Stored Data Protection Patents (Class 713/193)
-
Patent number: 11811761
Abstract: Techniques for intelligently deciding the optimal authenticator(s) from amongst those supported by an electronic device are described. The authentication system according to some embodiments may include a dynamic machine learner that incorporates the attributes of: (i) user behavior attributes (e.g., preferred authenticator); (ii) device attributes (e.g., hardware and software specifications, applications, etc.); and (iii) operating environment attributes (e.g., ambient light, noise, etc.), as well as the interplay between the aforementioned attributes over time to make the decision. In some embodiments, the authentication activities and patterns of other users of similar type (e.g., users exhibiting similar behavior across different operating environments) can also be learned and employed to improve the decision making process over time.
Type: Grant
Filed: January 28, 2022
Date of Patent: November 7, 2023
Assignee: Visa International Service Association
Inventors: Sunpreet Singh Arora, Kim R. Wagner, John F. Sheets, Lacey Best-Rowden
-
Patent number: 11811907
Abstract: Methods, systems, and devices for data processing are described. Some systems may support data processing permits and cryptographic techniques tying user consent to data handling. By tying user consent to data handling, the systems may comply with data regulations on a technical level and efficiently update to handle changing data regulations and/or regulations across different jurisdictions. For example, the system may maintain a set of data processing permits indicating user consent for the system to use a user's data for particular data processes. The system may encrypt the user's data using a cryptographic key (e.g., a cryptographic nonce) and may encrypt the nonce using permit keys for any permits applicable to that data. In this way, to access a user's data for a data process, the system may first verify that a relevant permit indicates that the user complies with the requested process prior to decrypting the user's data.
Type: Grant
Filed: June 4, 2021
Date of Patent: November 7, 2023
Assignee: Ketch Kloud, Inc.
Inventors: Yacov Salomon, Seth Yates, Maxwell Anderson, Vivek Vaidya, Anton Winter, Samuel Alexander, Tom Chavez
-
Patent number: 11809713
Abstract: A method for performing data access management of a memory device with aid of randomness-property control and associated apparatus are provided. The method may include: receiving a plurality of host commands from a host device and performing data access on the NV memory according to the plurality of host commands, for example, in response to at least one host write command, programming data into at least one single level cell (SLC) block to be first stored data corresponding to a data reception stage; and performing a seed-aware garbage collection (GC) procedure to collect valid data among the first stored data of the at least one SLC block into at least one non-SLC block to be second stored data corresponding to a data storage stage, for example, performing a randomness-property checking operation on multiple seeds to selectively determine respective data of multiple pages within the SLC block as target data.
Type: Grant
Filed: July 12, 2022
Date of Patent: November 7, 2023
Assignee: Silicon Motion, Inc.
Inventor: Tsung-Chieh Yang
-
Patent number: 11810660
Abstract: The invention provides, in some aspects, a system for implementing a rule derived basis to display anonymized image sets. In various embodiments of the invention, users with the appropriate permission can launch a function inside a system in order to anonymize and export the currently loaded study or studies, or one or more studies identified by a search criteria. The data from the studies that were identified is then anonymized on the system using predefined rules. In an embodiment of the present invention, the data from selected studies is anonymized on a server, and only then transmitted to another network device thus minimizing the risk that protected health information can be inadvertently disclosed. In an alternative embodiment of the present invention, the data from selected studies is anonymized on a server, and only the anonymized data is stored to the hard disk or other media of a user viewing the study.
Type: Grant
Filed: October 29, 2021
Date of Patent: November 7, 2023
Assignee: PME IP PTY LTD
Inventors: Detlev Stalling, Malte Westerhoff
-
Patent number: 11809850
Abstract: This disclosure relates to building and finalizing an operating system (OS) image package in a way that allows for flexibility and customization of OS images while preventing certain runtime modifications after deployment of the OS image package on one or more target devices (e.g., embedded devices). For example, the systems described herein can build an OS image package based on information from an OS manifest that provides a declarative summary of a target OS. The systems described herein can further finalize the OS image package by performing one or more actions on the OS image package that prevent an end-user from performing various runtime modifications to the target OS after deployment of the OS image package. This finalization process provides an improved pipeline for implementing OS updates while providing safeguards against a variety of security risks associated with deploying OS image packages on a large scale.
Type: Grant
Filed: August 25, 2021
Date of Patent: November 7, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Sudhanva Huruli, Reuben Ross Olinsky, Mark Andrew Cawston, Rebecca Leigh Holt
-
Patent number: 11809578
Abstract: It is detected whether a next-to-last raw data block in a raw data segment has been written into an input buffer. If so, the next-to-last raw data block is read from the input buffer for encryption immediately after a current raw data block is read from the input buffer for encryption. Reading continues for a subsequent raw data block after the current raw data block is read from the input buffer for encryption, after the next-to-last raw data block is read from the input buffer for encryption. Encryption is performed, using Advanced Encryption Standard (AES) processing and a CipherText Stealing (XTS) working mode, on a last raw data block in the raw data segment by providing an intermediate encrypted data block, where the intermediate encrypted data block is obtained by encrypting the next-to-last raw data block, and the last raw data block is read from the input buffer.
Type: Grant
Filed: December 22, 2022
Date of Patent: November 7, 2023
Inventors: Xiaojun Ding, Zhikai Chen
-
Patent number: 11804963
Abstract: A computer-implemented system, method and computer program product for providing access to a network of computing nodes that includes: requesting, by a client, access into a host node in the network, preferably a private network; selecting a digital certificate issuer; verifying, by the digital certificate issuer, the identity of the client's token; adding, by the certificate issuer, a nonce to a distributed ledger; and granting the client access to the host node in the network. The computing nodes in an embodiment are ranked based upon CPU capacity, and computing nodes with highest CPU capacity ranking are selected to participate in a proof-of-capacity consensus to solve for the nonce.
Type: Grant
Filed: April 29, 2021
Date of Patent: October 31, 2023
Assignee: International Business Machines Corporation
Inventors: Oluwanifemi Oluyemi, Chuan Ran, Vamsee Movva, A. Jaylani Sharif
-
Patent number: 11804981
Abstract: The present application relates to a method and apparatus for intelligent wireless protocol optimization including storing, in a memory, a first customer key and a second customer key, receiving, by a processor, a secret key, decrypting, by the processor, the secret key using a first customer key to extract a master key, provisioning, by the processor, an electronic control unit in response to the master key, and deleting, by the processor, the second customer key in response to the provisioning of electronic control unit in response to the master key.
Type: Grant
Filed: January 14, 2021
Date of Patent: October 31, 2023
Assignee: GM GLOBAL TECHNOLOGY OPERATIONS, LLC
Inventors: Brian Farrell, David M. Nairn, Thomas M. Forest
-
Patent number: 11805108
Abstract: Examples of scheduled and on-demand volume encryption suspension are described. In some examples, volume encryption is to be suspended for a client device. A suspension limit is identified for a volume encryption suspension for the client device. A suspend encryption command is generated to include instructions for the client device to apply the volume encryption suspension according to the suspension limit. The suspend encryption command is transmitted to the client device for execution.
Type: Grant
Filed: May 10, 2021
Date of Patent: October 31, 2023
Assignee: VMWARE, INC.
Inventors: Neeraj Saluja, Akhil Parasa, Kevin Sheehan, Shravan Shantharam
-
Patent number: 11805131
Abstract: The present invention discloses an intelligent cloud server for cloud storage information management and encryption. In some embodiments, the intelligent cloud server can save and store documents without the need of first saving them in a local drive for upload. Upon storage, the document can be scanned and classified in a security level according to pre-determined settings and parameters. In some embodiments, depending on the classification, the system can encrypt portions of the document in order to facilitate the sharing and access of information in a secure way. Encryption keys and access to the encrypted portions are only provided upon authentication of the user, network, and/or need, according to corresponding protocols for the information.
Type: Grant
Filed: January 31, 2022
Date of Patent: October 31, 2023
Assignee: KeepItSafe (Ireland) Limited
Inventors: Saheeq Sayed, Karolina Kondzielewska, John Eikenberry
-
Patent number: 11799635
Abstract: There is provided an encryption method which comprises, by at least one server including a processing unit and memory, obtaining data, encrypting the data to obtain encrypted data, the encrypting comprising generating encryption keys using a plurality of seeds and a set of encrypting functions, processing the data using at least the encryption keys to generate the encrypted data, generating encrypted data DS,Enc informative of at least some of the plurality of seeds and transmitting the encrypted data and DS,Enc to a host different from the server, thereby enabling decryption of the encrypted data by the host. Corresponding decryption method is provided.
Type: Grant
Filed: June 4, 2020
Date of Patent: October 24, 2023
Assignee: NITROMIA LTD.
Inventor: Gera Biran
-
Patent number: 11797558
Abstract: Data transformation workflows may be generated to transform data objects. A source data schema for a data object and a target data format or target data schema for a data object may be identified. A comparison of the source data schema and the target data format or schema may be made to determine what transformations can be performed to transform the data object into the target data format or schema. Code to execute the transformation operations may then be generated. The code may be stored for subsequent modification or execution.
Type: Grant
Filed: October 1, 2021
Date of Patent: October 24, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Mehul A. Shah, George Steven McPherson, Prajakta Datta Damle, Gopinath Duddi, Anurag Windlass Gupta, Benjamin Albert Sowell, Bohou Li
-
Patent number: 11797709
Abstract: Methods and systems for identifying personally identifiable information (PII) are disclosed. In some aspects, frequency maps of fields storing known PII information are generated. The frequency maps may count occurrences of unique bigrams in the PII fields. A field of interest may then be analyzed to generate a second frequency map. Correlations between the first frequency maps and the second frequency map may be generated. If one of the correlations meets certain criterion, the disclosed embodiments may determine that the field of interest does or does not include PII. Access control for the field of interest may then be based on whether the field includes PII. In some aspects, a storage location of data included in the field of interest may be based on whether the field includes PII.
Type: Grant
Filed: January 25, 2022
Date of Patent: October 24, 2023
Assignee: Snap Inc.
Inventors: Vasyl Pihur, Subhash Sankuratripati, Dachuan Huang, Leah Fortier
-
Patent number: 11799645
Abstract: This document describes techniques for rotating keys used to tokenize data stored in a streaming data store where data is stored for a maximum time [W]. In some embodiments, a data layer of such a data store can encrypt arriving original data values twice. The original data value is first encrypted with a first key, producing a first token. The original data value is encrypted with a second key, producing a second token. Each encrypted token can be stored separately in the data store. A field may be associated with two database columns, one holding the value encrypted with the first key and the second holding the value encrypted with the second key. Keys are rotated after time [K], which is at least equal to and preferably longer than [W]. Rotation can involve discarding the older key and generating a new key so that two keys are still used.
Type: Grant
Filed: June 23, 2022
Date of Patent: October 24, 2023
Assignee: Akamai Technologies, Inc.
Inventors: Eugene (John) Neystadt, Jonathan Herzog, Ittay Dror, Elisha Ben-Zvi
-
Patent number: 11797713
Abstract: A computer system, processor, and/or method for changing the mode of operation of a computer without rebooting includes: a processor having a configuration register, the configuration register having a privilege entry (PRVS) register field for each of one or more privilege levels, each PRVS register field for each privilege level having one or more control aspect entries; and an enforce below (ENFB) register field, each ENFB register field for each privilege level having one or more control aspect entries, the PRVS register field control aspects being equal in number to and corresponding to the ENFB register field control aspects. The PRVS register fields and the ENFB register fields are used to change the processor from a secure mode to a performance mode while running software applications.
Type: Grant
Filed: December 16, 2020
Date of Patent: October 24, 2023
Assignee: International Business Machines Corporation
Inventors: Debapriya Chatterjee, Christian Zoellin, Bradly George Frey, Brian W. Thompto
-
Patent number: 11789874
Abstract: A method, apparatus, and system for storing memory encryption realm key IDs is disclosed. A method comprises accessing a memory ownership table with a physical address to determine a realm ID associated with the physical address, accessing a key ID association structure with the realm ID to determine a realm key ID associated with the realm ID, and initiating a memory transaction based on the realm key ID. Once retrieved, the realm key ID may be stored in a translation lookaside buffer.
Type: Grant
Filed: August 21, 2019
Date of Patent: October 17, 2023
Assignee: QUALCOMM Incorporated
Inventors: Darren Lasko, Roberto Avanzi, Thomas Philip Speier, Harb Abdulhamid, Vikramjit Sethi
-
Patent number: 11783081
Abstract: In a method to utilize a secure public cloud, a computer receives a domain manager image and memory position-dependent address information in response to requesting a service from a cloud services provider. The computer also verifies the domain manager image and identifies a key domain key to be used to encrypt data stored in a key domain of a key domain-capable server. The computer also uses the key domain key and the memory-position dependent address information to encrypt a domain launch image such that the encrypted domain launch image is cryptographically bound to at least one memory location of the key domain. The computer also encrypts the key domain key and sends the encrypted domain launch image and the encrypted key domain key to the key domain-capable server, to cause a processor of the key domain-capable server to create the key domain. Other embodiments are described and claimed.
Type: Grant
Filed: September 16, 2020
Date of Patent: October 10, 2023
Assignee: Intel Corporation
Inventors: David M. Durham, Ravi L. Sahita, Barry E. Huntley, Nikhil M. Deshpande
-
Patent number: 11782678
Abstract: Embodiments are directed towards real time display of event records with an indication of previously provided extraction rules. A plurality of extraction rules may be provided to the system, such as automatically generated and/or user created extraction rules. These extraction rules may include regular expressions. A plurality of event records may be displayed to the user, such that text in a field defined by an extraction rule is emphasized in the display of the event record. The same emphasis may be provided for text in overlapping fields, or the emphasis may be somewhat different for different fields. The user interface may enable a user to select a portion of text of an event record, such as by rolling-over or clicking on an emphasized part of the event record. By selecting the portion of the event record, the interface may display each extraction rule associated with the selected portion.
Type: Grant
Filed: July 23, 2021
Date of Patent: October 10, 2023
Assignee: Splunk Inc.
Inventors: R. David Carasso, Micah James Delfino, Johnvey Hwang
-
Patent number: 11782612
Abstract: A memory system includes a nonvolatile memory and a controller that controls the nonvolatile memory. The controller is configured to generate information relating to encryption and decryption of data based on a location of the memory system and to enable at least one process of encrypting data to be written to the nonvolatile memory or decrypting data read from the nonvolatile memory by using the information.
Type: Grant
Filed: August 24, 2021
Date of Patent: October 10, 2023
Assignee: Kioxia Corporation
Inventors: Hirotomo Kobayashi, Yoshiyuki Kudoh, Kentaro Umesawa
-
Patent number: 11777938
Abstract: The present disclosure relates to methods and systems for protecting cloud resources. The methods and systems may use a virtual gatekeeper resource to enforce secure access controls to cloud resources for a list of privileged operations. The cloud resources and the virtual gatekeeper resource may be in different security domains within a cloud computing system and the cloud resources may be linked to the virtual gatekeeper resource. A request may be sent to perform a privileged operation on the cloud resource. Access may be provided to the virtual gatekeeper resource in response to approval of the request and the access to the virtual gatekeeper resource may be used to perform the privileged operation on the cloud resource.
Type: Grant
Filed: September 24, 2020
Date of Patent: October 3, 2023
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Neeraj Jain, Vijayendra Gopalrao Vasu, Vijay Krishna Tandra Sistla, Kirushna Kumaar Ganesan, Sumit Malhotra
-
Patent number: 11775201
Abstract: An apparatus that includes a processor and a memory. The processor and the memory are configured to provide a first software process configured to execute at a first privilege level; and a second software process configured to execute at a second privilege level, wherein the first privilege level is more restrictive than the second privilege level. The processor is configured to, initialize, at the first privilege level, a memory pool within the memory, allocate, at the first privilege level, a block of memory, send a request to write protect the block of memory to the second software process, and to write protect, at the second privilege level, the allocated block of memory.
Type: Grant
Filed: August 8, 2018
Date of Patent: October 3, 2023
Assignee: Huawei Technologies Co., Ltd.
Inventors: Liming Wu, Kui Wang, Rémi Robert Michel Denis-Courmont, Igor Stoppa
-
Patent number: 11775662
Abstract: A method and apparatus of a device that searches encrypted objects stored in a secure virtual storage space is described. In an exemplary embodiment, the device receives a search query that includes a set of tokens and encrypts the set of tokens. The device further creates a hashed set of encrypted tokens using a second hash function. In addition, the device sends the hashed set of encrypted tokens to a first search server as a query. Furthermore, the device receives, from the first search server, a first set of encrypted object names as a search result. The device additionally determines a set of client-side indexes to search by hashing at least some of the first set of encrypted object names using a first hash function. The device further decrypts the set of encrypted object names. The device additionally searches the set of client-side indexes using the set of decrypted object names.
Type: Grant
Filed: December 9, 2020
Date of Patent: October 3, 2023
Inventor: Duncan MacDougall Greatwood
-
Patent number: 11777971
Abstract: Methods, apparatus and computer program products implement embodiments of the present invention that include collecting data packets transmitted between multiple entities over a network, and grouping the packets at least according to their source and destination entities and their times, into connections to which the packets belong. Pairs of the connections are identified having identical source and destination entities and times that are together within a specified time window, and sets of features are generated for the identified pairs of the connections. The features in the pairs are evaluated in order to detect a given pair of connections indicating malicious activity, and an alert is generated for the malicious activity.
Type: Grant
Filed: February 15, 2021
Date of Patent: October 3, 2023
Assignee: PALO ALTO NETWORKS (ISRAEL ANALYTICS) LTD.
Inventors: Yinnon Meshi, Idan Amit, Eyal Firstenberg, Jonathan Allon, Yaron Neuman
-
Patent number: 11775443
Abstract: A system includes a central processing unit (CPU) to process data with respect to a virtual address generated by the CPU. A first memory management unit (MMU) translates the virtual address to a physical address of a memory with respect to the data processed by the CPU. A supervisory MMU translates the physical address of the first MMU to a storage address for storage and retrieval of the data in the memory. The supervisory MMU controls access to the memory via the storage address generated by the first MMU.
Type: Grant
Filed: October 23, 2014
Date of Patent: October 3, 2023
Assignee: Hewlett Packard Enterprise Development LP
Inventor: Derek Alan Sherlock
-
Patent number: 11776639
Abstract: Storage devices include a memory array comprised of a plurality of memory devices. These memory devices are programmed with a modified distribution across the available memory states within the devices. The modified distribution of memory states attempts to minimize the use of memory states that are susceptible to negative effects. These negative effects can include read and write disturbs as well as data retention errors. Often, these negative effects occur on memory states on the lower and upper states within the voltage threshold range of the memory device. The distribution of memory states can be modified through the use of a modified randomization seed configured to change the probabilities of programming of each page within the memory device. This modification of the randomization seed can yield desired distribution of memory device states that are configured to reduce exposure to negative effects thus prolonging the overall lifespan of the storage device.
Type: Grant
Filed: October 3, 2022
Date of Patent: October 3, 2023
Assignee: Western Digital Technologies, Inc.
Inventors: Amiya Banerjee, Vinayak Bhat, Harish R. Singidi
-
Patent number: 11769561
Abstract: Memory devices, systems including memory devices, and methods of operating memory devices and systems are provided, in which at least a subset of a non-volatile memory array is configured to behave as read-only memory by not implementing erase or write commands. In one embodiment of the present technology, a memory device is provided, comprising a non-volatile memory array, and circuitry configured to store one or more addresses of the non-volatile memory array, to compare an address of a received command to the one or more addresses, and at least in part based on the comparison, determine not to implement the received command. The circuitry can be further configured to return an error message after determining not to implement the received command.
Type: Grant
Filed: December 11, 2020
Date of Patent: September 26, 2023
Assignee: Micron Technology, Inc.
Inventors: Timothy B. Cowles, George B. Raad, James S. Rehmeyer, Jonathan S. Parry
-
Patent number: 11768944
Abstract: This disclosure relates to a non-intrusive method of detecting security flaws of a computer program APP. The method comprises a step of installing and executing an executable and non-instrumentalized version of the program APP in a computer system 1, the computer system 1 comprising at least one cryptographic function able to be called by the program APP. It also comprises, in the course of the execution of the program, a step of recording in a tracing file the modalities of calls to the cryptographic function and, after the execution of the program, a step of analyzing the tracing file so as to devise a data structure of the states taken by the cryptographic object manipulated in the course of the execution of the program. The data structure is analyzed to detect calls to the cryptographic function that are liable to form a security flaw.
Type: Grant
Filed: May 11, 2018
Date of Patent: September 26, 2023
Assignee: Cryptosense SAS
Inventors: Bertrand Bonnefoy-Claudet, Etienne Millon, Nathan Rebours, Graham Steel
-
Patent number: 11768705
Abstract: Methods, apparatus, systems and machine-readable storage media of an edge computing device which is enabled to access and select the use of local or remote acceleration resources for edge computing processing is disclosed. In an example, an edge computing device obtains first telemetry information that indicates availability of local acceleration circuitry to execute a function, and obtains second telemetry that indicates availability of a remote acceleration function to execute the function. An estimated time (and cost or other identifiable or estimable considerations) to execute the function at the respective location is identified. The use of the local acceleration circuitry or the remote acceleration resource is selected based on the estimated time and other appropriate factors in relation to a service level agreement.
Type: Grant
Filed: October 18, 2021
Date of Patent: September 26, 2023
Assignee: Intel Corporation
Inventors: Francesc Guim Bernat, Karthik Kumar, Ned M. Smith, Thomas Willhalm, Timothy Verrall
-
Patent number: 11768968
Abstract: A method of checking the authenticity of at least a first portion of the content of a non-volatile memory of an electronic device including a microcontroller and an embedded secure element is disclosed. The method includes starting the microcontroller with instructions stored in a first secure memory area associated with the microcontroller and starting the secure element. The secure element has a plurality of decipher keys, each associated with a portion of the content of a second reprogrammable non-volatile memory area associated with the microcontroller. The secure element performs a signature check on a first portion of the content of the second area. If the signature is verified, the secure element sends the decipher key associated with the first portion to the microcontroller. If the signature is not verified, the secure element executes a signature check on another portion of the content of the second memory area.
Type: Grant
Filed: June 9, 2021
Date of Patent: September 26, 2023
Assignee: PROTON WORLD INTERNATIONAL N.V.
Inventor: Olivier Van Nieuwenhuyze
-
Patent number: 11764962
Abstract: Systems and methods for controlling data access through the interaction of a short-range transceiver, such as a contactless card, with a client device are presented. Data access control may be provided in the context of creating and accessing a secure memory block in a client device, including handling requests to obtain create and access a secure memory block via the interaction of a short-range transceiver, such as a contactless card, with a client device such that, once the secure memory block is created in memory of the client device, personal user data may be stored in the secure memory block, and access to the stored personal user data may only be provided to users authorized to review the data.
Type: Grant
Filed: August 4, 2022
Date of Patent: September 19, 2023
Assignee: CAPITAL ONE SERVICES, LLC
Inventors: Jeffrey Wieker, Patrick Zearfoss, Clayton Johnson
-
Patent number: 11757472
Abstract: A method includes encoding a sector of data to be written to a data storage device with a single error correcting code (ECC). The sector of data is divided into N individually readable and writeable portions, with N≥2. The individually readable and writeable portions of the sector of data are separated with a space between the portions of the sector of data in a pattern.
Type: Grant
Filed: May 16, 2022
Date of Patent: September 12, 2023
Assignee: Seagate Technology LLC
Inventors: Ara Patapoutian, Jason Charles Jury, Deepak Sridhara, Jason Bellorado
-
Patent number: 11755316
Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for a customizable cloud-based software platform. A customizable cloud-based software platform provides functionality that enables a user (e.g., individual user, organization, etc., that has created an account with the customizable cloud-based software platform) to modify a base version of a cloud-based software application to the specific user's needs. For example, the customizable cloud-based software platform provides a base version of a cloud-based software application that includes a base set of functionalities, settings, user interfaces, etc., which a user may modify to meet the user's specific needs. A user may therefore use a client device to interact with the customizable cloud-based software platform to access their customized instance of the cloud-based application.
Type: Grant
Filed: June 28, 2021
Date of Patent: September 12, 2023
Assignee: Twilio Inc.
Inventors: Al Cook, Martin Amps, Madis Abel, Hando Tint, Tatjana Mihnovits
-
Patent number: 11757848
Abstract: Users access content using a variety of formats, where some formats provide stronger encryption or protections than others. Content transmitted over open protocols may expose content to unauthorized third parties or enable unauthorized use of the content. The content may be protected by converting the content to a set of instructions on a user device, where the instructions correlate characters to identifications and outlines of the characters with instructions for rendering the characters. Different segments of content may have different mappings between characters, identifications, and outlines to add time or resource use to attempts to reverse engineer the instructions.
Type: Grant
Filed: June 23, 2021
Date of Patent: September 12, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Jan Zieh, Musachy Barroso, Lokesh Joshi, Mark David Van Hamersveld, Jeffrey Gerard Rodrigues, Mohammad A. Kanso, Manigandan Natarajan, Sriram Subramanian
-
Patent number: 11755768
Abstract: Methods, systems, and apparatuses embodied herein control and track access to secured data independent of the asset storing the secured data. In this regard, some embodiments organize volumes including one or more datasets and attach one or more assets to each volume. Some embodiments further receive data permissions of use information, for example from a data steward device, for the volume and datasets, which are registered with the volume and the datasets. Some embodiments further receive a set of restrictions, retrieve the dataset permissions of use information for one or more dataset identifiers, and determine the restrictions do not conflict with the dataset permissions of use information. Some embodiments further generate, and subsequently store, an indication the set of restrictions is valid when the dataset permissions of use information does not conflict. Permissions of use information may be organized into persona data objects assigned to various user profiles.
Type: Grant
Filed: December 9, 2021
Date of Patent: September 12, 2023
Assignee: OPTUM, INC.
Inventors: Daniel L. Binkley, Lisa A. Hodne
-
Patent number: 11750591
Abstract: A computing device sends a request for an attestation certificate to an attestation service along with information regarding the hardware and/or software of the device. The attestation service processes the request and verifies the information received from the device. After verifying the information, the attestation service selects a public/private key pair from a collection of reusable public/private key pairs and generates an attestation certificate for the device and public key of the public/private key pair. This attestation certificate is digitally signed by the attestation service and returned to the device. The private key of the selected public/private key pair is also encrypted to a trusted secure component of the device, ensuring that the key cannot be stolen by malware and re-used on another device, and is returned to the device. The device uses this attestation certificate to access relying parties, and optionally generates additional public/private key pairs and attestation certificates.
Type: Grant
Filed: August 27, 2020
Date of Patent: September 5, 2023
Assignee: Microsoft Technology Licensing, LLC
Inventors: Saurav Sinha, Victor Warren Heller
-
Patent number: 11748306
Abstract: Disclosed herein are methods, systems, and processes for source side classification of live and active data. Operating system calls associated with files being accessed or files recently accessed by an endpoint computing device are intercepted. A list including the files is generated and sent to a server computing device. A confirmation is received that a request to classify the files has been received from the server computing device.
Type: Grant
Filed: November 30, 2017
Date of Patent: September 5, 2023
Assignee: Veritas Technologies LLC
Inventors: Abhishek Sureshchandra Chaudhary, Muthukannan Murugappan, Parag V. Thakur
-
Patent number: 11748468
Abstract: Embodiments described herein enable the interoperability between processes configured for pointer authentication and processes that are not configured for pointer authentication. Enabling the interoperability between such processes enables essential libraries, such as system libraries, to be compiled with pointer authentication, while enabling those libraries to still be used by processes that have not yet been compiled or configured to use pointer authentication.
Type: Grant
Filed: October 8, 2021
Date of Patent: September 5, 2023
Assignee: Apple Inc.
Inventors: Bernard J. Semeria, Devon S. Andrade, Jeremy C. Andrus, Ahmed Bougacha, Peter Cooper, Jacques Fortier, Louis G. Gerbarg, James H. Grosbach, Robert J. McCall, Daniel A. Steffen, Justin R. Unger
-
Patent number: 11748481
Abstract: At least a portion of a software image may be executed on a first instance of a computing platform. A first sequence of multi-dimensional execution states may be measured that the first instance of the computing platform passes through when executing the portion of the software image. The portion of the software image may then be executed on a second instance of the computing platform. A second sequence of multi-dimensional execution states may be measured that the second instance of the computing platform passes through when executing the portion of the software image. The integrity of the second instance of the computing platform may be verified with respect to the first instance of the computing platform by comparing the first sequence of multi-dimensional execution states with the second sequence of multi-dimensional execution states.
Type: Grant
Filed: November 15, 2021
Date of Patent: September 5, 2023
Inventor: Christopher Luis Hamlin
-
Patent number: 11750374
Abstract: Described herein are methods and devices for forensic access control of an electronic device, including encryption and decryption of access keys of an electronic device. Two pairs of asymmetric key pairs (AKP) are created, e.g., created by more than one organization. An encrypted access key is configured to be decrypted by another organization possessing the private key of the first AKP and the private key of the second AKP. In some embodiments, the private key of the second AKP is encrypted. The encrypted private key of the second AKP is configured to be decrypted using the private key of the first AKP. The encrypted access key may be decrypted using the decrypted private key of the second AKP.
Type: Grant
Filed: July 24, 2020
Date of Patent: September 5, 2023
Inventor: Örjan Gatu
-
Patent number: 11741198
Abstract: The present invention relates to a system for rendering a content, the rendering of which is subject to conditional access security conditions. A system is described, comprising a host device and a detachable security device, the security device configured to decrypt the encrypted content, re-encrypt it under a local key and to deliver the re-encrypted content to the host device while ensuring that the host device applies or otherwise enforces any conditions associated with the rendering of the content.
Type: Grant
Filed: November 18, 2021
Date of Patent: August 29, 2023
Assignee: NAGRAVISION S.A.
Inventors: Philippe Desarzens, Fabien Gremaud, Jean-Luc Bussy
-
Patent number: 11734443
Abstract: Disclosed are programs, systems, and methods which are capable of using an application program previously used without modification and improving a security counter-measure when a data file is browsed and edited in a user terminal without installing a new security counter-measure program. An information control program has a function of adding a predetermined modification to transmitted/received information, which is transmitted and received between an OS and an application which is capable of generating a data file and saving the data file to an arbitrary information storage area. A save restriction function of restricting saving of the file not encrypted using a predetermined encryption key, a storage destination restriction function of restricting an area other than a predetermined area from being designated as the file storage destination, and a decrypting function of decrypting the file stored in the predetermined area using the predetermined encryption key are provided.
Type: Grant
Filed: January 19, 2017
Date of Patent: August 22, 2023
Assignee: CREATOR'S HEAD INC.
Inventor: Yoshihide Miyano
-
Patent number: 11734682
Abstract: A method for creating a smart contract detailing an ordered set of events is disclosed. A smart contract can include information about multiple events and responses for each event. The events and response can be arranged in a predefined order. The responses can include adding new records to a blockchain.
Type: Grant
Filed: September 1, 2022
Date of Patent: August 22, 2023
Assignee: Visa International Service Association
Inventors: Ajith Thekadath, Timothy P. Tidwell, Venkata Javaji, Mondo Jacobs
-
Patent number: 11736450
Abstract: A method of facilitating an anonymous message board may include receiving a secret key share associated with a published public key. An initial table state may be generated by encrypting, via the public key, an initial table including a table index and table initial values. A user post encrypted via the public key may be received, the user post including a message and a message index value. The initial table state may be updated to an updated table state by replacing an initial table value of the initial table values with the message. In response to a time interval associated with a predetermined length of time expiring after generating the initial table state, the updated table state may be partially decrypted via the first secret key share as a partially decrypted table. The partially decrypted table may be broadcast.
Type: Grant
Filed: August 10, 2021
Date of Patent: August 22, 2023
Assignee: FUJITSU LIMITED
Inventors: Avradip Mandal, Hart Montgomery, Arnab Roy
-
Patent number: 11734394
Abstract: Apparatuses, methods, systems, and program products are disclosed for distributed license encryption and distribution. An apparatus includes a processor and a memory that stores code executable by the processor. The code is executable to select a license token from a pool of available license tokens associated with available digital licenses in response to a license request from a first device. The license token includes information identifying second devices where segments of a digital license associated with the license token are stored. The segments are encrypted using encryption keys for one or more participants. The code is executable to re-encrypt the segments of the digital license for the selected license token using an encryption key for the first device and send the license token to the first device where it is used to request the segments from the second devices, decrypt the segments, and reconstruct the digital license.
Type: Grant
Filed: October 23, 2019
Date of Patent: August 22, 2023
Assignee: Lenovo (Singapore) Pte. Ltd.
Inventors: Igor Stolbikov, Alfredo Zugasti Hays, Joseph M. Pennisi, Rod D. Waltermann
-
Patent number: 11728999
Abstract: A first computing device may authenticate itself to a second computing device by providing a verifier value based on a private key. The verifier value may be sent to the second computing device, and a session key may be determined based on the private key. A secure message may comprise routing information associated with the first computing device and a hash value based on the routing information and the session key, and the first computing device may communicate with the second computing device using the session key.
Type: Grant
Filed: January 8, 2021
Date of Patent: August 15, 2023
Assignee: Comcast Cable Communications, LLC
Inventors: Christopher Zarcone, John Jason Brzozowski
-
Patent number: 11728986
Abstract: Disclosed herein are systems and methods to ensure that data collected from remote sensors sent to cloud-based storage, as well as commands sent to remote actuators from cloud-based control systems remain in a highly encrypted, redundant and resilient form at all times other than in volatile memory (e.g., while in use). Device to device automated sensing and control is also considered and addressed by this focus. Data from industrial sensors requires validation in both the “root of trust” within the sensor/actuator itself to ensure that the data is being transmitted or received from a valid device as well as ensuring that the data has not been manipulated or altered or viewed while in transit.
Type: Grant
Filed: March 25, 2022
Date of Patent: August 15, 2023
Assignee: Rubidex, LLC
Inventors: Michael Felker, Clay S. Perreault
-
Patent number: 11729181
Abstract: A networking system includes a pluggable security device comprising at least one port interface that is insertable into at least one physical port, memory that stores a security key used to provide security over a network link, and processing circuitry coupled with the at least one port interface and with the memory. The processing circuitry utilizes the security key to verify security of a point-to-point connection established over the network link and after verifying the security of the point-to-point connection, provides a data integrity check function for data packets received at the at least one port interface.
Type: Grant
Filed: November 16, 2020
Date of Patent: August 15, 2023
Assignee: MELLANOX TECHNOLOGIES, LTD.
Inventors: Shy Zimmerman, Gil Levy, Zachy Haramaty, Andrey Ger
-
Patent number: 11727153
Abstract: A System on Chip includes at least two hardware masters, a security circuit, and a communication infrastructure for communication between the hardware masters and the security circuit, the communication infrastructure being based on a given interface communication protocol. Each hardware master is configured to send a request to the security circuit for execution of the request by the security circuit through the communication infrastructure, each request comprising at least one service identifier identifying a service.
Type: Grant
Filed: May 24, 2019
Date of Patent: August 15, 2023
Assignee: SECURE-IC SAS
Inventors: Rachid Dafali, Freddy David, Michel Le Rolland, Karine Lorvellec
-
Patent number: 11720270
Abstract: A method of sending blocks of data from a client to be stored at a storage server, wherein for each block compression and encryption is performed at the client, and deduplication is performed at the server. Security is thus enhanced as the block is compressed and encrypted when it is sent over an unsecured network and when it is stored in potentially a third-party backup system. Provisions are made to enable addition of new compression algorithms and for retirement of old compression algorithms, while ensuring that a client would not receive a block which was compressed using an unsupported, e.g., retired, compression algorithm. In some examples a compression algorithm ID is tied to an encryption key version to enable refresh of blocks compressed with old algorithm.
Type: Grant
Filed: December 2, 2020
Date of Patent: August 8, 2023
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Senthil Ponnuswamy, Charles W. Kaufman, Radia J. Perlman
-
Patent number: 11722563
Abstract: A replication system for data of mobile devices is disclosed. The data of a mobile device is uploaded to stations in an area. Metadata associated with the objects is stored in a centralized or decentralized system. The metadata can be accessed to identify the stations storing the device's objects and the data of the mobile device can then be retrieved from the stations and reconstructed.
Type: Grant
Filed: February 10, 2022
Date of Patent: August 8, 2023
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Assaf Natanzon, Kfir Wolfson, Jehuda Shemer