as to create an encrypted data file; and saving the encrypted data file. The encryption component includes an out-of-band encryption key component having stored therein, a first encryption key associated with the first level of encryption and a second encryption key associated with the second level of encryption.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: October 12, 2021
    Assignee: United States of America as represented by the Secretary of the Navy
    Inventors: Matthew Galligan, Nhan Nguyen, John P. Waxler, William Dennis Bressler
  • Patent number: 11113402
    Abstract: Methods, systems and apparatuses may provide for technology that includes a system on chip (SoC) having a root of trust and an embedded controller to conduct functional safety operations and non-functional safety operations with respect to the SoC. The technology may also include an enhanced serial peripheral interface (eSPI) coupled to the SoC and the embedded controller, wherein the eSPI is to tunnel communications associated with the functional safety operations between the embedded controller and the root of trust.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: September 7, 2021
    Assignee: Intel Corporation
    Inventors: Mikal Hunsaker, Mark Feuerstraeter, Asad Azam, Zhenyu Zhu, Navtej Singh
  • Patent number: 11062040
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for enabling blockchain-based service of process. One method includes: receiving a request generated based on a blockchain-based application for delivering a notice associated with a legal action from a serving party to another party. The serving party is determined to be a registered user of the blockchain-based application. A time that the request is received is recorded on the blockchain. If the party to be served is determined to be a registered user of the blockchain-based application, identifying one or more manners of delivering the notice based on available communication methods included in the registration information of the serving party and registration information of the party to be served. The notice to the party to be served is determined based on at least one of the one or more manners.
    Type: Grant
    Filed: December 13, 2019
    Date of Patent: July 13, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Zhiguo Li
  • Patent number: 11042655
    Abstract: A method for data decryption comprises receiving, over an AXI bus operating in burst mode, data access requests for data units stored in a memory, subdividing the requests received into requests for encrypted data units and requests for non-encrypted data units, forwarding both requests for encrypted data units and requests for non-encrypted data units towards the memory, retrieving the respective sets of data units over the AXI bus, and applying Advanced Encryption Standard, AES, processing to the requests for encrypted data units by calculating decryption masks for the encrypted data units and applying the decryption masks calculated to the encrypted data units retrieved. Subdividing the requests into requests for encrypted data units and requests for non-encrypted data units is performed depending on data start addresses and security information conveyed by the requests.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: June 22, 2021
    Assignee: STMICROELECTRONICS S.r.l.
    Inventors: Giuseppe Guarnaccia, Rosalino Critelli
  • Patent number: 10999059
    Abstract: An integrated circuit comprising a CPU coupled to a system bus, a network interface configured to interface with an external device, and a crypto neuromorphic core coupled to the system bus. The cryptographic core comprising a processor or core, an internal bus, and a non-transitory computer-readable memory, wherein the crypto neuromorphic core is isolated from the CPU and the network interface via the system bus and the crypto neuromorphic core runs its own operating system. The crypto neuromorphic core is configured to: contain a secure core comprising a secure processor and dedicated/protected memory; store a private key in the dedicated/protected memory accessible to the secure core but not accessible to other components of the crypto neuromorphic core, the central processing unit, and the network interface; add data to a blockchain using the private key via the network interface; and read data from the blockchain via the network interface.
    Type: Grant
    Filed: January 29, 2019
    Date of Patent: May 4, 2021
    Inventor: Alexander Yuan Shi
  • Patent number: 10901704
    Abstract: A software cryptography library management program allows a user to provide a software cryptography library via a graphical user interface. A cryptography toolbox program displays to the user a plurality of cryptographic operation modules in a cryptography toolbox view such that each of the cryptographic operation modules is a graphical shape representation of an operation that performs one or more of application programming interfaces from the provided software cryptography library. A cryptography design program allows the user to place cryptographic operation modules in a drawing area to form a cryptosystem. The user sends a command to a simulation engine to simulate the cryptosystem using the application programming interfaces. The user may send a different command to a code generation engine to generate code from the cryptosystem using the application programming interfaces.
    Type: Grant
    Filed: July 19, 2020
    Date of Patent: January 26, 2021
    Assignee: XMODN SECURITY, LLC
    Inventor: Nader Mazen Rabadi
  • Patent number: 10896265
    Abstract: An example apparatus can include a memory device and a controller coupled to the memory device configured to receive a command including command information to access a register from a host device. The controller can grant access to the register in response to the controller determining the command is valid and/or deny access to the register in response to the controller determining the command is invalid. The controller can determine the command is valid by calculating an answer using a seed from the command in a formula and verifying the calculated answer matches an answer from the command. The command, once verified as valid, can allow the host device to access configuration registers and/or data registers.
    Type: Grant
    Filed: August 2, 2018
    Date of Patent: January 19, 2021
    Assignee: Micron Technology, Inc.
    Inventor: Kevin R. Duncan
  • Patent number: 10891083
    Abstract: A method and associated system for randomizing data to be stored in a memory storage device including, receiving a plurality of data bytes to be randomized at a memory controller and written to a page of a memory storage device, wherein the page comprises a plurality of data sectors and wherein each of the plurality of data sectors are configured to store a plurality of data bytes, randomizing a first portion of the plurality of data bytes using a first randomizer initialized by a first seed to generate a first portion of randomized data bytes and randomizing a second portion of the plurality of data bytes using a second randomizer initialized by a second seed to generate a second portion of randomized data bytes, wherein the first seed is uncorrelated with the second seed.
    Type: Grant
    Filed: March 14, 2018
    Date of Patent: January 12, 2021
    Assignee: MICROSEMI SOLUTIONS (US), INC.
    Inventors: Unnikrishnan Sivaraman Nair, Rino Micheloni, Alessia Marelli
  • Patent number: 10878113
    Abstract: Techniques are disclosed relating to data storage. In various embodiments, a computing device includes first and second processors and memory having stored therein a first encrypted operating system executable by the first processor and a second encrypted operating system executable by the second processor. The computing device also includes a secure circuit configured to receive, via a first mailbox mechanism of the secure circuit, a first request from the first processor for a first cryptographic key usable to decrypt the first operating system. The secure circuit is further configured to receive, via a second mailbox mechanism of the secure circuit, a second request from the second processor for a second cryptographic key usable to decrypt the second operating system, and to provide the first and second cryptographic keys.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: December 29, 2020
    Assignee: Apple Inc.
    Inventors: Wade Benson, Michael J. Smith, Joshua P. de Cesare
  • Patent number: 10853504
    Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: December 1, 2020
    Assignee: Apple Inc.
    Inventors: Timothy R. Paaske, Mitchell D. Adler, Conrad Sauerwald, Fabrice L. Gautier, Shu-Yi Yu
  • Patent number: 10839370
    Abstract: A transaction device for securing a transaction includes an NFC controller, a communication interface, an application processor, a display and a user input device. The NFC controller is configured to receive, via a contactless NFC interface, data related to the transaction from an external device. The communication interface is configured to receive an application program for the transaction device. The application processor is coupled to the NFC controller and configured to process the application program. The display is coupled to the application processor and configured to display transaction information. The user input device is linked to the NFC controller and configured to receive a user acknowledgement of the transaction.
    Type: Grant
    Filed: July 18, 2018
    Date of Patent: November 17, 2020
    Assignee: VERIMATRIX
    Inventor: Jean-Bernard Blanchet
  • Patent number: 10810138
    Abstract: This disclosure is directed to a processing device including a memory to store data, processing circuitry to process data, the processing circuitry including a memory controller to control access to the memory and encryption circuitry to encrypt and decrypt data, and I/O circuitry. The I/O circuitry includes an I/O port to write data to a storage device and to read data from the storage device and an enable encryption bit associated with the I/O port, the I/O port to receive a request to read data from the memory, to send a read command to the memory controller with an enable encryption attribute set when the enable encryption bit is set, and to send a read command to the memory controller with the enable encryption attribute not set when the enable encryption bit is not set.
    Type: Grant
    Filed: June 14, 2018
    Date of Patent: October 20, 2020
    Assignee: Intel Corporation
    Inventors: Samantha Edirisooriya, Robert Z. Papp
  • Patent number: 10735409
    Abstract: A communication adapter for authentication of a user includes a receiving unit for receiving encrypted credentials, a decryption unit for decrypting the encrypted credentials and an output unit for outputting the decrypted credentials to a terminal device.
    Type: Grant
    Filed: March 23, 2017
    Date of Patent: August 4, 2020
    Assignee: Fraunhofer-Gesellschaft zur Foerderung der angewandten Forschung e.V.
    Inventors: Erik Krempel, Mario Kaufmann
  • Patent number: 10715509
    Abstract: Systems and methods for encryption key shredding to protect non-persistent data are described. In one embodiment, the storage system device may include a storage drive and a controller. In some embodiments, the controller may be configured to power on the storage drive, identify an encryption key on the storage drive created upon powering on the storage drive, and encrypt data in a cache of the storage drive using the encryption key. In some embodiments, the controller may be configured to power off the storage drive and delete the encryption key upon powering off the storage drive. In some cases, the storage drive may include at least one of a solid state drive and a hard disk drive. In some embodiments, the storage drive may include a hybrid storage drive that includes both a solid state drive and a hard disk drive.
    Type: Grant
    Filed: October 30, 2018
    Date of Patent: July 14, 2020
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventors: Stacey Secatch, Kristofer C. Conklin, Dana L. Simonson, Robert W. Moss
  • Patent number: 10701061
    Abstract: The invention introduces a method for blocking unauthorized applications, at least containing: receiving an input parameter from an application; determining whether the application is authenticated by inspecting content of the input parameter; randomly generating a session key, storing the session key in a file and storing the file in a path that can be accessed by a motherboard support service and the application only when the application is authenticated; and replying with the path and a filename of the file to the application.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: June 30, 2020
    Assignee: VIA TECHNOLOGIES, INC.
    Inventors: Guanghui Wu, Jinglin Liu
  • Patent number: 10685145
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: June 16, 2020
    Assignee: SOCIONEXT INC.
    Inventors: Seiji Goto, Jun Kamada, Taiji Tamiya
  • Patent number: 10666661
    Abstract: The present invention relates to an authorization processing method and a device. An authorization server receives an authorization update request including a first identifier of an access device; sends, to the access device, an authorization update response including signature request information, where the signature request information instructs the access device to sign verification information; receives a signature verification request sent by the access device, where the signature verification request includes the first identifier, the verification information, and a signature of the verification information; determines that the signature of the verification information in the signature verification request is valid; and updates the authorization relationship according to the first identifier.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: May 26, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventor: Yaoye Zhang
  • Patent number: 10552621
    Abstract: An Internet-of-Things (IoT) device platform to communicate in a trusted portion of an IoT network is disclosed. The trusted IoT platform can include a secure IoT system-on-chip (SoC) and can be integrated into various devices such that each of the devices may implement “roots of trust” to establish a trusted portion, or a trusted backbone, of the IoT network.
    Type: Grant
    Filed: September 24, 2018
    Date of Patent: February 4, 2020
    Assignee: INTEL CORPORATION
    Inventors: Ned M. Smith, Victoria C. Moore, Reshma Lal
  • Patent number: 10481900
    Abstract: The present disclosure relates to a method for updating a firmware component of a measurement and control technology device. The method includes: a segment-by-segment reception of a first firmware image; an authentication of the first firmware image based upon a first encryption method; a creation of a second authentication datum for the first firmware image via an algorithm that differs from the first encryption method; a re-transmission of the data used for updating the firmware component as a second firmware image; an authentication of the second firmware image based upon the second authentication datum; and in the case of a successful authentication of the second firmware image, enabling and execution of the firmware program code.
    Type: Grant
    Filed: April 10, 2017
    Date of Patent: November 19, 2019
    Assignee: Endress+Hauser Conducta GmbH+Co. KG
    Inventor: Björn Haase
  • Patent number: 10482034
    Abstract: Instantiating an attestation facilitation component that allows a remote application to attest to a secure state of a secure memory application executing upon a secure platform of a computer system regardless of a type of either the secure platform or a health attestation service. Instantiation comprises identifying a property that includes at least one of the secure platform type and the health attestation service type. The instantiation is customized with the identified property. The attestation facilitation component verifies that a report generated by the secure platform represents that the secure memory application is operating in a secure state, and accesses a token generated by the health attestation service that represents that the secure platform is operating in a secure state. The attestation facilitation component generates a quote that allows the remote application to verify that the secure platform and the secure memory application are both operating in secure states.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: November 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Lei Kou, Pushkar Vijay Chitnis, Simon Leet
  • Patent number: 10417428
    Abstract: Methods and systems for operating a remote desktop client from a computing system hosting a secure boot device. In some embodiments, a method comprises initiating execution of an operating system from the computing system hosting the secure boot device, the computing system communicatively connected within a secure enterprise network, the computing system being untrusted within the secure enterprise network and based on verification of received authentication credentials, booting an operating system from the secure boot device and establishing a secure communication tunnel with a service appliance.
    Type: Grant
    Filed: January 18, 2016
    Date of Patent: September 17, 2019
    Assignee: Unisys Corporation
    Inventors: Steven L. Rajcan, Matthew Mohr, Jim Trocki, Mark K. Vallevand
  • Patent number: 10326596
    Abstract: Various embodiments are generally directed to techniques for secure message authentication and digital signatures, such as with a cipher-based hash function, for instance. Some embodiments are particularly directed to a secure authentication system that implements various aspects of the cipher-based hash function in dedicated hardware or circuitry. In various embodiments, the secure authentication system may implement one or more elements of the Whirlpool hash function in dedicated hardware. For instance, the compute-intensive substitute byte and mix rows blocks of the block cipher in the Whirlpool hash function may be implemented in dedicated hardware or circuitry using a combination of Galois Field arithmetic and fused scale/reduce circuits. In some embodiments, the microarchitecture of the secure authentication system may be implemented with delayed add key to limit the memory requirement to three sequential registers.
    Type: Grant
    Filed: October 1, 2016
    Date of Patent: June 18, 2019
    Assignee: INTEL CORPORATION
    Inventors: Vikram Suresh, Sudhir Satpathy, Sanu Mathew
  • Patent number: 10042649
    Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: August 7, 2018
    Assignee: Intel Corporation
    Inventors: James A. Sutton, II, David W. Grawrock
  • Patent number: 10027637
    Abstract: A method for operating a cloud gateway is provided. The method includes generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers. The method includes encrypting, at one of a plurality of connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user. The method includes decrypting, at one of the plurality of connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user.
    Type: Grant
    Filed: March 12, 2015
    Date of Patent: July 17, 2018
    Assignee: Vormetric, Inc.
    Inventor: Saravanan Coimbatore
  • Patent number: 10007808
    Abstract: A computer system includes a crypto mechanism that decrypts and integrity-checks Secure Object information as the Secure Object information moves into the computer system from an external storage and encrypts and updates an integrity value for Secure Object information as the Secure Object information moves out of the computer system to the external storage.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: June 26, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard Harold Boivie, Dimitrios Pendarakis
  • Patent number: 9990208
    Abstract: A method and apparatus for initiating secure operations in a microprocessor system is described. In one embodiment, one initiating logical processor initiates the process by halting the execution of the other logical processors, and then loading initialization and secure virtual machine monitor software into memory. The initiating processor then loads the initialization software into secure memory for authentication and execution. The initialization software then authenticates and registers the secure virtual machine monitor software prior to secure system operations.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: June 5, 2018
    Assignee: Intel Corporation
    Inventors: James A. Sutton, II, David W. Grawrock
  • Patent number: 9967263
    Abstract: A file security management apparatus and method which protect various types of systems for executing files, entering from the outside, from malicious code, and which prevent data from being divulged from the systems and also prevent the systems from operating erroneously, thereby ultimately protecting the systems. The file security management apparatus includes a conversion module configured to convert an incoming file, received by a system, into a monitoring target file; a search module configured to identify a selection for the execution of the monitoring target file, and to output incoming files, configured in the monitoring target file, into a search window; and a security module configured to decrypt the monitoring target file to the incoming file, and to perform processing so that the incoming file is executed via a corresponding application program in an isolated drive set as an isolated environment.
    Type: Grant
    Filed: May 22, 2014
    Date of Patent: May 8, 2018
    Assignee: SOFTCAMP CO., LTD.
    Inventor: Steve Bae
  • Patent number: 9928080
    Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
    Type: Grant
    Filed: September 30, 2014
    Date of Patent: March 27, 2018
    Assignee: International Business Machines Corporation
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Patent number: 9888118
    Abstract: Systems and methods of contact center data integration with customer relationship management (CRM) applications on client computing devices in contact center environments are provided. A workspace routing connector application, responsive to an actuation command, can integrate the contact center enterprise with the different enterprise. A configuration component of the workspace routing connector application can select a contact center parameter from a contact center enterprise server. The workspace routing connector application can display, in a graphical user interface, an available CRM application and a CRM script based on the contact center parameter, and can receive an indication of selection of the CRM application. Responsive to selection of the CRM application, the CRM script can provide, from the contact center enterprise server via the computer network, for display by a client computing device in a contact center environment, contact center data related to the contact center parameter.
    Type: Grant
    Filed: June 10, 2016
    Date of Patent: February 6, 2018
    Assignee: SOFTPHONE SRL
    Inventors: Alan Lugiai, Francesco Falanga
  • Patent number: 9881183
    Abstract: Systems and methods for reducing problems and disadvantages associated with traditional approaches to encryption and decryption of data are provided. An information handling system may include a processor, a memory communicatively coupled to the processor, and a computer-readable medium communicatively coupled to the processor.
    Type: Grant
    Filed: July 16, 2015
    Date of Patent: January 30, 2018
    Assignee: Dell Products L.P.
    Inventors: Amy Christine Nelson, Kenneth W. Stufflebeam, Jr.
  • Patent number: 9858429
    Abstract: A method of data transfer in an electronic device including a secure module, which includes a processor and a secure element, an application processor, and a sensor, may include: switching an operation mode of the processor to a bypass mode; performing a cross-authentication, by the application processor and the secure element; generating a session key, by the application processor and the secure element, when the cross-authentication succeeds; switching the operation mode of the processor to a normal mode; encrypting, by the secure module, sensing data provided by the sensor using the session key; transferring the encrypted sensing data from the processor to the application processor; and/or acquiring, by the application processor, the sensing data by decrypting the encrypted sensing data using the session key.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: January 2, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Seung-Ho Lee, Ki-Hyoun Kwon, Sung-Hoon Son, Jun-Ho Lee, Jerome Han
  • Patent number: 9836308
    Abstract: Trusted firmware on a host server is used for managing access to a hardware security module (HSM) connected to the host server. The HSM stores confidential information associated with an operating system. As part of access management, the firmware detects a boot device identifier associated with a boot device configured to boot the operating system on the host server. The firmware then receives a second boot device identifier from the HSM. The boot device identifier and the second boot device identifier are then compared by the firmware. Based on the comparison, the firmware determines that the boot device identifier matches with the second boot device identifier. Based on this determination, the firmware grants the operating system access to the HSM.
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: December 5, 2017
    Assignee: International Business Machines Corporation
    Inventors: Volker M. M. Boenisch, Reinhard Buendgen, Franziska Geisert, Jakob C. Lang, Mareike Lattermann, Angel Nunez Mencias
  • Patent number: 9747426
    Abstract: Embodiments include a method, a computing device, and a computer program product. An embodiment provides a method implemented in a computing environment. The method includes receiving a designation of an individualized digital identifier. The method also includes associating a human-perceptible form of the designated individualized digital identifier with each element of a group of human-perceivable elements displayed by the computing environment.
    Type: Grant
    Filed: October 4, 2013
    Date of Patent: August 29, 2017
    Assignee: Invention Science Fund I, LLC
    Inventors: Alexander J. Cohen, Edward K. Y. Jung, Royce A. Levien, Robert W. Lord, Mark A. Malamud, William Henry Mangione-Smith, John D. Rinaldo, Jr., Lowell L. Wood, Jr.
  • Patent number: 9652635
    Abstract: The instruction code including an instruction code stored in the area where the encrypted instruction code is stored in a non-rewritable format is authenticated using a specific key which is specific to the core where the instruction code is executed or an authenticated key by a specific key to perform an encryption processing for the input and output data between the core and the outside.
    Type: Grant
    Filed: November 27, 2013
    Date of Patent: May 16, 2017
    Assignee: SOCIONEXT INC.
    Inventors: Seiji Goto, Jun Kamada, Taiji Tamiya
  • Patent number: 9602274
    Abstract: A secure password generation method and system is provided. The method includes enabling by a processor of a computing system, password translation software. The computer processor generates and stores the random translation key. A first password is received and a second associated password is generated. The computer processor associates the second password with a secure application. The computer processor stores the random translation key within an external memory device and disables a connection between the computing system and the external memory device.
    Type: Grant
    Filed: September 11, 2015
    Date of Patent: March 21, 2017
    Assignee: International Business Machines Corporation
    Inventor: Arnaud Lund
  • Patent number: 9594638
    Abstract: Approaches are described for enabling a host computing device to store credentials and other security information useful for recovering the state of the host computing device in a secure store, such as a trusted platform module (TPM) on the host computing device. When recovering the host computing device in the event of a failure (e.g., power outage, network failure, etc.), the host computing device can obtain the necessary credentials from the secure store and use those credentials to boot various services, restore the state of the host and perform various other functions. In addition, the secure store (e.g., TPM) may provide boot firmware measurement and remote attestation of the host computing devices to other devices on a network, such as when the recovering host needs to communicate with the other devices on the network.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: March 14, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Nachiketh Rao Potlapally, Rachit Chawla, Jeremy Ryan Volkman, Michael David Marr
  • Patent number: 9569061
    Abstract: An automated process collects and organizes field data from an inspection of a building or other structure such as pipe supports, bridges, buildings, overhead supports, and smoke stacks.
    Type: Grant
    Filed: December 26, 2013
    Date of Patent: February 14, 2017
    Assignee: GLOBEX CORPORATION
    Inventor: Steve Stanic
  • Patent number: 9565016
    Abstract: A protection mechanism for the execution of an encryption algorithm is disclosed. In the mechanism the encryption algorithm has its execution preceded by an update of a counter stored in a reprogrammable non-volatile memory. Storing the value of the counter into the memory corresponds with the execution of the algorithm.
    Type: Grant
    Filed: October 22, 2014
    Date of Patent: February 7, 2017
    Assignee: Proton World International N.V.
    Inventors: Alexandre Wostyn, Jean-Louis Modave
  • Patent number: 9547506
    Abstract: In one embodiment, a computer system provides a process for executing software that cannot be executed in a first configuration. The computer system determines source media for the software stored in a first data store, the source media being in the first configuration. The computer system retrieves metadata relating to executing the software from the source media. The computer system next transforms the retrieved metadata to generate a second configuration of the source media according to a transformation rule set, where the software can be executed in the second configuration, and stores the transformed metadata in a second data store. Next, the computer system presents the second configuration of the source media based on the transformed metadata. Thereafter, the computer system satisfies a request relating to executing the software using the transformed metadata in the second data store, wherein the request is satisfied based on the second configuration.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: January 17, 2017
    Assignee: VMware, Inc.
    Inventor: Darius Davis
  • Patent number: 9479527
    Abstract: Systems and methods for managing jobs to be scanned based on existence of processing nodes are described. One of the methods includes obtaining identification information regarding operation of a first set of the processing nodes from an inventory and creating a job for scanning the processing nodes of the first set for security vulnerability. The job includes the identification information. The method further includes verifying the inventory to determine the first identifying information of the first set of processing nodes for removal from the job and loading the job having second identifying information for a second set of processing nodes that remain after the verifying operation.
    Type: Grant
    Filed: October 15, 2015
    Date of Patent: October 25, 2016
    Assignee: Zynga Inc.
    Inventors: Kevin McGinley, Rich Tener
  • Patent number: 9473298
    Abstract: Computational complexity, specifically, cryptographic operations, is removed from the IKE (Internet Key Exchange) process in a VPN gateway appliance, thereby enabling scaling of the number of datapaths that can be managed by a single IKE process. A two-tier cache configuration enables necessary cryptographic operations on packets in the gateway but does so without placing additional computational burdens on the IKE process. One cache containing security association data is local to the IPSec component of the datapath instance. The second cache is higher level and is populated by IKE with security association data upon completion of IKE Phase 2 negotiations. The local cache is searched first for security policy data and if found is used to encrypt/decrypt the data packet. If not found locally, the IKE centralized cache is searched and if found, the local cache is updated with the security association data.
    Type: Grant
    Filed: January 8, 2015
    Date of Patent: October 18, 2016
    Assignee: Blue Cedar Networks, Inc.
    Inventor: Kenneth J. Wante
  • Patent number: 9419794
    Abstract: An SOC implements a security enclave processor (SEP). The SEP may include a processor and one or more security peripherals. The SEP may be isolated from the rest of the SOC (e.g. one or more central processing units (CPUs) in the SOC, or application processors (APs) in the SOC). Access to the SEP may be strictly controlled by hardware. For example, a mechanism in which the CPUs/APs can only access a mailbox location in the SEP is described. The CPU/AP may write a message to the mailbox, which the SEP may read and respond to. The SEP may include one or more of the following in some embodiments: secure key management using wrapping keys, SEP control of boot and/or power management, and separate trust zones in memory.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: August 16, 2016
    Assignee: Apple Inc.
    Inventors: R. Stephen Polzin, Fabrice L. Gautier, Mitchell D. Adler, Conrad Sauerwald, Michael L. H. Brouwer
  • Patent number: 9405913
    Abstract: A method to defend effectively against cold-boot attacks includes checking state data stored in a state memory to which the system software has access. At least two of the state data items are checked (111; 112) to determine deviations from parameters that are defined for a normal state of the computer. If deviations from the parameters are determined for at least two of the checked state data items, at least subareas of the main memory are cleared or overwritten (120); otherwise, the main memory is not cleared or overwritten (130); then, the system startup of the computer is carried out by means of the configured system software (140).
    Type: Grant
    Filed: November 10, 2014
    Date of Patent: August 2, 2016
    Assignee: Wincor Nixdorf International GmbH
    Inventor: Volker Krummel
  • Patent number: 9384367
    Abstract: In accordance with some embodiments, a single trusted platform module per platform may be used to handle conventional trusted platform tasks as well as those that would arise prior to the existence of a primary trusted platform module in conventional systems. Thus one single trusted platform module may handle measurements of all aspects of the platform including the baseboard management controller. In some embodiments, a management engine image is validated using a read only memory embedded in a chipset such as a platform controller hub, as the root of trust. Before the baseboard management controller (BMC) is allowed to boot, it must validate the integrity of its flash memory. But the BMC image may be stored in a memory coupled to a platform controller hub (PCH) in a way that it can be validated by the PCH.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: July 5, 2016
    Assignee: Intel Corporation
    Inventors: Robert C. Swanson, Palsamy Sakthikumar, Mallik Bulusu, Robert Bruce Bahnsen
  • Patent number: 9318156
    Abstract: In one implementation, flash memory chips are provided with an operating power supply voltage to substantially match a power supply voltage expected at an edge connector of a dual inline memory module. The one or more of the flash memory chips and a memory support application integrated circuit (ASIC) may be mounted together into a multi-chip package for integrated circuits. The one or more flash memory chips and the memory support ASIC may be electrically coupled together by routing one or more conductors between each in the multi-chip package. The multi-chip package may be mounted onto a printed circuit board (PCB) of a flash memory DIMM to reduce the number of packages mounted thereto and reduce the height of the flash memory DIMM. The number of printed circuit board layers may also be reduced, such as by integrating address functions into the memory support ASIC.
    Type: Grant
    Filed: September 3, 2013
    Date of Patent: April 19, 2016
    Assignee: Virident Systems, Inc.
    Inventors: Ruban Kanapathippillai, Kenneth Alan Okin