Disclosed herein are an apparatus and method for authenticating an IoT device. The method, performed by the IoT device authentication apparatus, includes transmitting, by the IoT device authentication apparatus, a random number to the IoT device and encrypting, by the IoT device authentication apparatus, the random number using a previously registered first white-box cryptography value through a white-box cryptography method; generating, by the IoT device, a first device response value from a previously registered first device challenge value using a Physical Unclonable Function (PUF) and encrypting, by the IoT device, the random number, received from the IoT device authentication apparatus, using the first device response value; and performing, by the IoT device authentication apparatus, authentication of the IoT device by checking whether the random number encrypted using the white-box cryptography method matches the random number encrypted using the PUF, which is received from the IoT device.

A system and method for operating a terminal such as an automated teller machine or other type of self-service terminal having a primary partition of a hard disk encrypted with a disk encryption key (DEK). At the initial installation and after every boot, a pre-boot manager encrypts the DEK with a new key encryption key (KEK) and then splits the encrypted DEK into a plurality of encrypted DEK parts. The pre-boot manager next stores the plurality of encrypted DEK parts in randomized storage locations on an unallocated portion of a hard disk and encrypts a list of the randomized storage locations of the plurality of encrypted DEK parts with the KEK and storing the encrypted list in a location on the unallocated portion of the hard disk. Finally, the pre-boot manager stores the KEK, optionally in an obfuscated format, in a location on the unallocated portion of the hard disk.

Decryption of an RSA encrypted message encrypted with a public RSA key by receiving encrypted key share components computed by generating a private RSA key d and a RSA modulus integer N, where N and d are integers; splitting the private key into key shares, encrypting with a fully homomorphic encryption (FHE) algorithm each key share component by using a Fully Homomorphic Encryption secret key ps associated with a set Ss to generate the encrypted key share components of said secure RSA key, computing an intermediate value YS for each set SS from said encrypted key share components, such that said computed intermediate value is a part of the RSA decrypted message, under FHE-encrypted form, and decrypting the encrypted message by combining said computed intermediate values for all sets.

An encryption system for performing encryption and decryption by a multi-input inner product functional encryption having a function hiding property includes a setup unit configured to generate, taking a vector length m and the number of arguments μ of an inner product function as input, a master secret key msk and a public parameter pp by using a setup algorithm of a single-input inner product functional encryption having a predetermined characteristic and having a function hiding property and a key generation algorithm of a common key encryption satisfying a predetermined condition, an encryption unit configured to generate, taking the master secret key msk, the public parameter pp, an index i of the arguments, and a vector x as input, a ciphertext ct.sub.i corresponding to the index i by using an encryption algorithm of the single-input inner product functional encryption and an encryption algorithm of the common key encryption.

A fully homomorphic white-box implementation of one or more cryptographic operations is presented. This method allows construction of white-box implementations from general-purpose code without necessitating specialized knowledge in cryptography, and with minimal impact to the processing and memory requirements for non-white-box implementations. This method and the techniques that use it are ideally suited for securing “math heavy” implementations, such as codecs, that currently do not benefit from white-box security because of memory or processing concerns. Further, the fully homomorphic white-box construction can produce a white-box implementation from general purpose program code, such as or C++.

Techniques are provided herein for coordinated data obfuscation. In one example, a first network device in a network obtains, from a controller in or having communication to the network, an obfuscation parameter that is further obtained by one or more second network devices in the network. Personally Identifiable Information (PII) of the first network device has a given logical relationship to PII of the one or more second network devices. Based on the obfuscation parameter, the first network device obfuscates the PII of the first network device to generate obfuscated PII of the first network device. The obfuscated PII of the first network device has the given logical relationship to obfuscated PII of the one or more second network devices. The first network device provides the obfuscated PII of the first network device to a server configured to collect the obfuscated PII of the one or more second network devices.

Cryptographic authentication is described to improve security in connected vehicle systems and other applications. Identity Based Cryptography and threshold cryptography are among techniques used in some embodiments.

Aspects of the disclosure relate to in-flight data masking and on-demand encryption of big data on a network. Computer machine(s), cluster managers, nodes, and/or multilevel platforms can request, receive, and/or authenticate requests for a big data dataset, containing sensitive and non-sensitive data, in a data store based on credentials received from a source. Profiles can be auto provisioned, and access rights can be assigned. Server configuration and data connection properties can be defined. A secure connection to the data store can be established. The sensitive information in the big data dataset can be redacted into a sanitized dataset based on one or more data obfuscation types. The encrypted data can be transmitted, in response to the request, to a source, a target, and/or another computer machine and can be decrypted back into the sanitized dataset.

A method, system and computer-usable medium for adaptively assessing risk associated with an endpoint, comprising: determining a risk level corresponding to an entity associated with an endpoint; selecting a frequency and a duration of an endpoint monitoring interval; collecting user behavior to collect user behavior associated with the entity for the duration of the endpoint monitoring interval via the endpoint; processing the user behavior to generate a current risk score for the entity; comparing the current risk score of the user to historical risk scores to determine whether a risk score of a user has changed; and changing the risk score of the user to the current risk score when the risk score of the user has changed.

A resource identifier to be encoded dynamically upon detection of a triggering event is identified. The resource identifier is allowed to remain not encoded prior to detection of the triggering event. The triggering event that will cause the resource identifier to be consumed by a web browser is detected. In response to detecting the triggering event, the resource identifier is encoded, and an encoded version of the resource identifier is provided for consumption by the web browser.