Patents Examined by Alexander Lagor
  • Patent number: 11153298
    Abstract: Apparatus and methods pertaining to a Certified Approval Service (CAS) are disclosed and enabled. The apparatus may include a Personal Computing Device (PCD) implementing a CAS Device to interact with an end user and a server implementing a CAS provider. The various embodiments operate without requiring the end user and the CAS provider to engage in an authenticated login session between themselves.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: October 19, 2021
    Assignee: Chipiworks Company
    Inventors: Kobi Eshun, Karim Tahawi
  • Patent number: 11139950
    Abstract: The present invention relates to a shift register protected against physical attacks, comprising a coding module, a decoding module, a plurality of basic shift registers of which the respective inputs receive the bits of a codeword supplied by the coding module using an input bit at each clock cycle, and of which the respective outputs are connected to the decoding module in order to supply an output bit, with the codewords being chosen in such a way as to have the same non-zero Hamming weight and two successive codewords having a constant non-zero Hamming distance. The codewords are generated using an internal state machine and/or an external state machine to the coding module.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: October 5, 2021
    Assignee: COMMISSARIAT A L'ENERGIE ATOMIQUE ET AUX ENERGIES ALTERNATIVES
    Inventors: Maxime Montoya, Simone Bacles-Min, Jacques Fournier, Anca Molnos
  • Patent number: 11140180
    Abstract: A method, apparatus and computer program product for use in identifying and blocking operation of compromised or potentially compromised IoT device(s) on a network, such as a local network behind a router or firewall. To this end, the technique provides for automated and seamless on-boarding of a “guard” system for IoT devices, preferably as those devices join (or re-join) into the network via a Dynamic Host Configuration Protocol message exchange. In operation, and in response to receipt of a DHCP discover message that includes a network location, a DHCP server uses the network location to locate and retrieve a set of flow attributes for the device. Those attributes are then associated with the IP address to be assigned to the IoT device in a network control device. The network control device then selectively identifies and/or blocks operation of the IoT device when the IoT device is compromised or potentially compromised, thereby protecting the network (or network resources) from damage or misuse.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: October 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: Charles K. Davis, III, Chris Dotson, Steven Lingafelt
  • Patent number: 11134382
    Abstract: A method of authenticating a transponder in communication with a server. The method includes the steps of defining a word in the transponder with a previous state of a counter of the transponder, incremented by a random number generated in the transponder, calculating a one-time password in the transponder with the aid of an HOTP algorithm and of a secret key on the basis of the word, transmitting the word and the one-time password to the server, calculating another one-time password in the server with the word received from the transponder by the HOTP algorithm and with one and the same secret key, and checking whether the passwords are identical so as to authenticate the transponder and authorize access to a site determined by the server.
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: September 28, 2021
    Assignee: EM Microelectronic-Marin SA
    Inventors: Tomas Novak, Julian Guilloux, Stephanie Salgado
  • Patent number: 11128472
    Abstract: A package management system generates a signature for a software package and generates an indication of the signature that includes a Merkle Tree root. The package management system then initiates a transaction in a blockchain system. The transaction comprises an indication of the signature for the software package and is to be stored in a blockchain. The package management system distributes the software package to a computing device with an indication of a location of the signature in the blockchain.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: September 21, 2021
    Assignee: Red Hat, Inc.
    Inventors: Bruno Ciscato, Dominic Hart
  • Patent number: 11126717
    Abstract: A method and apparatus for identifying computer virus variants are disclosed to improve the accuracy of virus identification and removal, and may relate to the field of internet technology. The method includes running a virus sample to be tested and recording an API call sequence produced during running of the virus sample. The method further includes obtaining a characteristic API call sequence for each one of a plurality of virus families, matching the API call sequence produced during running of the virus sample to be tested with the characteristic API call sequences of the virus families, and obtaining a matching result. The method also includes determining the virus sample to be tested is a virus variant by extent of a match between the API call sequence produced by the virus sample and any characteristic API call sequence of any one of the virus families.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: September 21, 2021
    Assignee: BANMA ZHIXING NETWORK (HONG KONG) CO., LIMITED
    Inventors: Yuehua Guo, Honggang Tang
  • Patent number: 11128606
    Abstract: Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than using IP addresses. A unique client fingerprint can be based on data found in the client's SSL client hello packet. SSL version, cipher suites, and other fields of the packet can be utilized, preferably utilizing individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be formed using client fingerprints so formed.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: September 21, 2021
    Assignee: SALESFORCE.COM, INC.
    Inventors: John Brooke Althouse, Jeffery S. Atkinson, Joshua Atkins
  • Patent number: 11128625
    Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: September 21, 2021
    Assignee: Citrix Systems, Inc.
    Inventors: Ricardo Fernando Feijoo, Thomas Michael Kludy
  • Patent number: 11128613
    Abstract: Passwords are used in various system access applications in order to ascertain that the user seeking access to a system resource is indeed the person with said access. Passwords are usually supposed to be entered through a keyboard and are a combination of alphanumeric values. With the advent of devices equipped with visual displays and touch inputs, it is possible to create a system which utilizes a person's visual memory to authenticate the person. A system and method is described which uses multiple images to perform authentication. This system does not require its user to input a text value as a password. The password is created by the user's actions. These actions are in the form of selecting a segment on a displayed image. A few different systems are described. One system is capable of creating variable passwords which by design keep changing from one authentication attempt to another. Another system uses one high resolution image to effectively hide the password in an image with lots of detail.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: September 21, 2021
    Inventor: Rajul Johri
  • Patent number: 11122040
    Abstract: The disclosed computer-implemented method for fingerprinting devices may include (i) detecting that a new device has attempted to connect to a network gateway, (ii) attempting to fingerprint the new device as an instance of a known candidate device type by (a) transmitting to the new device, from a security application, a set of network messages that mimic network messages that a second application is configured to transmit to instances of the known candidate device type and (b) confirming, by the security application based on a response from the new device to the set of network messages, that the new device is the instance of the known candidate device type, and (iii) performing a security action to protect a network corresponding to the network gateway based on confirming that the new device is the instance of the known candidate device type. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: December 27, 2018
    Date of Patent: September 14, 2021
    Assignee: NortonLifeLock Inc.
    Inventors: Yuqiong Sun, Xueqiang Wang, Susanta Nanda, Yun Shen, Pierre-Antoine Vervier, Petros Efstathopoulos
  • Patent number: 11113406
    Abstract: A system for performing de-duplication of findings includes a non-transitory computer readable medium and a processor. The non-transitory computer readable medium stores normalized findings of application code performed by at least one software security analysis tool. Each normalized finding is identifiable by a fingerprint. The processor receives a first finding in a first vendor-provided format from a first software security analysis tool that performs a scan of application code. The processor receives a second finding in a second vendor-provided format from a second software security analysis tool. The processor normalizes the findings to a standardized taxonomy. The processor determines a first fingerprint and a second fingerprint that respectively identify the normalized first and second findings.
    Type: Grant
    Filed: July 8, 2019
    Date of Patent: September 7, 2021
    Assignee: CAPITAL ONE SERVICES, LLC
    Inventors: Adam Youngberg, Stephen Kent
  • Patent number: 11113420
    Abstract: Disclosed are various examples for providing access to a clipboard based at least in part on one or more policies. Data is received from a client application. A permission associated with the client application is checked, the permission specifying that the client application is authorized to store data in a clipboard provided by an operating system of the computing device. In response, the data received from the client application is stored in the clipboard.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: September 7, 2021
    Assignee: VMware, Inc.
    Inventors: Xinpi Du, Ali Mohsin
  • Patent number: 11115214
    Abstract: A biometric signature system holds a first template indicating a result of transforming, by predetermined transformation, first biometric information acquired from a predetermined part of a user; and a second template indicating a result of transforming, by predetermined one-way transformation, second biometric information acquired from the predetermined part of the user, identifies a parameter for which a similarity between the first template of the person to be authenticated corrected, generates a second template of the person to be authenticated from each piece of corrected second biometric information, and determines whether authentication of the person to be authenticated is successful by comparing each generated second template with the second template.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: September 7, 2021
    Assignee: Hitachi, Ltd.
    Inventors: Yosuke Kaga, Kenta Takahashi, Masakazu Fujio
  • Patent number: 11106780
    Abstract: An electronic device that performs authentication of a user where the electronic device improves the convenience of user authentication that employs an LDAP server. An electronic device is configured to connect and communicate with a server storing a plurality of types of authentication information in association with a user for a plurality of users. The electronic device includes an information cache storage that stores user authentication information that is at least a part of the authentication information stored on the server, and an authentication controller that runs a user authentication process on the basis of authentication information entered by a user, and the authentication information acquired from the server. The authentication controller updates the user authentication information stored in the cache information storage after the user authentication process on the basis of the authentication information entered by the user or the authentication information acquired from the server.
    Type: Grant
    Filed: January 11, 2019
    Date of Patent: August 31, 2021
    Assignee: Seiko Epson Corporation
    Inventor: Yasuhiro Furuta
  • Patent number: 11100249
    Abstract: The present disclosure relates to a communication technique for converging a 5G communication system for supporting a higher data rate beyond a 4G system with an IoT technology, and a system therefor. The present disclosure provides a method and a device for enhancing data security. The method includes when a request message including information related to a first privacy level is received from a user device, authenticating the user device. The method also includes verifying the information related to the first privacy level. The method further includes transmitting, to the terminal, an image processed on the basis of the first privacy level among images processed on the basis of a plurality of privacy levels.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: August 24, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kyung-Joo Suh, Han-Il Yu, Sang-Jin Kim, Joo-Hyun Park, Hye-Jin Lee, Hee-Jeong Lee
  • Patent number: 11102191
    Abstract: Embodiments of the disclosure enable single sign-on for secure network services. In one embodiment, a method is provided. The method comprises providing, by a processing device of a first server, a prompt for first login information associated with a second server. An authentication request is transmitted on behalf of a client to the second server to authenticate the first login information received from the client. An authentication ticket is provided to the client in view of the first login information. The authentication ticket is received from the second server in response to authentication of the first login information. A service request comprising the authentication ticket and a request to access a service associated with the first server is received from the client. Thereupon, access to the service by the client is enabled by applying the authentication ticket, without prompting the client for entry of second login information.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: August 24, 2021
    Assignee: Red Hat, Inc.
    Inventors: Nikolaos Mavrogiannopoulos, Nathaniel McCallum
  • Patent number: 11095438
    Abstract: Methods and systems are described for enhanced-security database encryption via cryptographic software, where key management is carried out, without exporting or exposing cleartext keys, using an independent key manager coupled to a cryptographic hardware security module (HSM).
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: August 17, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11093649
    Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that manage cryptographically secure exchanges of data using a permissioned distributed ledger. For example, an apparatus obtains parameter values characterizing an exchange of data and transmits the parameter values to a first computing system, which executed instructions included within a distributed ledger. The executed additional instructions cause the first computing system to access rules data recorded onto the distributed ledger and establish a consistency between the parameter values and at least a portion of the accessed rules data. The apparatus receives, from the first computing system, confirmation data indicative of the established consistency, and based on the confirmation data, transmits a request to execute the data exchange in accordance with at least the portion of the parameter values to a second computing system.
    Type: Grant
    Filed: February 28, 2019
    Date of Patent: August 17, 2021
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, Arthur Carroll Chow, David Samuel Tax, Armon Rouhani, Asad Joheb, Sara Hatherly, Keith Sanjay Ajmani, Lionel Johnson, Yubing Liu
  • Patent number: 11093585
    Abstract: A client computing device accesses license and authentication management services provided by a license and authentication management server, which communicates with an authentication server and an application server. The client computing device authenticates a user and validates a license for a client application (e.g., a signature application) executing on the client computing device. The license and authentication management server provides an authentication API configured to manage communications between the client application and an authentication server to authenticate a user of the client application. The license and authentication management server also provides a subscription API configured to manage communications between the client application and an application server to validate a license associated with the client application.
    Type: Grant
    Filed: June 5, 2018
    Date of Patent: August 17, 2021
    Assignee: Wacom Co., Ltd.
    Inventor: Joss Giffard-Burley
  • Patent number: 11087003
    Abstract: A method may include dividing code into trusted and untrusted components, and identifying a dynamic invocation in a first component of the code. The first component may be an untrusted component. The method may further include extracting dynamic information from the dynamic invocation, and identifying, using the dynamic information and metadata describing a dynamic behavior of the code, a target for the dynamic invocation. The target may correspond to a second component of the code. The method may further include determining that the target matches the dynamic invocation, and in response to determining that the target matches the dynamic invocation, adding, to a call graph generated from the code, an edge from the dynamic invocation to the target.
    Type: Grant
    Filed: August 24, 2018
    Date of Patent: August 10, 2021
    Assignee: Oracle International Corporation
    Inventors: Joern Guy Suess, Rebecca Jane O'Donoghue, Nicholas John Allen