Patents Examined by Michael Simitoski
  • Patent number: 11741224
    Abstract: An apparatus and method include generating a trusted computing base (TCB) component identifier (TCI) of a current component of a computing system, generating a compound device identifier (ID) (CDI) of the current component from a CDI of a previous component of the computing system and the TCI of the current component, and determining a size of the TCI of the current component. The system and method further include summing the size of the TCI of the current component and the cumulative size of the TCIs of previous components of the computing system to generate a current cumulative size, combining the current cumulative size and the CDI of the current component, and including the combined current cumulative size and the CDI of the current component in a chain of measurements for attestation of the computing system.
    Type: Grant
    Filed: September 20, 2021
    Date of Patent: August 29, 2023
    Assignee: INTEL CORPORATION
    Inventors: Ned M. Smith, Daniel Middleton
  • Patent number: 11734408
    Abstract: Described embodiments provide systems, methods, and non-transitory computer-readable media for using a single sign-on (SSO) to access an application. A client application on a client device is in communication with an identity provider and an application on a remote computing device. The client application can authenticate a user via an identity provider to establish an authentication session. The client application can identify a request to access a uniform resource locator (URL) of the application hosted on the remote computing device. The client application can determine that a configuration of the client application identifies that a remapped URL for the URL is available. The client application can access the remapped URL instead of the URL to cause the user to use the authentication session of the identity provider and be redirected from the identity provider to a link of the application on the remote computing device.
    Type: Grant
    Filed: July 15, 2021
    Date of Patent: August 22, 2023
    Assignee: Citrix Systems, Inc.
    Inventors: Ashish Gujarathi, Santosh Sampath Gummunur Chiranjeevi, Krishna Kumar, Deepak Sharma
  • Patent number: 11716207
    Abstract: Dynamic-PKI social Certificate Authority (CA) systems and methods are provided, which generate and issue certificates at time of device deployment instead of time of manufacture. The provided systems and methods utilize an interface to initiate a Certificate Signing Request (CSR), and which then generates and signs the CSR with a public key. The signed CSR is then securely transmitted to a Certificate Signing Request Processor (CSRP), which undergoes an optional verification process and is then processed to return a signed certificate. The signed certificate is then directly or indirectly provided to the device for provisioning into the network.
    Type: Grant
    Filed: November 1, 2021
    Date of Patent: August 1, 2023
    Assignee: Cable Television Laboratories, Inc.
    Inventor: Darshak Thakore
  • Patent number: 11709950
    Abstract: Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: July 25, 2023
    Assignee: SheeldS Cyber Ltd.
    Inventors: Gil Litichever, Ziv Levi
  • Patent number: 11704411
    Abstract: A computing system and method has a pre-boot operating system stored in an encrypted form according to a first key on a first portion of a non-volatile data storage drive and a main operating system stored in an encrypted form according to a second key on a second portion of the non-volatile data storage drive. A system built in operating system (BIOS) chip is configured to initiate a first authentication process, obtain the first key after successful completion of the first authentication process, load and decrypt the pre-boot operating system into dynamic memory, and cause the pre-boot operating system to run. The pre-boot operating system is configured to initiate a second authentication process, obtain the second key after successful completion of the second authentication process, load and decrypt the main operating system into dynamic memory, and cause the main operating system to run.
    Type: Grant
    Filed: December 10, 2020
    Date of Patent: July 18, 2023
    Assignee: NCR Corporation
    Inventor: Graham Flett
  • Patent number: 11706617
    Abstract: Blockchain technology is used to provide distributed authentication, entitlements and trust among different virtual Radio Access Network (vRAN) elements. An enterprise blockchain with interfaces enables multi-vendor vRAN deployment across multiple service providers. In another embodiment, a method is provided for authenticating entities in a virtualized radio access network to ensure various entities are in fact entitled to participate in various radio access network operations.
    Type: Grant
    Filed: August 21, 2019
    Date of Patent: July 18, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Om Prakash Suthar, Rajiv Asati, Santanu Dasgupta
  • Patent number: 11698969
    Abstract: Techniques for measuring firmware at the point and time of execution are described. Hardware logic can be implemented in a processing unit that is tasked with executing firmware code to make on-the-fly measurements of the instructions being executed by the processing unit. For example, an instruction register that stores instructions being executed by the processing unit can be monitored to obtain a set of instructions corresponding to the firmware being executed. Firmware verification circuitry can be implemented to compute a cryptographic measurement of the instructions being executed to verify the authenticity of the firmware.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: July 11, 2023
    Assignee: Amazon Technologies, Inc.
    Inventor: Rene Ernesto Henriquez Garcia
  • Patent number: 11700120
    Abstract: A pairing apparatus according to an exemplary embodiment of the present invention includes: a noise filtering part for filtering a noise on a power line; and a processor for pairing with a pairing target device and performing an authentication by generating a secret key using the filtered noise and by using the generated secret key.
    Type: Grant
    Filed: March 30, 2021
    Date of Patent: July 11, 2023
    Inventors: Kyuin Lee, Younghyun Kim, Suman Banerjee, Neil Klingensmith
  • Patent number: 11695737
    Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.
    Type: Grant
    Filed: April 4, 2022
    Date of Patent: July 4, 2023
    Assignee: Akamai Technologies, Inc.
    Inventor: Jason C. Bonci
  • Patent number: 11696124
    Abstract: Presented herein are techniques to facilitate secure communications with an Application Function (AF) for a client device that does not support Authentication and Key Management for Applications (AKMA) functionality. In one example, a method includes obtaining, by a user plane function (UPF), a first uplink data packet from a client device, wherein the first uplink data packet is to be communicated to an application; determining, by the UPF based on the first uplink data packet, whether the client device supports AKMA functionality; based on determining that the client device does not support the AKMA functionality, buffering at least the first uplink data packet by the user plane function and determining whether the application supports the AKMA functionality; and based on determining that the application supports the AKMA functionality, performing AKMA functionality by the UPF for the client device for data communications between the client device and the application.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: July 4, 2023
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Vimal Srivastava, Ravi Shekhar
  • Patent number: 11689359
    Abstract: A method includes sending, to a compute device and via a private channel, a public key for asymmetric encryption. The method also includes concurrently authenticating the compute device and generating a traffic key for symmetric encryption, based at least in part on the public key. The method further includes sending a message to the compute device, the message being encrypted using the traffic key via the symmetric encryption.
    Type: Grant
    Filed: April 20, 2020
    Date of Patent: June 27, 2023
    Assignee: Blue Ridge Networks, Inc.
    Inventors: Thomas A. Gilbert, Kenneth A. Hardwick, Srinivas R. Mirmira
  • Patent number: 11689577
    Abstract: A method comprising: receiving a request from a second application to access information from a first application, said first and second applications installed on a user equipment, and in response to said request, determining whether said second application is operating in accordance with at least one rule.
    Type: Grant
    Filed: December 1, 2021
    Date of Patent: June 27, 2023
    Assignee: Nokia Technologies Oy
    Inventor: Sami Kalervo Majaniemi
  • Patent number: 11683292
    Abstract: A method for use with a public cloud network is disclosed. The method includes setting up at least one private cloud routing server (PCRS) and at least one smart device client on the side of the PCRS in a client server relationship. It also includes setting up at least another smart device client on the side of the PCCBS in a client server relationship with the at least one private cloud call-back server (PCCBS). The private cloud call-back server acts as a middleman to relay communication between the smart device client on the side of the PCCBS and the private cloud routing server. The PCCBS will call back the private cloud routing server on demand based on the smart device client request. The at least one private cloud call-back server includes a first message box associated therewith.
    Type: Grant
    Filed: February 12, 2021
    Date of Patent: June 20, 2023
    Assignee: KINGSTON DIGITAL, INC.
    Inventor: Ben Wei Chen
  • Patent number: 11683288
    Abstract: A method for a computer or microchip with one or more inner hardware-based access barriers or firewalls that establish one or more private units disconnected from a public unit or units having connection to the public Internet and one or more of the private units have a connection to one or more non-Internet-connected private networks for private network control of the configuration of the computer or microchip using active hardware configuration, including field programmable gate arrays (FPGA). The hardware-based access barriers include a single out-only bus and/or another in-only bus with a single on/off switch.
    Type: Grant
    Filed: February 26, 2021
    Date of Patent: June 20, 2023
    Inventor: Frampton E. Ellis
  • Patent number: 11675891
    Abstract: An image forming apparatus includes: a processor configured to: execute a linking application for a linkage with a specific service, to receive a linkage request from a user through the specific service; and perform an authenticating process that authenticates a user who uses the image forming apparatus, using user information on the user who uses the specific service linked as a result of an approval of the received linkage request.
    Type: Grant
    Filed: May 12, 2021
    Date of Patent: June 13, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Takuya Togashi
  • Patent number: 11669805
    Abstract: Described herein is a system, method, and non-transitory computer readable medium related to a service provider using a third party identity provider to authenticate a user with improved security. An authentication token is received from the identity provider, and can be verified against internal configuration information. The internal configuration information includes data that is not included in the authentication token, and therefore, is not vulnerable to some security attacks, such as a man-in-the-middle attack. After the authentication token is verified, the internal configuration information and authentication token may be used to create a custom identifier, referred to as an identity ID. The identity ID may be used by the service provider to verify user access to resources.
    Type: Grant
    Filed: May 22, 2020
    Date of Patent: June 6, 2023
    Assignee: Capital One Services, LLC
    Inventors: Dinesh Sundaram, Jacob Creech
  • Patent number: 11665198
    Abstract: A verification server comprising a memory and a processor programmed to execute instructions stored in the memory. The instructions include receiving a link registration request including a third-party link to a third-party server, validating the third-party server as a result of receiving the link registration request, generating a unique code as a result of validating the third-party server, and generating a custom link that includes the unique code.
    Type: Grant
    Filed: May 17, 2022
    Date of Patent: May 30, 2023
    Assignee: BLACKBERRY LIMITED
    Inventor: Adam John Boulton
  • Patent number: 11652822
    Abstract: Techniques for deperimeterized access control are described. A method of deperimeterized access control may include receiving, by a controller of a deperimeterized access control service, a single packet authorization (SPA) request for a session ticket from an agent on an electronic device, wherein the agent sends the request for the session ticket in response to intercepting traffic destined for a service associated with the deperimeterized access control service and determining that the agent does not have a session ticket for the service, authorizing the SPA request, providing a session ticket to the agent based on the request, receiving, by a gateway of the deperimeterized access control service, a request to initiate a session with a service, the request including the session ticket, validating the session ticket, and providing session parameters to the agent to be used to initiate the session between the electronic device and the service.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: May 16, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Maciej Broda, Eric Jason Brandwine, Matthew Schwartz
  • Patent number: 11651088
    Abstract: Security system for protecting a vehicle electronic system by selectively intervening in the communications path in order to prevent the arrival of malicious messages at ECUs, in particular at the safety critical ECUs. The security system includes a filter which prevents illegal messages sent by any system or device communicating over a vehicle communications bus from reaching their destination. The filter may, at its discretion according to preconfigured rules, send messages as is, block messages, change the content of the messages, request authentication or limit the rate such messages can be delivered, by buffering the messages and sending them only in preconfigured intervals.
    Type: Grant
    Filed: June 20, 2022
    Date of Patent: May 16, 2023
    Assignee: SheeldS Cyber Ltd.
    Inventors: Gil Litichever, Ziv Levi
  • Patent number: 11652647
    Abstract: In an authentication system (120) of an organization that is another organization different from a first organization that a first user belongs to, a management device (200) accepts a registration transaction for a client certificate of the first user. Then, the management device registers the client certificate of the first user in a client certificate blockchain. When the first user accesses a service of another organization from a user terminal of the first organization, an authentication device (300) authenticates the first user using the client certificate of the first user in the client certificate blockchain.
    Type: Grant
    Filed: August 11, 2020
    Date of Patent: May 16, 2023
    Assignee: Mitsubishi Electric Corporation
    Inventors: Masaya Honjo, Mitsuhiro Matsumoto