Patents and Publications

Narayana is an IBM Master Inventor and a member of IBM's patent development team. He is passionate about innovation and has co-created intellectual property including 28 filed patents and 26 defensive publications on ip.com in the fields of cybersecurity, blockchain and machine learning. As a member of the cybersecurity patent review board, he regularly co-invents, reviews patentable ideas and mentors junior and new inventors.

Virtual machine perfect forward secrecy

Provided is a method, a computer program product, and a system for providing perfect forward secrecy in virtual machines. The method includes receiving, from an application, a secure memory allocation function call that includes a connection secret to be stored in memory and a memory size parameter. The method further includes allocating memory for the connection secret according to the memory size parameter and storing an entry for the connection secret in a secure database; the entry records memory information comprising the memory location and the memory size of the allocation. The method also includes monitoring an operation state of the virtual machine. The method further includes receiving, from the application, a secure deallocation function call for the connection secret and retrieving the memory information from the secure database. The method also includes deleting the connection secret from the memory and sanitizing the memory location logged in the memory information.

Forward secrecy in transport layer security using ephemeral keys

Transport Layer Security (TLS) connection establishment between a client and a server for a new session is enabled using an ephemeral (temporary) key pair. In response to a request, the server generates a temporary certificate by signing an ephemeral public key using the server's private key. A certificate chain comprising at least the temporary certificate that includes the ephemeral public key, together with a server certificate, is output to the client by the server, which acts as a subordinate Certificate Authority. The client validates the certificates, generates a session key and outputs the session key wrapped by the ephemeral public key. To complete the connection establishment, the server applies the ephemeral private key to recover the session key derived at the client for the new session. The client and server thereafter use the session key to encrypt and decrypt data over the link. The ephemeral key pair is not reused.
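The exchange described above, as an added example written for this page rather than code from the publication: the server generates an ephemeral RSA key pair and signs its public key with a long-lived identity key to form the temporary certificate, the client verifies that signature, generates a session key and wraps it under the ephemeral public key, and the server unwraps the session key and then discards the ephemeral private key. Ed25519 for the identity key, RSA-2048 with OAEP for the wrapping, and a flat struct in place of an X.509 certificate chain are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// TempCert stands in for the temporary certificate: the ephemeral public key
// (PKIX DER) and the server's signature over it (flat struct, not X.509).
type TempCert struct {
	EphemeralPubDER []byte
	Signature       []byte
}

// Server holds a long-lived identity key pair (what its server certificate
// vouches for) and, for the current handshake only, an ephemeral RSA key.
type Server struct {
	IdentityPub  ed25519.PublicKey
	identityPriv ed25519.PrivateKey
	ephemeral    *rsa.PrivateKey
}

func NewServer() (*Server, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Server{IdentityPub: pub, identityPriv: priv}, nil
}

// IssueTempCert generates a fresh ephemeral RSA key pair and signs its public
// half with the identity key: the server acting as a subordinate CA.
func (s *Server) IssueTempCert() (*TempCert, error) {
	eph, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&eph.PublicKey)
	if err != nil {
		return nil, err
	}
	s.ephemeral = eph
	return &TempCert{EphemeralPubDER: der, Signature: ed25519.Sign(s.identityPriv, der)}, nil
}

// RecoverSessionKey unwraps the client's session key with the ephemeral
// private key, then drops that key so it can never be used again.
func (s *Server) RecoverSessionKey(wrapped []byte) ([]byte, error) {
	if s.ephemeral == nil {
		return nil, errors.New("no ephemeral key for this handshake")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.ephemeral, wrapped, nil)
	s.ephemeral = nil
	return key, err
}

// ClientWrapSessionKey validates the temporary certificate against the
// server's identity key, generates a 32-byte session key and wraps it under
// the ephemeral public key with RSA-OAEP. Returns (sessionKey, wrapped).
func ClientWrapSessionKey(identityPub ed25519.PublicKey, cert *TempCert) ([]byte, []byte, error) {
	if !ed25519.Verify(identityPub, cert.EphemeralPubDER, cert.Signature) {
		return nil, nil, errors.New("temporary certificate signature invalid")
	}
	pub, err := x509.ParsePKIXPublicKey(cert.EphemeralPubDER)
	rsaPub, ok := pub.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, nil, errors.New("temporary certificate does not carry an RSA public key")
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, rsaPub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// Handshake runs one exchange and reports whether both ends hold the same key.
func Handshake(s *Server) (bool, error) {
	cert, err := s.IssueTempCert()
	if err != nil {
		return false, err
	}
	clientKey, wrapped, err := ClientWrapSessionKey(s.IdentityPub, cert)
	if err != nil {
		return false, err
	}
	serverKey, err := s.RecoverSessionKey(wrapped)
	if err != nil {
		return false, err
	}
	return bytes.Equal(clientKey, serverKey), nil
}
```

The forward-secrecy property rests entirely on the server discarding the ephemeral private key after the handshake (here RecoverSessionKey clears it and refuses a second use). An implementation that cached, logged or reused that key would lose the property even though the long-lived key is only ever used for signing.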

Prevent sending emails to unintended recipients

A similarity score is calculated between a profile of the email sender and the profile of each recipient of the email being sent. If the similarity score for a recipient does not exceed a first threshold value, a relevance score is calculated between the context of the email and that recipient. If the relevance score also does not exceed a second threshold value, the distribution list of the email is updated, and the email is transmitted using the updated distribution list.

Padding oracle elimination in RSA encryption

A method, a computer program product, and a system for removing padding oracles in encryption techniques. The method includes padding a plaintext message using a padding scheme to produce a padded plaintext message. The method also includes encrypting the padded plaintext message using a block cipher, producing a fixed-size encrypted data block, and generating a hash value. The method further includes randomly generating an ephemeral key and an initialization vector. The method also includes prepending the hash value, the ephemeral key, and the initialization vector to the encrypted data block. The method then applies the outer encryption technique to the encrypted data block together with the prepended hash value, ephemeral key and initialization vector.

Message embedment in random values

A method, a computer program product, and a system for embedding a message in a random value. The method includes generating a random value and applying a hash function to it to produce a hash value. Starting from that hash value, the method reapplies the hash function iteratively or recursively, each new hash value becoming the input for the next iteration, until a hash value is produced that contains the bit sequence representing the message (the message hash value). The method further includes using the message hash value as a new random value for an encryption algorithm.
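The iteration described above, as an added example rather than code from the publication. SHA-256 as the hash function, a 32-byte random starting value, and a search for the message bits at any bit offset of the digest are assumptions of the example. Because a k-bit pattern appears somewhere in a 256-bit digest with probability of roughly (257-k)/2^k per iteration, the expected number of hash applications grows exponentially with message length: a 16-bit message takes a few hundred iterations on average, which is why the search is bounded by maxIter.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// bitsOf expands data into one byte per bit (most significant bit first),
// each holding 0 or 1, so bit patterns can be searched with slice operations.
func bitsOf(data []byte) []byte {
	out := make([]byte, 0, len(data)*8)
	for _, b := range data {
		for i := 7; i >= 0; i-- {
			out = append(out, (b>>uint(i))&1)
		}
	}
	return out
}

// parseBitString turns a string such as "1011" into 0/1 bytes.
func parseBitString(s string) ([]byte, error) {
	if s == "" {
		return nil, fmt.Errorf("empty message")
	}
	out := make([]byte, 0, len(s))
	for _, c := range s {
		switch c {
		case '0', '1':
			out = append(out, byte(c-'0'))
		default:
			return nil, fmt.Errorf("bit string contains %q", c)
		}
	}
	return out, nil
}

// indexBits returns the first bit offset at which needle occurs in hay, or -1.
func indexBits(hay, needle []byte) int {
	for i := 0; i+len(needle) <= len(hay); i++ {
		if bytes.Equal(hay[i:i+len(needle)], needle) {
			return i
		}
	}
	return -1
}

// EmbedMessage draws a random 32-byte value, hashes it with SHA-256, and keeps
// feeding each digest back into the hash until a digest contains the message
// bits as a contiguous run. It returns that digest (the message hash value),
// the bit offset of the message within it, and the number of hash
// applications performed. maxIter bounds the search.
func EmbedMessage(message string, maxIter int) (digest []byte, offset, iters int, err error) {
	needle, err := parseBitString(message)
	if err != nil {
		return nil, -1, 0, err
	}
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		return nil, -1, 0, err
	}
	h := sha256.Sum256(seed)
	for iters = 1; iters <= maxIter; iters++ {
		if off := indexBits(bitsOf(h[:]), needle); off >= 0 {
			return h[:], off, iters, nil
		}
		h = sha256.Sum256(h[:]) // the new hash value is the next input
	}
	return nil, -1, maxIter, fmt.Errorf("no digest contained %q within %d iterations", message, maxIter)
}

// ExtractMessage reads nbits bits starting at offset from a digest and
// returns them as a bit string, or "" if the range is out of bounds. The
// receiver must know offset and nbits; the abstract does not say how they are
// conveyed, so passing them explicitly is an assumption of this example.
func ExtractMessage(digest []byte, offset, nbits int) string {
	bits := bitsOf(digest)
	if offset < 0 || nbits < 0 || offset+nbits > len(bits) {
		return ""
	}
	var sb strings.Builder
	for _, b := range bits[offset : offset+nbits] {
		sb.WriteByte('0' + b)
	}
	return sb.String()
}
```

Two points a practitioner should keep in view: the message hash value is, by construction, a digest conditioned on containing the message, so it is not uniformly distributed over all 256-bit strings, and the cost of the search doubles with every extra message bit.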

Extended-life asymmetric cryptographic key scheme

Extending the useful life of finite lifetime asymmetric cryptographic keys by referencing the number of uses of the keys in conjunction with or instead of the elapsed time since generation of the finite lifetime keys. By integrating asymmetric cryptographic keys into a limited use security scheme, the lifetime of finite lifetime asymmetric cryptographic keys is based on the practical risk of security breach during use rather than an arbitrary duration in which the keys are valid.

Applying PKI (public key infrastructure) to power of attorney documents

Technology for using a certificate authority and key-based encryption in connection with legal Power of Attorney (POA) documents to control access to the POA so that security and/or immutability is enhanced. In some embodiments, PKI (public key infrastructure) is used to enhance the privacy and immutability of POA data.

Correlation and root cause analysis of trace data using an unsupervised autoencoder

An analyzer system inputs parameter values from trace files of a software application into an autoencoder. The analyzer system adjusts weights of the edges between nodes in the autoencoder until reconstruction errors in outputs are minimized. The analyzer system receives a selection of a parameter represented in an autoencoder. In response, the analyzer system identifies hidden layer nodes connected to an output node corresponding to the selected parameter and identifies other output nodes connected to the hidden layer nodes. The analyzer system retrieves weights assigned to edges between the hidden layer nodes and the other output nodes. The analyzer system calculates correlation values between the output node corresponding to the selected parameter and each of the other output nodes and outputs the correlation values. A user can use the correlation values to better direct the root cause analysis.

Separation of handshake and record protocol

A method, a computer program product, and a system for running Transport Layer Security (TLS) protocol functions in separate instances. The method includes receiving, by a handshake processor instance, a TLS connection request from a client to a server. The method further includes establishing, by the handshake processor instance, a TLS connection whose connection secrets are held by that instance. Once the connection is established, the connection secrets are transmitted to a connection processor instance. The method further includes deleting the connection secrets stored on the handshake processor instance and processing application data on the connection processor instance.

Zero round trip time transmission for anticipatory request messages

Provided is a method, a computer program product, and a system for delivering request messages with zero round trip time in a Transport Layer Security (TLS) session. The method includes establishing a TLS session between a server and a client by performing a TLS handshake between them. The method further includes generating a session ticket associated with the client. The method also includes transmitting the session ticket to the client and receiving an early request message from the client during the TLS session. The early request message carries a request whose response data is to be sent to the client when the TLS session is resumed. The method further includes associating the early request message with the session ticket and processing the early request message. The data produced for the early request message can then be sent as soon as the TLS session is resumed.

Identity authentication based on data from internet of things devices

A computer-implemented method for identity authentication in a data processing system, including: receiving, by the processor, an authentication request from a user; receiving, by the processor, real-time data from one or more Internet of Things (IoT) devices associated with the user; generating, by the processor, one or more questions based on the real-time data; receiving, by the processor, one or more responses to the one or more questions from the user; comparing, by the processor, the one or more responses from the user with one or more correct answers identified by the processor; and, if the one or more responses match the one or more correct answers, providing, by the processor, the user with a successful identity authentication.

Compiling source code using source code transformations selected using benchmark data

Source code can be received, together with architecture information for at least one data processing environment in which a first executable program code compiled from the source code is to be executed. The source code can be compiled to generate the first executable program code. Compiling the source code can include selecting, using a processor, from a plurality of source code transformations, a source code transformation to apply when compiling a portion of the source code, based on a plurality of sets of benchmark data, each set indicating how efficiently a portion of another executable program code, compiled using a respective source code transformation, executes in the at least one data processing environment. Compiling the source code also can include compiling the portion of the source code using the selected source code transformation.

Secure data transport using trusted identities

A method, computer system, and a computer program product for secure transport of data is provided. The present invention may include defining a trust relationship based on a secret. The present invention may also include associating a trusted transport key identity (TTKI) based on the defined trust relationship. The present invention may then include receiving a trusted transport key (TTK), wherein the TTK is digitally signed and encrypted with the TTKI. The present invention may further include verifying the digitally signed TTK. The present invention may also include enveloping the secret with the TTK.

One-time password with unpredictable moving factor

Techniques for authentication using a blockchain hash value as a moving factor. The techniques include retrieving, by an authenticating device and from a blockchain, a current hash value of the blockchain, where the authenticating device and an authenticator server share a secret key value and each have access to the blockchain. The techniques further include generating, by the authenticating device, a secure token based on the secret key value and the current hash value. The techniques further include transmitting the secure token to the authenticator server and receiving an indication of authentication from the authenticator server.
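The token derivation and the server-side check, as an added example that is not code from the publication: an HMAC-SHA256 over the current block hash, keyed with the shared secret, truncated to decimal digits the way RFC 4226 HOTP truncates its HMAC. The use of RFC 4226 truncation, the verification window that also accepts tokens computed over a small number of preceding blocks, and the constructed chain of labelled hashes standing in for real chain data are all assumptions of the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ChainView is what both the authenticating device and the authenticator
// server read from the blockchain: block hashes in height order, tip last.
type ChainView [][]byte

// Tip returns the current (latest) block hash.
func (c ChainView) Tip() []byte { return c[len(c)-1] }

// ConstructedChain builds n stand-in block hashes (SHA-256 of a label) so the
// example runs offline. These are constructed values, not real chain data.
func ConstructedChain(n int) ChainView {
	chain := make(ChainView, n)
	for i := range chain {
		h := sha256.Sum256([]byte(fmt.Sprintf("example-block-%d", i)))
		chain[i] = h[:]
	}
	return chain
}

// Token derives a one-time password from the shared secret and a block hash,
// which takes the place of the HOTP counter or TOTP time step as the moving
// factor. Truncation follows RFC 4226 dynamic truncation over HMAC-SHA256;
// digits must be at most 9 to stay within uint32.
func Token(secret, blockHash []byte, digits int) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(blockHash)
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verify is the authenticator server's check. It recomputes the token for the
// tip and for up to window earlier blocks, so a device that read the chain
// just before a new block was appended is still accepted (this tolerance is an
// assumption of the example). It returns the matching height, or -1.
func Verify(secret []byte, chain ChainView, token string, digits, window int) int {
	for i := len(chain) - 1; i >= 0 && i >= len(chain)-1-window; i-- {
		expected := Token(secret, chain[i], digits)
		if hmac.Equal([]byte(expected), []byte(token)) {
			return i
		}
	}
	return -1
}
```

Block hashes are public, so, exactly as with an HOTP counter, the secrecy of the token rests on the shared key alone; what changes is that the moving factor cannot be computed ahead of time. Both parties must agree on which chain they read and how many confirmations they wait for, since a device on a different fork tip produces a token the window above will not rescue.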

Blockchain based authentication

A method, computer system, and a computer program product for blockchain based authentication is provided. The present invention may include receiving a request packet. The present invention may also include adding the request packet to a blockchain. The present invention may then include creating a hash based on the added request packet and the blockchain. The present invention may further include transmitting the hash to a user. The present invention may also include receiving a verifier packet, wherein the verifier packet includes an authentication token generated by the user that incorporates the transmitted hash.

Secure password lock and recovery

Secure password lock and recovery is provided. A user password is received to access a secure resource protected by a data processing system. It is determined whether a match exists between a retrieved user password verification string corresponding to a valid user password from a storage of a software token and a generated user password verification string corresponding to the user password. In response to determining that a match does not exist between the retrieved user password verification string and the generated user password verification string, it is determined whether a defined number of user password authentication attempts has been exceeded. In response to determining that the defined number of user password authentication attempts has been exceeded, the retrieved user password verification string is set to a preestablished sequence of values locking the valid user password on the storage of the software token. Access to the secure resource is denied.
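The lockout path described above, as an added example that is not code from the publication: the generated verification string is compared in constant time with the stored one, failed attempts are counted, and once the limit is exceeded the stored verification string is overwritten with a preestablished sentinel so that the valid password can no longer verify. The verifier derivation (SHA-256 over salt and password) is a placeholder chosen to keep the example in the standard library and is not what a real token should use (a memory-hard password hash is); the limit of 3 attempts and the all-0xFF sentinel are assumptions. The recovery side named in the title is not described in the abstract and is not modelled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// MaxAttempts is the defined number of failed attempts tolerated before the
// password is locked (the value 3 is an assumption of this example).
const MaxAttempts = 3

// lockedSentinel is the preestablished sequence of values written over the
// stored verification string on lockout. No SHA-256 digest equals it in
// practice, so once written no password can verify against the token.
var lockedSentinel = bytes.Repeat([]byte{0xff}, sha256.Size)

var (
	ErrBadPassword = errors.New("password verification failed")
	ErrLocked      = errors.New("valid user password is locked on the software token")
)

// SoftwareToken is the storage the abstract refers to: a salt, the stored
// verification string for the valid password, and the failure counter.
type SoftwareToken struct {
	salt     []byte
	verifier []byte
	failures int
}

// deriveVerifier produces the password verification string. SHA-256 over
// salt||password is a placeholder so the example stays in the standard
// library; a real token should use a memory-hard password hash instead.
func deriveVerifier(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewSoftwareToken provisions a token for the valid user password.
func NewSoftwareToken(password string) (*SoftwareToken, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &SoftwareToken{salt: salt, verifier: deriveVerifier(salt, password)}, nil
}

// IsLocked reports whether the stored verification string has been replaced
// by the lock sentinel.
func (t *SoftwareToken) IsLocked() bool {
	return subtle.ConstantTimeCompare(t.verifier, lockedSentinel) == 1
}

// Authenticate compares the verification string generated from the supplied
// password with the retrieved one. On mismatch it counts the attempt and,
// once MaxAttempts has been exceeded, overwrites the stored verification
// string with the sentinel, locking the valid password; access is denied.
func (t *SoftwareToken) Authenticate(password string) error {
	if t.IsLocked() {
		return ErrLocked
	}
	if subtle.ConstantTimeCompare(deriveVerifier(t.salt, password), t.verifier) == 1 {
		t.failures = 0
		return nil
	}
	t.failures++
	if t.failures > MaxAttempts {
		copy(t.verifier, lockedSentinel)
		return ErrLocked
	}
	return ErrBadPassword
}
```

Overwriting the verifier, rather than only setting a flag, is what makes the lock hold even against code that ignores the flag or against an attacker who can reset the counter: with the sentinel in place there is simply nothing left on the token for a password to match.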

Secure data storage system

A computer program product for secure data storage. The present invention may include completing a registration process by sending, by the client device, a connection request to the server. The present invention may include generating, by the server, an authentication session identification (ID). The present invention may include sending, by the server, a stored salt and the generated authentication session ID to the client device. The present invention may include sending, by the server, the generated authentication session ID, the server encryption key and user data to the third-party device. The present invention may include sending, by the client device, the generated authentication session ID and user data to the third-party device. The present invention may include generating, by the third-party device, a decryption key. The present invention may include determining that the user data received from the client device and the decrypted user data received from the server are authenticated.