Abstract: This application relates to establishing a communication session between a host device and a trusted client device. A host device generates a one-time secret (OTS) and transmits the OTS to a trusted client device via an out-of-band communication channel. The trusted client device verifies an identity of a user of the trusted client device utilizing one or more sensors of the trusted client device. Responsive to verifying the identity of the user, the trusted client device negotiates an encryption key with the host device based on the OTS. The trusted client device then establishes a communication session with the host device utilizing the encryption key. The communication session can be utilized to pass credentials in a protected manner from the trusted client device to the host device that enable the host device to access a user account associated with a service.

Abstract: According to one embodiment, a storage device includes a SoC, a disk, and an e-fuse. The SoC is an integrated circuit configured on one chip on which a CPU is mounted. The disk is controlled through the SoC. The e-fuse is provided on a clock signal line mounted in the SoC and is disconnected by an external input to the CPU.

Abstract: A method for recovering data from a database, the method performed by a device having a processor, the method including encrypting information stored in the database using an encrypting cryptographic key, sending encrypted information associated with a specific entity to a remote device associated with the specific entity, where the remote device lacks access to a decrypting cryptographic key enabled to decrypt the information associated with a specific entity, upon failure of the database, sending the encrypted information associated with the specific entity from the remote device to a recovering server, and decrypting the encrypted information by the recovering server.

Abstract: A security processor includes a key generator circuit configured to randomly generate a key, an encryption circuit configured to encrypt user data based on the key, and a security manager circuit configured to receive a first user identification (ID), which uniquely corresponds to a user of a device, and determine whether to allow access to the user data by authenticating the first user ID.

Abstract: In some aspects, the techniques described herein relate to a system including: a memory device including a secure storage area; a server configured to generate cryptographic data and compute a cyclical redundancy check (CRC) value of the cryptographic data; and a manufacturer computing device configured to receive the cryptographic data and the CRC value and issue a command including the cryptographic data and the CRC value to the memory device, wherein the memory device is configured to compute a local CRC value using the cryptographic data in the command, compare the local CRC value to the CRC value, and write the cryptographic data to the secure storage area when the local CRC value matches the CRC value.

Abstract: A method and system for storing electronic documents based on a distributed environment includes the following steps of: a storage management server receives a document data stream sent by a client; the storage management server parses the document type of the electronic document; the storage management server Match the corresponding first storage server based on the document type of the electronic document and the user information; the storage management server sends the corresponding electronic document to the corresponding first storage server; the first storage server is based on the first storage server The digital watermark loading rule of the server loads the digital watermark on the electronic document; the first storage server stores the electronic document loaded with the digital watermark.

Abstract: Methods and apparatus for providing a resource element identification system to process received uplink transmissions. In an embodiment, a method is provided that includes receiving soft-demapped symbols that comprises resource elements. The method also includes descrambling the resource elements of the symbols one-by-one using descrambling bits generated by at least one linear feedback shift register (LFSR). After each symbol is descrambled, a state of the at least one LFSR is stored as a stored state. The method also comprises restoring the stored state to the at least one LFSR before a next symbol is descrambled so that generation of the descrambling bits continues from symbol to symbol. The method also comprises forwarding the descrambled symbols to a downstream combining function.

Abstract: A command to perform a data operation at a memory device is received. The command includes an encryption key tag. A first key table is accessed from local memory. The first key table includes a first set of key entries corresponding to a first set of encryption keys. The first key table is searched to determine whether it includes an entry corresponding to the encryption key tag. Based on determining the first key table does not include an entry corresponding to the tag, a second key table is accessed from RAM. The second key table includes a second set of key entries corresponding to a second set of encryption keys. A key entry corresponding to the encryption key tag is identified from the second key table. The key entry includes an encryption key corresponding to the encryption key tag. The command is processed using the encryption key.

Abstract: A method for generating data visualizations includes receiving user selection of a data source, and receiving user input to define a dynamic set according to: (i) user selection of visual marks in a visualization region and/or (ii) user specification of a parameter corresponding to data fields in the data source. The method also includes receiving user input to define a calculation to compare data values for a data field from the data source to data values in the dynamic set. The method further includes identifying a set of rows from the data source whose data values are included in the dynamic set. The method also includes receiving user input to place a data field from the data source in a shelf region, and displaying a data visualization that includes a plurality of visual marks corresponding to data values, of the data field, in the set of rows.

Abstract: Devices and techniques are generally described for anomalous computer activity detection. In various examples, first computer activity data associated with a first account may be determined. A first linear detection event that corresponds to the first computer activity data may be determined. In some examples, a set of gradient-based data associated with the first linear detection event may be determined. The set of gradient-based data may represent comparative analysis of the first computer activity data with computer activity data of other accounts. In some examples, first data representing the first linear detection event and the set of gradient-based data may be generated. In various cases, network access for the first account may be disabled based on the first data.

Abstract: A method to prevent or reduce cyberattacks can include analyzing information of users of a 5G network. The information can include user profile data and social media data. The method can further include ranking the users according to a network security ranking based on a social media ranking, to identify target users as potential hotspots for cyberattacks. The 5G network dynamically assigns computing resources based on the network security ranking to monitor computing device(s) associated with the target users and receives an indication of a malicious software of the computing device(s) as detected by the computing resources.

Abstract: Boot firmware of a terminal sets a lock password on a hard disk drive of the terminal to lock the hard disk drive from access. The password is obfuscated in boot variables or stored separately on a server independently of the terminal. During subsequent boots of the terminal, the firmware de-obfuscates the password from the boot variables or obtains the password from the server and provides the password to the hard disk drive, which causes the hard disk drive to unlock for operation with the terminal following the subsequent boots.

Abstract: An electronic device configured for retail display includes a persistent memory on which boot instructions are stored, a storage device on which security monitoring instructions are stored, and a processor configured to execute the boot instructions during a boot sequence to initiate execution of the security monitoring instructions. The processor is further configured, via the execution of the security monitoring instructions, to monitor the retail display of the electronic device for a security trigger event and, upon detection of the trigger event, lock a user interface of the electronic device.

Abstract: Technologies disclosed herein provide cryptographic computing. An example method comprises executing a first instruction of a first software entity to receive a first input operand indicating a first key associated with a first memory compartment of a plurality of memory compartments stored in a first memory unit, and execute a cryptographic algorithm in a core of a processor to compute first encrypted contents based at least in part on the first key. Subsequent to computing the first encrypted contents in the core, the first encrypted contents are stored at a memory location in the first memory compartment of the first memory unit. More specific embodiments include, prior to storing the first encrypted contents at the memory location in the first memory compartment and subsequent to computing the first encrypted contents in the core, moving the first encrypted contents into a level one (L1) cache outside a boundary of the core.

Abstract: In some embodiments, an apparatus includes a memory and a processor. The processor is configured to receive an index file that associates a characteristic in a set of documents with a set of information associated with the characteristic in the set of documents. The processor is further configured to generate an index identifier associated with the index file and calculate a set of pseudorandom logical block identifiers associated with a set of storage locations of a database based on the index identifier. The processor is then configured to parse the index file into a set of index data portions and send a signal to the database to write each index data portion from the set of index data portions at a different storage location within the database as indicated by a different identifier from the set of pseudorandom logical block identifiers.

Abstract: A computer vision processor in an image cluster defines a fenced memory region (FMR) that controls access to image data stored in a first portion of a trusted memory region (TMR). The computer vision processor receives FMR requests from an application implemented in a processing cluster. The FMR requests are to access the image data in the first portion of the TMR. The computer vision processor selectively allows the requesting application to access the image data. In some cases, the computer vision processor acquires the image data and stores the image data in the first portion of the TMR, such as buffers in the TMR. A data fabric selectively permits the image processing application to access the data stored in the TMR based on whether the image cluster has opened or closed the FMR for the portion of the TMR.

Abstract: A user device may determine to back up a hardware key that is associated with a hardware component of the user device. The user device may determine that the user device has an operation key. The user device may retrieve the hardware key from a first data structure that is included in the user device and may encrypt, based on the operation key, the hardware key. The user device may process, after encrypting the hardware key, the hardware key to generate a hash value and may determine that the hash value is not included in a registry of the user device. The user device may transmit, based on determining that the hash value is not included in the registry, the encrypted hardware key to a server device to cause the hardware key to be backed up in a second data structure associated with the server device.

Abstract: Methods, computing apparatuses, computer readable media and systems are described that are for use with blockchain applications. An authority server may communicate a data package to a mining node. The mining node may receive the data package from the authority server, the data package comprising a plurality of datasets, each dataset comprising signal information. The mining node may analyse the data package to convert the signal information of each dataset to a corresponding data output. The mining node may communicate the plurality of data outputs to an authority server and, upon verification of the plurality of data outputs, the plurality of data outputs may be used in establishing a proof-of-work for appending a block record to a blockchain. Encryption and decryption methods may be used to secure data according to methods described herein. In some examples, the signal information of each dataset relates to a polynucleotide sequence and the corresponding data output relates to a read.

Abstract: A privacy protecting transaction engine for a cloud provider network is described. According to some embodiments, a computer-implemented method includes receiving a request from a customer of a cloud provider network to create a customer cloud in the cloud provider network, generating the customer cloud in the cloud provider network, receiving a first request at the cloud provider network for the customer cloud that includes private information of an end customer of the customer of the cloud provider network, removing the private information from the first request by a privacy protecting transaction engine of the cloud provider network to generate a second request, and sending the second request to the customer cloud for servicing.

Abstract: An encrypted hard disk device is provided, including a near-field communication (NFC) sensing module, a processor, a storage unit, and a power switch. The NFC sensing module is configured to read a user identification (UID) of at least one sensor element. The processor is electrically connected to the NFC sensing module and the storage unit. The processor receives the UID and generates a control signal when the UID is approved. The power switch is electrically connected to the processor and the storage unit and maintains a conducting state according to the control signal and supplies power to the storage unit for accessing the storage unit.

Abstract: A method and system of creating and managing encryption keys that facilitates sharing of encrypted content. The system may include an information management system with a key management server and a computing device having an encryption service module. The encryption service module detects operations at the computing device and encrypts a document with an encryption key created using user information and a secret.

Abstract: A system, apparatus, method, and machine-readable medium are described for endorsing authenticators. For example, one embodiment of an apparatus comprises: a first instance of an authenticator associated with a first app to allow a user of the first app to authenticate with a first relying party; a secure key store accessible by the first instance of the authenticator to securely store authentication data related to the first app; and a synchronization processor to share at least a portion of the authentication data with a second instance of the authenticator associated with a second app to be executed on the apparatus.

Abstract: Data storage devices and apparatuses that include a data storage device are disclosed. In some implementations, the apparatus may include a data storage device including a replay protected memory block accessed by a security protocol and a processor configured to generate a command information unit instructing the data storage device to access the replay protected memory block and to provide the data storage device with the command information unit, wherein the command information unit includes a basic header segment included in every information unit transferred between the host and the memory controller and an extra header segment including a host side RPMB message.

Abstract: A data storage management system is enhanced to accommodate, and moreover to optimize, the storing and retention of deduplicated secondary copies at write-once read-many (WORM) enabled storage platforms. Enhancements include without limitation: user interface (UI) options to enable WORM functionality for secondary storage, whether used for deduplicated or non-deduplicated secondary copies; enhancements to secondary copy (e.g., deduplication copy, backup) operations; and pruning changes. The storage manager is generally responsible for managing the creation, tracking, and deletion of secondary copies, with and without deduplication. Media agents that store secondary copies to and prune them from the WORM-enabled storage platforms also are enhanced for communicating and interoperating with both bucket-level and object-level WORM-enabled storage platforms to implement the features disclosed herein.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: The present disclosure relates to a program verification method and apparatus, a platform, a user terminal, and an online service system, includes: acquiring a root evidence of a server-side program from a blockchain network, and acquiring a verification evidence of the server-side program from a server side, where the root evidence is written into the blockchain network after server-side program review succeeds, and the success of the server-side program review indicates a data processing method of the server-side program satisfies a preset data processing rule; verifying whether the root evidence and the verification evidence are matched, where the root evidence and the verification evidence being matched indicates the server-side program is a program that is operated in a TEE of a computer and is not modified after the root evidence is written into the blockchain network; and determining to connect a user-side program to the server-side program.

Abstract: Methods and systems for gateway agnostic tokenization are disclosed. Gateway agnostic tokenization enables a resource provider to quickly, safely, and efficiently route a token for authorization via any appropriate gateway computer. As part of an interaction with a user, a resource provider can transmit a token to an edge computer. The edge computer can then forward the token to a gateway computer. The gateway computer can identify a data item comprising two ciphertexts associated with the token. The edge computer and gateway computer can collectively decrypt the two ciphertexts to obtain a credential. The gateway computer can then forward the credential to an authorizing entity computer. The authorizing entity computer can then determine whether or not to authorize the interaction.

Abstract: A data sharing system may facilitate sharing of data with third party systems. In one example, the data sharing system can provide a graphical user interface that displays an available subset of user data for sharing. The available subset may be based on previously shared user data with the third party system. The third party system can provide a selection of data of interest within the available subset, and the selected data can be shared.

Abstract: Various embodiments of the present technology generally relate to data delivery. More specifically, some embodiments of the present technology relate to systems and methods for using spatial and temporal analysis to associate data sources with mobile devices. The delivery of data to support a wide variety of services for and about mobile devices that are based on data stored in corporate, commercial, and government databases which is not currently linked to individual mobile devices. Some embodiments allow advertisers to better target their ads to relevant target audiences with greater accuracy.

Abstract: According to certain embodiments, an electronic device comprises: a secure element storing at least one content application and backup data associated with the at least one content application; a memory storing instructions; and a processor electrically connected to the secure element and the memory and configured to executed the instructions, wherein execution of the instructions by the processor causes the processor to perform a plurality of operations comprising: when receiving a message requesting a backup operation from an external electronic device, loading encrypted backup data from the secure element, transmitting the backup data to the external electronic device, and when receiving a message about backup completion from the external electronic device, setting the backup data to an unavailable state.

Abstract: A computer implemented method to provide encrypted protected data in response to an unauthorized access request and unencrypted protected data in response to an authorized access request may include the following steps: receiving a first access request for accessing protected data; determining if the first access request identifies the protected data through a specified namespace; and returning an encrypted version of the protected data in response to the first access request if the first access request did not identify the protected data through the specified namespace. Optionally, the method may include the steps of: receiving a second access request to access the protected data; determining if the second access request identifies the protected data through the specified namespace; and returning an unencrypted version of the protected data in response to the second access request only if the second access request identifies the protected data through the specified namespace.

Abstract: A method, system and computer readable medium include objects with media content. The method includes receiving, at one or mom servers, a request for the media content to be displayed at an endpoint. The method includes identifying information about an environment associated with the endpoint. The method includes identifying a set of objects to include in a container for the media content based on the information identified about the environment. At least one of the objects includes program code for completing a transaction during display of the media content. Additionally, the method includes sending, by one or more servers, the set of objects to the endpoint.

Abstract: A method and system for analysis of a facility may include providing an emulation host system, first generating a golden circuit model on the emulation host system, first inserting a first hardware trojan model, first emulating operation of the golden circuit model, and second emulating operation of the first hardware trojan model. A facility may include a trojan instrument facility having a trojan detection instrument comparing logic circuit output against a threshold for detecting hardware trojan activity, and outputting alert data, and in relation to opening one of a plurality of scannable access points, a scannable register is inserted into an active scan chain with an associated instrument interface.

Abstract: A technique and system protects documents at rest and in motion using declarative policies and encryption. Encryption in the system is provided transparently and can work in conjunction with policy enforcers installed at a system. A system can protect information or documents from: (i) insider theft; (ii) ensure confidentiality; and (iii) prevent data loss, while enabling collaboration both inside and outside of a company.

Abstract: A play method for a streaming media file, and a display apparatus are provided. The method comprises: in response to a command for playing a streaming media file on a display of the display apparatus, obtaining the streaming media file and determining a state of the streaming media file; in response to the state of the streaming media file being encrypted state, flowing video data in the streaming media file into a trusted execution environment of the display apparatus, and determining a state of the video data in the trusted execution environment; and in response to the state of the video data being encrypted state, decrypting the video data, decoding the decrypted video data, and then playing the decoded video data.

Abstract: The invention relates to information representation, exchange, validation, and utilization. Embodiments of the invention enable a fully digital shared information reality: an information fabric, in which unlimited numbers of participants can all permanently access (with access controls) information objects that all participants can trust and verify, according to a universal set of protocols that are logically complete, address all stages of information exchange, and enable convincing, persuasive user experience. We disclose foundational embodiments that include methods to properly record, store, communicate and display information in digital form; computational verification and validation of information; and foundational concepts in human-information interaction. The invention teaches that by using unique digital objects, numerous difficulties and inefficiencies in state-of-the-art information exchange are overcome, and the next stage of digital transformation is enabled.

Abstract: A system is a system including: a cloud server configured to perform a machine learning process; and a client apparatus configured to communicate with the cloud server. The client apparatus includes: a generating unit that generates one or a plurality of reference data from a plurality of data used for the machine learning and that generates a plurality of difference data, wherein the reference data is a reference for at least a part of the plurality of data, and each difference data indicates a difference between each of the plurality of data and corresponding reference data out of the one or the plurality of reference data; and a storage unit that stores the plurality of difference data in a storage apparatus of the cloud server.

Abstract: A method for transmitting a boot code, with improved data security, from a programming device to a microcontroller, including: a) creating a first public key, a first private key, and a password; b) generating a bootloader binary for execution on the microcontroller, c) estimating a tolerable total processing time, which consists of the processing times of steps d) to f); d) transmitting the bootloader binary from the programming device to the microcontroller; e) executing, by the microcontroller, the bootstrap loader code, the decryption routine, and the decrypted bootloader routines; f) transmitting at least the second public key from the microcontroller to the programming device; g) if the actual processing times of steps d) to f) are outside the tolerable total processing time, terminating the method; and h) otherwise, encrypting, by the programming device, the boot code by the second public key and transmitting an encrypted boot code to the microcontroller.

Abstract: A system accesses a task log comprising text that is confidential information. The system selects a first portion of the task log. The system compares each word in the first portion with keywords that are known to be confidential information. The system determines that a word in the first portion is among the keywords. The system determines a hierarchical relationship between the word and neighboring words. The system determines that the word is associated with the neighboring words based on the hierarchical relationship. The system generates a template pattern comprising the word and one or more words associated with the word. The system obfuscates the template pattern.

Abstract: A compute in memory device comprises a memory array including a plurality of data lines for parallel access to memory array data, and an input/output interface. Data path circuits between the memory array and the input/output interface include a page buffer, each buffer cell of the page buffer including a plurality of storage elements. A plurality of computation circuits is provided connected to respective buffer cells. The computation circuits execute a function of data in the storage elements of the respective buffer cells and can be configured in parallel to generate a results data page including operation results for the plurality of buffer cells. A data analysis circuit is connected to the data path circuits to execute a function of the results data page to generate an analysis result. A register can be provided to store the analysis result accessible via the input/output interface.

Abstract: A method is provided to dynamically encode data at runtime with a tagged data element in a program associated with an obfuscation algorithm randomly selected during runtime. Instructions for invoking the obfuscation algorithm are generated when a compiler encounters the tagged variable in the source code. At runtime, unencoded data is encoded by the obfuscation algorithm when the unencoded data is copied to the tagged data element; encoded data is re-encoded by the obfuscation algorithm when the encoded data is copied from a differently tagged data element to the tagged data element, wherein the differently tagged data element is associated with a different obfuscation algorithm; and encoded data is decoded by the obfuscation algorithm when the encoded data is copied from the tagged data element to an untagged data element.

Abstract: A method is provided that permits user to submit a password to the private key that is to be used to decrypt files either at the time of user account setup or at the time of submitting the files. The password is stored securely in the system, permanently or temporarily, and is used later to decrypt the files right before the system is ready to process the files.

Abstract: Disclosed herein are techniques for protecting web applications from untrusted endpoints using remote browser isolation. In an example scenario, a browser isolation system receives a request from a client browser executing on a client device to connect with a remote application accessible via a private network. A surrogate browser is provided to facilitate communications between the client browser and the remote application. A security policy is enforced against the communications.

Abstract: Aspects relating to machine learning includes receiving, by a first trusted node, a first target data set sent by a first participant, wherein the first target data set is obtained via encrypting, by the first participant, a data set provided by the first participant based on a first preset encryption mode; decrypting the first target data set, determining first training data, and performing model training for a preset machine learning model based on the first training data to obtain a first intermediate training result; acquiring an encrypted second intermediate training result sent by at least one second trusted node; and performing federated learning for the preset machine learning model based on at least the first intermediate training result and the decrypted second intermediate training result, to update model parameters of the preset machine learning model and obtain a learning completed target model.

Abstract: The present disclosure relates to secure storage, in a non-volatile memory, of initial data encrypted using a second data, including selecting a pointer aimed at an initial address of a memory cell of an initial part of the non-volatile memory, and encrypting the pointer using the second data; and-storing the encrypted pointer in the non-volatile memory.

Abstract: An orchestrator device may receive a request from a first module deployed in a second cloud platform in a second jurisdiction, wherein the request is compliant with a jurisdictional characteristic of the second jurisdiction. The orchestrator device may process the request in order to identify a second module deployed in the first cloud platform to which to forward the request. The orchestrator device may forward the request to the second module to enable fulfillment of the request. The orchestrator device may receive a response from the second module, wherein the response is compliant with a jurisdictional characteristic of the first jurisdiction. The orchestrator device may process the response, to identify a third module deployed in the second cloud platform to which to forward the response. The orchestrator device may forward the response, to the third module.

Abstract: A system and method reduces use of restricted operations in a cloud computing environment during cybersecurity threat inspection. The method includes: detecting an encrypted disk in a cloud computing environment, the encrypted disk encrypted utilizing a first key in a key management system (KMS); generating a second key in the KMS, the second key providing access for a principal of an inspection environment; generating a snapshot of the encrypted disk; generating a volume based on the snapshot, wherein the volume is re-encrypted with the second key; generating a snapshot of the re-encrypted volume; generating an inspectable disk from the snapshot of the re-encrypted volume; and initiating inspection for a cybersecurity object on the inspectable disk.

Abstract: In an aspect, the present application may describe a method. The method may include: receiving, from a remote computing device, a first indication of consent for an authenticated entity to share data with a first third party server, the first indication of consent associated with a first sharing permission defining a first sharing scope; in response to receiving the first indication of consent: configuring a server to share data for the authenticated entity with the first third party server based on the sharing permission; identifying a first safety score, the first safety score associated with the first third party server; and updating a risk score for the authenticated entity based on the first safety score and the first sharing permission; and sending the updated risk score for the authenticated entity to the remote computing device for display thereon.

Abstract: The invention discloses a digital signature system. The digital signature system comprises an electronic device and a data storage device. The electronic device generates a specific data by executing a specific operation, and calculates the specific data via a hash algorithm to generate a hash data. The data storage device comprises a controller, a plurality of flash memories, and a data transmission interface. The electronic device transmits the hash data to the data storage device via the transmission interface. The controller comprises a firmware. The firmware reads an unclonable function, and generates a private key according to the unclonable function, and encrypts the hash data by the private key to obtain a digital signature. The data storage device transmits the digital signature to the electronic device via the transmission interface.

Abstract: Devices and techniques for efficient host assisted logical-to-physical (L2P) mapping are described herein. For example, a command can be executed that results in a change as to which physical address of a memory device corresponds to a logical address. The change can be obfuscated as part of an obfuscated L2P map for the memory device and written to storage on the memory device. The change can then be provided a host from the storage.