G06F2221/2125

SECURE BOOT WITH RESISTANCE TO DIFFERENTIAL POWER ANALYSIS AND OTHER EXTERNAL MONITORING ATTACKS
20180004957 · 2018-01-04

A method for device authentication comprises receiving, by processing hardware of a first device, a message from a second device to authenticate the first device. The processing hardware retrieves a secret value from secure storage hardware operatively coupled to the processing hardware. The processing hardware derives a validator from the secret value using a path through a key tree, wherein the path is based on the message, wherein deriving the validator using the path through the key tree comprises computing a plurality of successive intermediate keys starting with a value based on the secret value and leading to the validator, wherein each successive intermediate key is derived based on at least a portion of the message and a prior key. The first device then sends the validator to the second device.

TRANSPARENT EXECUTION OF SECRET CONTENT

The present application is directed to transparent execution of secret content. A device may be capable of downloading content that may include at least one secret portion, wherein any secret portions of the content may be directed to a secure workspace in the device not accessible to device operating system components, applications, users, etc. The device may then present the content in a manner that allows secret portions of the content to be executed without direct access. For example, the device may download content, and a director module in the device may direct any secret portions of the downloaded content to a secure workspace. During execution of the content, any inputs required by the secret portions may be provided to the secure workspace, and any resulting outputs from the secret portions may then be used during content presentation.

COMMUNICATION PATH OBFUSCATION SYSTEM AND METHOD

According to one embodiment, a path obfuscation system includes first and second hardware devices, and first and second interfaces configured to provide communication between the first and second hardware devices using a security protocol and data model (SPDM) protocol. The first hardware device comprises computer-executable instructions to receive a message to be transmitted to the second hardware device, segment the message into multiple groups of packets, and randomly select either the first or second interface to transmit each group of packets to the second hardware device.

Secure Display of Sensitive Content
20230214481 · 2023-07-06

Methods and systems for secure display of sensitive content are described herein. A server may receive, from a first computing device, a request for content. The content may include at least one portion that is marked as sensitive content. The server may determine that the first computing device does not satisfy an authorized device criterion, and send a modified version of the content to the first computing device. The modified version of the content may include the at least one portion that is obfuscated. The server may send an unmodified version of the content to a second computing device that satisfies the authorized device criterion. The second computing device may display the unmodified version of the content at least partially overlaid on top of the modified version of the content being displayed on the first computing device.

SYSTEM AND METHOD FOR DYNAMIC MASKING OF DATA IN A NETWORK
20230214517 · 2023-07-06

Embodiments of the present invention provide a system for dynamic masking of data in a network. The system is configured for receiving, via a graphical user interface, a data access request for accessing data from a user associated with an entity, determining that the data comprises sensitive information, determining that the user is not authorized to access the data, dynamically performing non-scramble masking of the data based on determining that the data comprises sensitive information and that the user is not authorized to access the data, and displaying masked data to the user, via the graphical user interface.

Method, system, and apparatus for probabilistic identification of encrypted files
11544390 · 2023-01-03

A mechanism for probabilistically determining the contents of an encrypted file is provided, such that a transfer of the encrypted file can be restricted according to rules associated with an unencrypted version of the file. Embodiments generate a file size table of a subset of files, where each entry of the file size table includes size information regarding the unencrypted file. Embodiments compare the size of the encrypted file against the file sizes and compressed file size ranges to determine whether the encrypted file has a match. If the size of the encrypted file has a single match in the table, then there is a high probability that the file associated with the matching entry is the unencrypted version of the encrypted file. Rules associated with restricting access to the file related to the matching entry can be used to control transfer of the encrypted file.

PROTECTION OF STORED AND COMMUNICATED SECRET DATA AGAINST SIDE-CHANNEL ATTACKS

Described are implementations directed to protecting secret data against adversarial attacks by obfuscating the secret data during storage and communication. Obfuscation techniques include, among other things, splitting secret data into a plurality of portions, performing rotation of secret data, splitting secret data into a plurality of shares, modifying shares of secret data in view of the values of the shares, and various other protection mechanisms.

Methods, systems and computer program products for data protection by policing processes accessing encrypted data
11528142 · 2022-12-13

The described embodiments relate to data protection methods, systems, and computer program products. A process-based encrypted data access policing system is proposed based on methods of encrypted data file management, process authentication and authorization, Trojan detection for authorized processes, encryption key generation and caching, and encrypted-file cache management. The process-based encrypted data access policing system may be implemented as a kernel level file system filter and a user-mode filter companion application, which polices the reading/writing of encrypted data in either a server system or an endpoint computer and protects data from data breaches and known or unknown attacks including ransomware and/or phishing attacks.

Controlling just in time access to a cluster
11494509 · 2022-11-08

Examples include a system and computer-implemented method to receive a notification from an application programming interface (API) of creation of a just in time (JIT) grant, the JIT grant defining a request for a user to be authorized to access a cluster according to a JIT policy; determine if access to the cluster by the user is authorized according to the JIT policy; grant access to the user to the cluster when access is authorized according to the JIT policy; and send a notification to the API that access by the user to the cluster is granted.

PROTECTION AGAINST EXECUTING INJECTED MALICIOUS CODE
20230126908 · 2023-04-27

A computer-implemented method includes receiving, by a processing unit, an input-value of an operand used by a computer-executable instruction. The method further includes generating, by the processing unit, an encrypted-value by encrypting the input-value, and storing the encrypted-value in a memory. In response to a request to execute the computer-executable instruction, the processing unit decodes the computer-executable instruction into a machine-executable code and decrypts the encrypted-value for use by the machine-executable code. Upon executing the machine-executable code, the processing unit generates an encrypted-result by encrypting a result of the execution, and stores the encrypted-result in the memory.