Patents Examined by Alexander Lagor
  • Patent number: 11089017
    Abstract: Disclosed are systems and methods for passively authenticating users of a native application running on a mobile communications device. The user may be applying for a service, product, access, etc. from a provider computing system. A unique device identifier of the device may be acquired and provided to a first computing system. A mobile telephone number associated with the device may be received at the device. User information may be accepted from the user via a user interface of the device for entry into a set of fields. The mobile telephone number may be verified by determining, via a second computing system that is different from the first computing system, that the mobile telephone number is associated with the user information. The service/product/access for the user may be approved in response to verification of the mobile telephone number. The user may be authenticated without challenge questions.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: August 10, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ryan S. Alexander, Lei Han, Prafullata Diwate
  • Patent number: 11087343
    Abstract: A method for controlling access to data displayed by an information services portal on a user device is provided. The method includes receiving a candidate login input corresponding to a user. The method further includes comparing the candidate login input to a list of login entries stored in the memory, each of the stored login entries having a corresponding code segment, each code segment defining a bounding area defining a geographic area. The method further includes retrieving from the memory a selected code segment corresponding to the stored login entry matching the candidate login input, and applying a geographic restriction to the data set by processing the selected code segment. The method further includes transmitting a data subset of the data set to the user computing device for display, the data subset including data satisfying the geographic restriction.
    Type: Grant
    Filed: January 28, 2019
    Date of Patent: August 10, 2021
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Debashis Ghosh
  • Patent number: 11082223
    Abstract: A communication device according to the present invention includes: a memory; and at least one processor coupled to the memory. The processor performs operations. The operations include: storing device information that is information stored commonly in one or more communication devices; generating clock information representing timing by using a periodic clock signal; selecting at least a part of the device information according to the clock information; generating selection information that is different information for each piece of the clock information from at least a part of the device information selected; generating an encryption key by using at least the clock information and the selection information generated; and executing at least one of encryption processing and decryption processing on communication data by using the encryption key generated.
    Type: Grant
    Filed: October 2, 2017
    Date of Patent: August 3, 2021
    Assignee: NEC CORPORATION
    Inventor: Masakazu Ono
  • Patent number: 11075746
    Abstract: A processor includes a decode unit to decode an SM3 two round state word update instruction. The instruction is to indicate one or more source packed data operands. The source packed data operand(s) are to have eight 32-bit state words Aj, Bj, Cj, Dj, Ej, Fj, Gj, and Hj that are to correspond to a round (j) of an SM3 hash algorithm. The source packed data operand(s) are also to have a set of messages sufficient to evaluate two rounds of the SM3 hash algorithm. An execution unit coupled with the decode unit is operable, in response to the instruction, to store one or more result packed data operands, in one or more destination storage locations. The result packed data operand(s) are to have at least four two-round updated 32-bit state words Aj+2, Bj+2, Ej+2, and Fj+2, which are to correspond to a round (j+2) of the SM3 hash algorithm.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: July 27, 2021
    Assignee: Intel Corporation
    Inventors: Shay Gueron, Vlad Krasnov
  • Patent number: 11074339
    Abstract: A method of software article protection and transformation includes: retrieving a software article; identifying control flow addressing associated with the software article; removing at least a portion of the control flow addressing; and saving the at least a portion of the control flow addressing from the software article, wherein removing the at least a portion of the control flow addressing comprises replacing call and return functions with protected execution instructions, wherein the protected execution instructions replace call functions by: identifying, in a lookup table, an entry associated with a current instruction; and pushing a return address associated with the current instruction to a secure return stack; and wherein the protected execution instructions replace return functions by: popping the return address from the secure return stack; encrypting the at least a portion of the control flow addressing; and saving the at least a portion of the control flow addressing to a separate software articl
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: July 27, 2021
    Assignee: Ram Laboratories, Inc.
    Inventors: Brooke Wallace, Dean C. Mumme, Robert McGraw
  • Patent number: 11075760
    Abstract: In some implementations, a system may generate information that identifies a passphrase to be used as a biometric input. The system may receive a voice input of a user speaking the passphrase. The system may generate one or more cryptographic keys based on the voice input. The system may generate a digital identifier based on the one or more cryptographic keys. The system may generate one or more biometric templates for the user. The system may encrypt the one or more biometric templates using the one or more cryptographic keys to generate one or more encrypted biometric templates. The system may store, in a secure storage associated with the user, at least one of the digital identifier, a public key of the one or more cryptographic keys, a phone number associated with the user, or the one or more encrypted biometric templates. Numerous other aspects are provided.
    Type: Grant
    Filed: December 3, 2020
    Date of Patent: July 27, 2021
    Assignee: Accenture Global Solutions Limited
    Inventors: Daniel Bachenheimer, Thomas Jean Georges M. Moretti, Anne Alice Germaine Groeppelin, Giuseppe Giordano, Luca Schiatti, Abdoulaye Faye
  • Patent number: 11063941
    Abstract: An authentication system is provided with: a user device; user side assistance device(s) to assist user authentication that authenticates a user of the user device, and apparatus authentication that authenticates the user device; and an apparatus authentication server device to perform apparatus authentication in association with the user device. The user side assistance device(s) use distributed shares of verification information to perform multi-party computation for user authentication in association with the user device, and use distributed shares of a secret key generated by the user device, to perform multi-party computation for apparatus authentication in association with the user device.
    Type: Grant
    Filed: May 12, 2017
    Date of Patent: July 13, 2021
    Assignee: NEC CORPORATION
    Inventors: Isamu Teranishi, Jun Furukawa
  • Patent number: 11063931
    Abstract: The traditional authentication mechanism of using a public username and a constant secret password needs to be improved upon. A framework and a method are described which allow for much more secure authentication compared to the traditional username/password method. The method is useful for first party authentication as well as non-repudiation of digital information. The non-repudiation is achieved as a by-product of high entropy of the authentication method. The method relies on generation of high entropy tokens (called flakes) as a by-product of authentication. Since these tokens do not exist before being created, and their creation relies on user input, they are non-persisted proofs of user presence.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: July 13, 2021
    Inventor: Rajul Johri
  • Patent number: 11057355
    Abstract: A system protects documents at rest and in motion using declarative policies and encryption. A document at rest includes documents on a device such as the hard drive of a computer. A document in motion is a document that is passing through a policy enforcement point. The policy enforcement point can be a server (e.g., mail server, instant messenger server, file server, or network connection server).
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: July 6, 2021
    Assignee: NextLabs, Inc.
    Inventors: Keng Lim, Poon Fung, Andrew Han
  • Patent number: 11048794
    Abstract: Disclosed are example methods, systems, and devices that allow for generation and maintenance of a central identity databank for a user's digital life. The identity databank may include identity elements with payload values and metadata values corresponding to immutable attributes of the user. A multifactor identity authentication protocol allows service provider devices to more reliably validate transactions with user devices via an identity system. The identity databank may include passwords, which may be generated by the identity system linked to user accounts and/or service providers. The passwords may be provided to service provider devices, eliminating the need for users to conceive of a multitude of varying passwords for the user's accounts.
    Type: Grant
    Filed: February 6, 2019
    Date of Patent: June 29, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Peter Bordow
  • Patent number: 11050724
    Abstract: A producer communicates over a network with a user application in an infrastructure-as-a-service (IaaS) and an IaaS node. The producer encrypts content with first encryption using a first key and second encryption using a second key, to produce twice encrypted content. The producer encrypts the second key with attribute-based encryption and symmetric encryption using an IaaS key, to produce a twice encrypted second key. The producer provides to the user application the twice encrypted content, the twice encrypted second key, and key information configured to remove the first encryption from the twice encrypted content. The producer provides to the IaaS node the IaaS key to enable the IaaS node to remove the symmetric encryption from the twice encrypted second key, such that the user application and the IaaS node are constrained to exchange with each other key-related information and intermediate decryption results in order to recover the content.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: June 29, 2021
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Fabio De Gaspari, Alberto Compagno, Luca Muscariello, Giovanna Carofiglio
  • Patent number: 11050713
    Abstract: A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: June 29, 2021
    Assignee: VMware, Inc.
    Inventors: Debashis Basak, Rohit Toshniwal, Allwyn Sequeira
  • Patent number: 11050723
    Abstract: Exemplary embodiments relate to techniques for anonymizing information in an end-to-end (E2E) encrypted environment; the information may include, for example, statistical data about unique page/message views, view counts, view time, what users selected on the message or page, etc. Exemplary embodiments may prevent an E2E system server from being able to identify which user is associated with which record. Various examples are described, including an embodiment in which an originating client generates the data, encrypts it, and sends it to a random contact. The contact decrypts the data, re-encrypts it, and sends it to another random contact. The procedure continues for a set amount of time or for a set number of hops. Other embodiments relate to wrapping the data in various layers of encryption and sending the data to clients in a chain. The encrypted layers prevent clients along the chain from being able to view the anonymized data.
    Type: Grant
    Filed: December 29, 2018
    Date of Patent: June 29, 2021
    Assignee: WHATSAPP INC.
    Inventors: Jamshid Mahdavi, Ehren Andrew Kret
  • Patent number: 11050573
    Abstract: Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: June 29, 2021
    Assignee: International Business Machines Corporation
    Inventors: David S. Kern, Juan G. Lara, Mark A. McGloin, Olgierd S. Pieczul
  • Patent number: 11042647
    Abstract: An example method includes monitoring execution of one or more applications on a runtime computing system that includes a plurality of processing units, receiving, from the runtime computing system during execution of the applications, monitoring information that includes at least one of function call data or application programming interface call data associated with operations performed by the plurality of processing units during execution of the applications, importing the monitoring information into a risk model, analyzing the monitoring information within the risk model to determine one or more potential vulnerabilities and one or more impacts of the one or more vulnerabilities in the runtime computing system, and outputting, for display in a graphical user interface, a graphical representation of the one or more potential vulnerabilities and the one or more impacts within the risk model.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: June 22, 2021
    Assignee: ARCHITECTURE TECHNOLOGY CORPORATION
    Inventors: Robert A. Joyce, Matthew P. Donovan
  • Patent number: 11044254
    Abstract: Method and apparatus for allowing the changing of security values and consent data is provided. The security values allow for dynamically changing the security level and ease of access associated with performing specific transactions on specific accounts. The consent data may be pushed or pulled and when stored, may be used for future transactions, of both the same or a different type. The changing of security levels and consent data may be accomplished over the internet using mobile devices over both secure and non-secure networks.
    Type: Grant
    Filed: January 3, 2020
    Date of Patent: June 22, 2021
    Assignee: Bank of America Corporation
    Inventors: Elizabeth S. Votaw, David J. Smiddy, FNU Sidharth, Stephen T. Shannon, James Alexander
  • Patent number: 11036864
    Abstract: Methods, systems, and computer program products are included for authenticating computing devices. An exemplary method includes associating a security key with an operating system of a first computing device, wherein the security key is generated from a serial number corresponding to the first computing device. A token corresponding to the security key is sent to a second computing device. The token is accessed by the second computing device to authenticate the first computing device. An authenticated session is established between the first computing device and the second computing device. Within the authenticated session, a connection is provided between the first computing device and the second computing device.
    Type: Grant
    Filed: September 25, 2018
    Date of Patent: June 15, 2021
    Assignee: PAYPAL, INC.
    Inventor: Srini Rangaraj
  • Patent number: 11030307
    Abstract: A system for monitoring actual access to data elements in an enterprise computer network and providing associated data, the system including an at least near real time data element audit subsystem providing audit output data including at least one of a time stamp, identification of an accessor, user depository stored data regarding the accessor, accessed data element data, affected data element data, type of access operation, source IP address of access and access outcome data, in at least near real time, relating to actual access to data elements in the enterprise computer network, and an additional data providing subsystem receiving in at least near real time at least a part of the audit output data and utilizing the at least part of the audit output data for providing additional data which is not part of the audit output data.
    Type: Grant
    Filed: June 1, 2017
    Date of Patent: June 8, 2021
    Assignee: VARONIS SYSTEMS LTD.
    Inventor: Yakov Faitelson
  • Patent number: 11025613
    Abstract: A method of binding a device to an authority comprising reading pre-determined data corresponding to characteristics of the device. The method includes obtaining a pseudo-random number and combining it with the pre-determined data to generate a base number. The method includes downloading an application that performs a cryptographic function on the base number to generate a secure identifier of the device, and storing the secure identifier in a memory of the device. The method includes providing the secure identifier of the device to the authority to bind the device to the authority.
    Type: Grant
    Filed: July 11, 2019
    Date of Patent: June 1, 2021
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Marc Kekicheff, Kiushan Pirzadeh, Yuexi Chen
  • Patent number: 11025425
    Abstract: Provided are methods and systems for invalidating user security tokens. An example method may include providing, by one or more nodes in a cluster, a list of revoked security tokens. The method may include receiving, by the one or more nodes, an indication of invalidating a user security token associated with a user device. The indication may include a request from the user to invalidate the user security token. The method may further include, in response to the receiving, adding, by the one or more nodes, the user security token to the list of revoked security tokens. The user security token can be added to the list of revoked security tokens prior to the expiration time of the user security token. The method may further include replicating, by the one or more nodes, the list of revoked security tokens between further nodes of the cluster.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: June 1, 2021
    Assignee: Elasticsearch B.V.
    Inventor: Jayesh Modi