Pre-loaded With Certificate Patents (Class 713/173)
  • Patent number: 11966942
    Abstract: A device may process a message associated with an account to identify a first identifier that identifies a third party. The device may identify a match between the first identifier and transaction information related to an individual associated with the account. The transaction information may include a set of first identifiers that identify a respective set of third parties. The transaction information may facilitate identification of one or more messages that are likely to include account information. The device may tag the message with a second identifier based on the match. The device may receive, from another device, the message based on the message being tagged with the second identifier. The device may process the message to identify the account information related to another account. The device may extract identified account information from the message. The device may perform an action related to extracted account information or the message.
    Type: Grant
    Filed: March 13, 2023
    Date of Patent: April 23, 2024
    Assignee: Capital One Services, LLC
    Inventors: Dan Givol, Victor Mayaki, Zviad Aznaurashvili
  • Patent number: 11941408
    Abstract: During a boot-up processing of a computing device, such as an augmented reality wearable device, a static image and a bootup process progress bar may be encoded in a single image file, such as a bitmap image, and displayed in conjunction with updates that are applied to a hardware gamma table at various stages of the bootup process to create the effect of an animated progress bar.
    Type: Grant
    Filed: December 2, 2020
    Date of Patent: March 26, 2024
    Assignee: Magic Leap, Inc.
    Inventors: Marshall Charles Capps, Anuroop Suresh Jesu
  • Patent number: 11917084
    Abstract: Described herein is a system and method for validating media integrity using asymmetric key cryptography utilizing a public/private cryptographic key pair. The private key is kept secret and is known to an originator and/or publisher of a media file. The public key is added to the media file and is used to validate integrity of the media file, that is, that content of the media file (e.g., portion(s), frame(s)) has not been altered since publication of the media file. By validating integrity of the media file, strong proof that the media file came from an owner of the keypair (e.g., had possession of the private key) can be obtained, for example, resolving issues of trust and/or authenticity common in altered content. In some embodiments, information regarding an origin of the content can further be determined.
    Type: Grant
    Filed: August 8, 2022
    Date of Patent: February 27, 2024
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Rebecca Nicole Burke-Aguero, Samuel John Wenker, Andrew Lee Jenks, Isha Sharma
  • Patent number: 11888998
    Abstract: Techniques for configuring a device with a security context using a security context distribution service are provided. One embodiment receives, from a first device operating on a first network, a request for a security context for the first device, where the request includes a public certificate for the first device. The request is decrypted, and the public certificate is validated. A set of device requirements are determined based on a unique identifier for the first device and device claim information associated with the first device. Embodiments generate a response message that contains at least one Transport Layer Security (TLS) certificate associated with the first network, based on the set of device requirements, where the response message is encrypted using a public key associated with the first device. The response message is transmitted to the first device.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: January 30, 2024
    Assignee: Schneider Electric USA, Inc.
    Inventors: Victor Danilchenko, Daniel Cohen
  • Patent number: 11876791
    Abstract: Systems, methods, circuits and computer-readable mediums for message authentication with secure code verification are provided. In one aspect, a system includes a client device storing a code and a security device coupled to the client device. The security device is configured to receive a property of the code generated by the client device, verify correctness of the property of the code based on information associated with an authorized code to determine that the code is authorized, the information being stored within the security device. In response to determining that the code is authorized, the security device enables to access data stored within the security device and generate a property of a message based on the data.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: January 16, 2024
    Assignee: Amtel Corporation
    Inventors: Kerry Maletsky, Oscar Sanchez, Nicolas Schieli
  • Patent number: 11868512
    Abstract: A pattern detector circuit is provided in a security chip, wherein the pattern detector circuit monitors accesses of a plurality of configuration registers, each of the plurality of configuration registers having a corresponding address. In response to receiving from a host a predefined sequence of accesses of the plurality of configuration registers for one or more operations to the plurality of configuration registers, a processor in the pattern detector circuit determines a value indicative of a current version of a netlist for the security chip. The determined value is made available to be obtained by a read operation by the host at a specific configuration register address.
    Type: Grant
    Filed: September 4, 2020
    Date of Patent: January 9, 2024
    Assignee: CRYPTOGRAPHY RESEARCH, INC.
    Inventors: Scott C. Best, Christopher Leigh Rodgers
  • Patent number: 11860990
    Abstract: A system for link device authentication includes a computing device configured to acquire, from an originating device, an identifier of an endpoint device, obtain an endpoint device authentication code corresponding to the identifier, determine, as a function of the identifier, a location of the endpoint device, identify a plurality of link devices, select, from the plurality of link devices, at least a probabilistically verified link device as a function of the location of the endpoint device, and transmit, to the at least a probabilistically verified link device, the endpoint device authentication code.
    Type: Grant
    Filed: October 6, 2021
    Date of Patent: January 2, 2024
    Inventor: Mark Lawson
  • Patent number: 11836277
    Abstract: A secure integrated circuit comprises a lower logic layer, and one or more memory layers disposed above the lower logic layer. A security key is provided in one or more of the memory layers for unlocking the logic layer. A plurality of connectors are provided between the one or more memory layers and the lower logic layer to electrically couple the memory layer(s) and lower logic layer.
    Type: Grant
    Filed: June 22, 2021
    Date of Patent: December 5, 2023
    Assignee: CROSSBAR, INC.
    Inventor: George Minassian
  • Patent number: 11764954
    Abstract: Techniques are disclosed relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: September 19, 2023
    Assignee: Apple Inc.
    Inventors: Wade Benson, Libor Sykora, Vratislav Kuzela, Michael Brouwer, Andrew R. Whalley, Jerrold V. Hauck, David Finkelstein, Thomas Mensch
  • Patent number: 11764975
    Abstract: A method for validating a digital user certificate of a user by a checking device is provided. The user certificate is protected by a digital signature with an issuer key of an issuance location which issues the user certificate. The method has the steps of: receiving the user certificate in the checking device, checking the user certificate using a certificate path positive list with at least one valid certificate path which is provided to the checking device by at least one positive path server, and confirming the validity of the user certificate if the issuer key of the user certificate can be traced back to a root certificate according to one of the valid certificate paths of the certificate path positive list. Also provided is a system, a checking device, a user device, a positive path server, and a computer program product which are designed to carry out the method for validating a digital user certificate.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: September 19, 2023
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11631074
    Abstract: In various embodiments, a system, method, and computer readable medium (collectively, the “System”) for authenticating a mobile device configured to initiate payments is provided. The System may be configured to perform operations and/or steps comprising receiving, by the processor and in a secure environment, a secret element. The secret element may be transmitted to the processor (e.g., the issuer system) via a payment terminal. The System may further comprise comparing, by the processor and in the secured environment, the secret element to an issuer element. The issuer element may be linked with a flag that is associated with the transaction account. Moreover, the issuer element may be a data module that corresponds to but is not equal to the secret element. The System may also comprise authorizing, by the processor, a transaction initiated by the mobile device in response to the comparing being a satisfactory comparison.
    Type: Grant
    Filed: December 6, 2018
    Date of Patent: April 18, 2023
    Assignee: American Express Travel Related Services Company, Inc.
    Inventor: Alan Clark
  • Patent number: 11574298
    Abstract: There are provided systems and methods for a payment information autofill mechanism that links a browser application with a user account such that a payment page at the browser application can be automatically filled based on the link. Specifically, the autofill mechanism establishes a link between a browser application running on a user device and a user account associated with the user that is stored at the server. When the user engages with the browser application to conduct a transaction on a merchant website, an application programming interface (API) call can be made to retrieve user virtual card information for automatically populating the payment data fields at the transaction page.
    Type: Grant
    Filed: August 18, 2020
    Date of Patent: February 7, 2023
    Assignee: PayPal, Inc.
    Inventors: Rachna Tibrewala, Darshankumar Bhadrasinh Desai, Dinesh Agnello Gomes
  • Patent number: 11550933
    Abstract: This disclosure relates to, among other things, electronic device security systems and methods. Certain embodiments disclosed herein provide for protection of cryptographic keys and/or associated operations using both an operating system security service and a software-based whitebox cryptographic security service executing on a device. Leveraging operating system security services and software-based whitebox cryptographic security services may provide enhanced security when compared to using either service alone to protect cryptographic keys and associated operations. In additional embodiments, server-side cryptographic security solutions may be further used to enhance device security implementations.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: January 10, 2023
    Assignee: Intertrust Technologies Corporation
    Inventors: Yutaka Nagao, Stephen G. Mitchell, Vishisht Tiwari, Rohaan Advani
  • Patent number: 11552807
    Abstract: A method includes sending, by a trusted application (TA) entity, a certificate of the TA entity and a private key signature of the TA entity to a target security domain (SD). The certificate and the private key signature enable the target SD to perform trust verification via a server, obtaining, by the TA entity, a first key of the target SD when the trust verification of the TA entity succeeds, and establishing, by the TA entity, a trust relationship with the target SD.
    Type: Grant
    Filed: September 18, 2017
    Date of Patent: January 10, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Guoqing Li, Xinmiao Chang, Jingqing Mei, Sishan Wang
  • Patent number: 11539399
    Abstract: The exemplary embodiments described herein relate to systems and methods for identifying and authenticating a mobile platform. One embodiment relates to a method comprising receiving, by a mobile platform, a digital certificate from an integrated circuit card (“ICC”) via close-proximity radio communication, verifying the digital certificate with a digital signature stored on the mobile platform, and booting the mobile platform upon verification of the digital certificate of the ICC. A further embodiment relates to a mobile platform, comprising a non-transitory computer readable storage medium storing a digital signature, and a processor receiving a digital certificate from an integrated circuit card (“ICC”) via close-proximity radio communication between the ICC and the mobile platform, verifying the digital certificate with the digital signature, booting the mobile platform upon verification of the digital certificate of the ICC.
    Type: Grant
    Filed: March 4, 2013
    Date of Patent: December 27, 2022
    Assignee: WIND RIVER SYSTEMS, INC.
    Inventor: Aric Shipley
  • Patent number: 11310061
    Abstract: Methods and content consumption devices are disclosed that enable a revocation list to be securely enforced and managed, in terms of enforcing version control and providing granular control of individual capabilities, for example. Aspects also relate to enhanced enforcement control of content consumption control information more generally, for example by enforcing version control of activation messages, and/or granular management of individual capabilities.
    Type: Grant
    Filed: November 28, 2018
    Date of Patent: April 19, 2022
    Assignee: Nagravision S.A.
    Inventors: Jean-Bernard Fischer, Patrick Servet, Didier Hunacek
  • Patent number: 11138593
    Abstract: A method of activating a smart card includes issuing a smart card in a deactivated state such that the smart card is incapable of performing a transaction; receiving an authentication token from a mobile device via a wireless communication of the authentication token from the smart card in the deactivated state to the mobile device; extracting data from the authentication token; confirming the extracted data corresponds to stored data regarding a customer who was issued the smart card; and in response to confirming the extracted data, enabling the smart card for a subsequent transaction.
    Type: Grant
    Filed: March 4, 2019
    Date of Patent: October 5, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Peter Ho
  • Patent number: 11095460
    Abstract: Implementations of this disclosure provide for certificate application operations. An example method includes sending, from a terminal device, a subscription topic name to a gateway to establish a data transmission channel between the terminal device and the gateway; receiving by the terminal device, via the data transmission channel, a certificate installation instruction from a certificate server; generating, by the terminal device, a user certificate request based on the certificate installation instruction; sending the user certificate request to the certificate server; and receiving, via the data transmission channel, a user certificate from the certificate server.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: August 17, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Yawen Wei
  • Patent number: 11082430
    Abstract: Technology is described for a device registration service for a local computing environment. The device registration service may provide one or more computing hubs within the local computing environment with robust means to authenticate or verify the authority of a computing device (e.g., a computer, a server, a mobile device, smart phone, a tablet), and/or other devices requesting access to the local computing environment. The device registration service provided by the one or more computing hubs may be used in addition to, in place of, or as a backup to device management and provisioning services provided remotely from the local computing environment using a service provider environment.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: August 3, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Calvin Yue-Ren Kuo, Robert P. Cochran
  • Patent number: 11030682
    Abstract: Systems and methods for programmatic access of external financial service systems. An application proxy instance is created that simulates an application of an external financial service system. A normalized account request is received for financial data of the external financial service system for a specified account. The normalized account request is provided by an external financial application system by using a financial data API of the financial platform system. Responsive to the normalized account request, communication is negotiated with the external financial service system by using the application proxy instance to access the requested financial data from the external financial service system by using a proprietary Application Programming Interface (API) of the external financial service system. The financial data is provided to the external financial application system as a response to the normalized account request.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: June 8, 2021
    Assignee: Plaid Inc.
    Inventors: William Hockey, Charles Li, Zach Perret
  • Patent number: 10958449
    Abstract: Implementations of this disclosure provide for certificate application operations. An example method includes sending, from a terminal device, a subscription topic name to a gateway to establish a data transmission channel between the terminal device and the gateway; receiving by the terminal device, via the data transmission channel, a certificate installation instruction from a certificate server; generating, by the terminal device, a user certificate request based on the certificate installation instruction; sending the user certificate request to the certificate server; and receiving, via the data transmission channel, a user certificate from the certificate server.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: March 23, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Yawen Wei
  • Patent number: 10931466
    Abstract: Implementations of this disclosure provide for certificate application operations. An example method includes sending, from a terminal device, a subscription topic name to a gateway to establish a data transmission channel between the terminal device and the gateway; receiving by the terminal device, via the data transmission channel, a certificate installation instruction from a certificate server; generating, by the terminal device, a user certificate request based on the certificate installation instruction; sending the user certificate request to the certificate server; and receiving, via the data transmission channel, a user certificate from the certificate server.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: February 23, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Yawen Wei
  • Patent number: 10911491
    Abstract: An aspect includes a computer system with a network encryption device and a trusted container within firmware or hardware and/or within a virtual machine running on the computer system. The network encryption device includes a key store for storing secret encryption keys and a network traffic encryption engine for negotiating and/or storing encryption keys in the key store and/or for encrypting and/or decrypting network traffic using the encryption keys from the key store. The trusted container includes a flow analyzer for analyzing network traffic received from the network encryption device.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: February 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Marco Kraemer, Hoang-Nam Nguyen, Carsten Otte, Christoph Raisch
  • Patent number: 10880294
    Abstract: In a machine-to-machine/Internet-of-things environment, end-to-end authentication of devices separated by multiple hops is achieved via direct or delegated/intermediated negotiations using pre-provisioned hop-by-hop credentials, uniquely generated hop-by-hop credentials, and/or public key certificates, whereby remote resources and services may be discovered via single-hop communications, and then secure communications with the remote resources may be established using secure protocols appropriate to the resources and services and capabilities of end devices, and communication thereafter conducted directly without the overhead or risks engendered by hop-by-hop translation.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: December 29, 2020
    Assignee: Convida Wireless, LLC
    Inventors: Vinod Kumar Choyi, Dale N. Seed, Yogendra C. Shah, Quang Ly, William Robert Flynn, IV, Michael F. Starsinic, Shamim Akbar Rahman, Zhuo Chen, Qing Li
  • Patent number: 10671709
    Abstract: Certain aspects of the present disclosure provide techniques for managing data in a plurality of nodes of a distributed system. Embodiments include storing, by a node of the plurality of nodes, sensitive data in a block of a hash chain. Embodiments further include determining, by the node, that the sensitive data should not be distributed to other nodes of the plurality of nodes. Embodiments further include distributing, by the node, a limited version of the block to the other nodes. The limited version of the block may comprise a hash and a pointer to a previous block of the hash chain, and the limited version of the block may not contain the sensitive data.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: June 2, 2020
    Assignee: INTUIT, INC.
    Inventors: Michael R. Gabriel, Glenn Scott
  • Patent number: 10630488
    Abstract: Embodiments provide a method and an apparatus for managing an application identifier. The method includes: receiving, by an identifier management apparatus, an application identifier certificate application request sent by a user, and acquiring a user identifier and an application identifier of the user according to the application identifier certificate application request. The method also includes acquiring a feature identifier of the user according to the user identifier, generating an application identifier certificate according to the application identifier and the feature identifier of the user, and sending the application identifier certificate to the user.
    Type: Grant
    Filed: April 26, 2017
    Date of Patent: April 21, 2020
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Yingtao Li, He Wei, Jinbo Ma
  • Patent number: 10601796
    Abstract: Systems, methods, and computer-readable media for personalizing program credentials are provided. For example, a program credential (e.g., loyalty pass) associated with a program provider (e.g., an issuer) subsystem may be customized using personal data. The personal data can be collected from an electronic device before provisioning the customized program credential on the electronic device for use in a suitable transaction. However, such personal data may not be collected unless an administration entity subsystem is first able to validate the program provider subsystem. The administration entity subsystem can generate tracking data that may be used during the validation and/or provisioning in order to track when program credentials are personalized.
    Type: Grant
    Filed: March 17, 2017
    Date of Patent: March 24, 2020
    Assignee: APPLE INC.
    Inventors: Christopher D. Adams, Scott D. Blakesley, Jack K. Chung, George R. Dicker, Glen W. Steele, Katherine B. Skinner, Yousuf H. Vaid
  • Patent number: 10554418
    Abstract: Provided are a system and method for routing messages in a multi-tenant cloud computing environment based on digital certificates. In one example, a server includes a network interface configured to receive a request and a digital certificate from a network object, where the digital certificate includes a plurality of attributes. The server also includes a processor configured to determine whether the digital certificate is valid, and in response to determining the digital certificate is valid, detect tenant information from an attribute among the plurality of attributes included in the digital certificate. For example, the detected tenant information may identify a tenant of the multi-tenant cloud computing environment. The network interface may be further configured to transmit the request to the multi-tenant cloud computing environment based on the detected tenant information.
    Type: Grant
    Filed: June 24, 2016
    Date of Patent: February 4, 2020
    Assignee: General Electric Company
    Inventors: Atul Chandrakant Kshirsagar, Vineet Banga
  • Patent number: 10515196
    Abstract: Embodiments of the disclosure implement techniques to create secure Original Equipment Manufacturer (OEM) identifiers. In one embodiment, a processing system is disclosed. The processing system includes a memory to store an Original Equipment Manufacturer (OEM) key and a processing device, operatively coupled to the memory. The processing device is to receive the OEM key for an OEM system as input to a cryptographic hash function. A device key is produced by applying the cryptographic hash function to the OEM key and a global key associated with a vendor of the OEM system. The device key is provided to a security firmware device to authenticate the OEM system.
    Type: Grant
    Filed: June 27, 2016
    Date of Patent: December 24, 2019
    Assignee: Intel Corporation
    Inventors: Rauno Tamminen, Jari Lukkarila, Uttam Sengupta
  • Patent number: 10333775
    Abstract: Disclosed herein are systems, devices, and methods for provisioning a local analytics device to interact with a remote computing system on behalf of an asset that is coupled to the local analytics device and that is associated with a particular customer account hosted by the remote computing system.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: June 25, 2019
    Assignee: Uptake Technologies, Inc.
    Inventors: Brad Nicholas, Brett Heliker
  • Patent number: 10305898
    Abstract: During secure communications between two parties, the identity of the message creator is not always certain. In many cases, the signature of the message is automatically generated by the computer of the sending party. On the other hand, the signature of the received message from the sender indicates only from whose account the message comes, but it may not be the sender himself sending the message. In this patent, we propose the use of a personal attribute to be included in the secure message protocols. This personal attribute could be the personal typing rhythm (keystroke dynamics) of the message originator. This patent defines a methodology and algorithms for two different cases: when the information is encrypted, and when it is not. Also included in this methodology are the cases where a Rhythm Certification Agency (RCA) is used to validate rhythm information, or without an RCA.
    Type: Grant
    Filed: April 22, 2018
    Date of Patent: May 28, 2019
    Inventor: Carlos Manuel Gonzalez
  • Patent number: 10262158
    Abstract: A firmware includes a firmware module for copying a digitally signed binary file that includes a firmware globally unique identifier (GUID), tool GUIDs, and feature GUIDs to an Advanced Configuration and Power Management interface (ACPI) table (the Firmware Enabled Tool Registry (FETR) table). If the FETR table is stored in memory, a firmware tool determines whether a digital signature of the signed binary file can be verified. If the digital signature can be verified, the firmware tool determines if the firmware GUID stored in the FETR table matches a firmware GUID stored in another ACPI table. If the firmware GUIDs match, the firmware tool determines whether its tool GUID matches a tool GUID stored in the FETR table. The firmware tool can continue to execute if the tool GUIDs match. Firmware tool features are enabled if feature GUIDs in the FETR table match feature GUIDs of the firmware tool.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: April 16, 2019
    Assignee: American Megatrends, Inc.
    Inventors: Stefano Righi, Paul Anthony Rhea
  • Patent number: 10206103
    Abstract: Systems and methods of providing a secure access layer in a mobile phone and a computer system coupled to the mobile phone to provide authentication for transmitting data between the phone and the computer system.
    Type: Grant
    Filed: August 5, 2016
    Date of Patent: February 12, 2019
    Assignee: FUTURE DIAL, INC.
    Inventor: Benedict Chong
  • Patent number: 10158608
    Abstract: It is disclosed a method and a constrained resource device (502, 70, 90) for establishing a secret first key between a client device (506) and the constrained resource device. The invention also relates to a method and an authorization server (504, 60, 80) for enabling establishing a secret first key between a client device (506) and the constrained resource device. Based on a secret second key shared (508) between the constrained RD and the AS, the secret first key shared between the constrained resource device and the client device can be established. Devices having constrained resources cannot use protocols with which additional messages are required to share a secure identity. Embodiments of the present invention have the advantage that a secret identity can be established within an authentication protocol and that no additional messages are required to establish the secret identity.
    Type: Grant
    Filed: July 2, 2013
    Date of Patent: December 18, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventor: Göran Selander
  • Patent number: 10013565
    Abstract: An information handling system includes a trusted platform module (TPM) and a storage device, the TPM provides boot authentication for the information handling system such that, during a pre-boot phase, the TPM can access a platform configuration register (PCR). During a first instance of the pre-boot phase, the information handling system provides a public/private key pair including a public key and a private key, stores the private key to an encrypted storage of the TPM, seals the private key in the encrypted storage to the PCR, and stores the public key to the storage device. During an operating system phase that is after the first instance of the pre-boot phase, the information handling system retrieves the public key from the storage device, encrypts transfer data using the public key, and stores the encrypted transfer data to the storage device.
    Type: Grant
    Filed: August 18, 2014
    Date of Patent: July 3, 2018
    Assignee: DELL PRODUCTS, LP
    Inventors: Ricardo L. Martinez, Anand P. Joshi
  • Patent number: 9985939
    Abstract: In a case in which information about authorization that is identified based on an authorization token issued in an old authentication system satisfies a condition, the old authorization token is updated with a new authorization token.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: May 29, 2018
    Assignee: Canon Kabushiki Kaisha
    Inventor: Masahito Numata
  • Patent number: 9918226
    Abstract: The disclosed embodiments relate to a first electronic device (such as a cellular telephone) that includes a secure element. In response to a challenge and a request for a secure-element identifier associated with the secure element, which are received from a second electronic device (such as a trusted services manager that loads content onto the secure element), the secure element provides to the second electronic device: the secure-element identifier, a certificate associated with a provider of the secure element, and a digital signature. The digital signature may include a signed version of the challenge and the secure-element identifier, which are encrypted using an encryption key associated with a provider of the secure element. In this way, the second electronic device may certify the secure element.
    Type: Grant
    Filed: September 2, 2014
    Date of Patent: March 13, 2018
    Assignee: APPLE INC.
    Inventor: Ahmer A. Khan
  • Patent number: 9471948
    Abstract: The product unit disclosed herein has identification data that are stored internally in memory. This stored identification data can be viewed as the product unit's “digital nameplate,” in that the data can represent the product unit's identifier, brand, and so on. Each data set is digitally signed while on the production line by using an encryption technique. The digitally signed data set is then written into the product unit's memory where it can be used for verification. A first digitally-signed data set can be used to control the use of one or more software modules that are provided by a software owner. The data that are undergoing signature contain at least one globally-unique identifier, which can be used to identify cloning attempts. Additionally, more than one digital signature can be used, in order to protect and control the use of features other than the software, such as the product brand.
    Type: Grant
    Filed: December 8, 2014
    Date of Patent: October 18, 2016
    Assignee: Seed Labs Sp. z o.o.
    Inventors: Maciej Langman, Szymon Slupik, Adam Gembala
  • Patent number: 9450951
    Abstract: In one embodiment, a device and a services provisioning system establish an over-the-air connection with each other, and perform device posture validation to obtain a unique identification (ID) of the device at the provisioning system. The device and provisioning system then participate in device and user authentication in response to a confirmed unique ID by a backend access control system, where the device generates a secure key pair after successful user authentication. In response to the device being approved for services (e.g., checked by the provisioning system via a registration system), the provisioning system provides a root certificate to the device, and the device sends a certificate enrollment request back to the provisioning system. In response to a certificate authority signing the certificate request, the provisioning system returns a valid certificate to the device, and the valid certificate is installed on the device.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: September 20, 2016
    Assignee: Cisco Technology, Inc.
    Inventors: Plamen Nedeltchev, Helder F. Antunes, David Sisto Iacobacci, Pedro Leonardo, Parag Thakore, Gautam M. Aggarwal, Anuj Sawani
  • Patent number: 9405925
    Abstract: Applications are stored on removable storage of a mobile device in an encrypted form to provide isolation and piracy protection. In one implementation, each application is encrypted using its own associated encryption key that is generated based on an identifier of the application and a master key that is associated with a trusted platform module of the mobile device. In another implementation, each application is encrypted using two associated encryption keys. One key is used to encrypt binary data associated with the application such as source code, and the other key is used to encrypt application data such as graphics and configuration files. The encryption keys are each generated using the identifier of the application, the master key, and identifiers of the folders where the corresponding data types are stored on the mobile device. The removable storage includes SD cards formatted using the FAT or exFAT file systems.
    Type: Grant
    Filed: February 9, 2014
    Date of Patent: August 2, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Callaghan, Ravisankar Pudipeddi, Geir Olsen, Sachin Patel, JianMing Zhou, Dylan D'Silva
  • Patent number: 9385871
    Abstract: An apparatus and method for authenticating a Non-Volatile Memory (NVM) device are provided. A host device that authenticates the NVM device transmits challenge information for authentication to the NVM device, receives pieces of authentication information in response to the challenge information from the NVM device, and authenticates the NVM device using the pieces of authentication information by the host device. The pieces of authentication information are generated based on the challenge information and secret key information stored in the NVM device.
    Type: Grant
    Filed: May 23, 2012
    Date of Patent: July 5, 2016
    Assignee: Samsung Electronics Co., Ltd
    Inventors: Bo-Gyeong Kang, Moon-Sang Kwon
  • Patent number: 9240979
    Abstract: A method and apparatus for providing an automated key distribution to enable communication between two networked devices. A monitoring device receives a request from a network device to send a certificate using a second secure connection prior to an expiration of a timeout period, wherein the second secure connection was created using a known port in response to determining that a request to create a first secure connection was rejected. The monitoring device sends the certificate to the network device using the second secure connection, and establishes the first secure connection with the network device in response to the network device receiving the public key of the monitoring device from a server system by using the certificate.
    Type: Grant
    Filed: January 17, 2014
    Date of Patent: January 19, 2016
    Assignee: Red Hat, Inc.
    Inventor: James Paul Schneider
  • Patent number: 9152794
    Abstract: A method relating generally to generating a boot image, as performed by an information handling system, for an embedded device is disclosed. This method includes a public key obtained by a boot image generator. A first hash for the public key is generated by the boot image generator. The first hash is provided to a signature generator. A first signature for the first hash is generated by the signature generator. A first partition for the boot image is obtained by the boot image generator. A second hash for the first partition is generated by the boot image generator. The second hash is provided to the signature generator. A second signature for the second hash is generated by the signature generator. The boot image generator and the signature generator are programmed into the information handling system. The boot image includes the public key, the first signature, and the second signature. The boot image is output from the information handling system.
    Type: Grant
    Filed: September 5, 2013
    Date of Patent: October 6, 2015
    Assignee: XILINX, INC.
    Inventors: Lester S. Sanders, Yatharth K. Kochar
  • Patent number: 9076000
    Abstract: An authentication device includes circuitry that holds L (L≥2) secret keys si (i=1 to L) and L public keys yi that satisfy yi=F(si) with respect to a set F of multivariate polynomials of n-th order (n≥2). The circuitry also performs with a verifier, an interactive protocol for proving knowledge of (L−1) secret keys si that satisfy yi=F(si). The circuitry receives L challenges from the verifier, arbitrarily selects (L−1) challenges from the L challenges received. The circuitry also generates, by using the secret keys si, (L−1) responses respectively for the (L−1) challenges selected, and transmits the (L−1) responses generated.
    Type: Grant
    Filed: July 12, 2011
    Date of Patent: July 7, 2015
    Assignee: Sony Corporation
    Inventors: Koichi Sakumoto, Taizo Shirai, Harunaga Hiwatari
  • Patent number: 9026794
    Abstract: An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing a content stored in the medium; with the playing apparatus being configured to selectively activate a playing program according to a content type to be played, to obtain a device certificate correlated with the playing program from storage by executing the playing program, and to transmit the obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: May 5, 2015
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Hiroshi Kuno, Takamichi Hayashi
  • Publication number: 20150121077
    Abstract: A method and an apparatus for controlling a lock state of an electronic device, and a system therefor are provided. The method includes signing a lock state update request by using a unique key loaded in a confidence region of the electronic device when a lock state change is requested, generating a lock state control request message including the lock state update request, the signed lock state update request, and a certificate of the electronic device, transmitting the generated lock state control request message to a service provider server, and authenticating a lock state update command in a communication processor of the electronic device and updating a state of the communication processor according to the lock state update command when the lock state update command is received from the service provider server.
    Type: Application
    Filed: October 24, 2014
    Publication date: April 30, 2015
    Inventors: Bumhan KIM, Chankyu HAN, Michael PARK
  • Patent number: 9021572
    Abstract: A method of anonymous access to a service, comprising the allocation, by at least one certifying entity, of a plurality of certificates to a user entity, the certificates being calculated on the basis of at least one attribute associated with the user entity, the calculation, by the user entity, of an aggregated certificate on the basis of a plurality of certificates among the certificates allocated to the user entity, the calculation, by the user entity, of a proof of knowledge of the aggregated certificate and a verification, performed by a verifying entity, of at least one of these certificates by means of said proof of knowledge, the access to the service being provided by the verifying entity to the user entity as a function of the result of this verification.
    Type: Grant
    Filed: December 19, 2011
    Date of Patent: April 28, 2015
    Assignee: Orange
    Inventors: Sébastien Canard, Roch Lescuyer
  • Patent number: 9021566
    Abstract: A web server authenticates a user with a web client using a database user table and provides a list of new applications, suspended application sessions, and running application sessions. In response to a request for a new application session, a connection is made from an agent server to an application server hosting the requested application, and connection information including a unique session_ID is added to a database session table such that the client can send a user selection for a session_ID to the web server, which associates the requested session_ID to an existing suspended or running application session using the connection database. For additional security, the client is determined to be trusted or untrusted, and if untrusted, connections to the client are made through a forwarding host, which makes connections to the agent server, and the agent server maintains persistent connections from the agent server to the application server.
    Type: Grant
    Filed: October 19, 2012
    Date of Patent: April 28, 2015
    Assignee: Starnet Communications Corporation
    Inventors: Panagiotis Panayotopoulos, Martin Porcelli, Steven Schoch
  • Patent number: 9015821
    Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.
    Type: Grant
    Filed: July 26, 2013
    Date of Patent: April 21, 2015
    Assignee: International Business Machines Corporation
    Inventors: Sara H. Basson, Dimitri Kanevsky, Edward E. Kelley, Irina Rish
  • Patent number: 9015817
    Abstract: A computer system receives a request to access a server. The request includes a first device tag set. When the first device tag set matches a previously assigned device tag set, the computer system allows access to the server without requesting full access credentials of a user. The computer system invalidates the first device tag set, and sends a second device tag set. When the first device tag set does not match the previously assigned device tag set, the computer system requests full access credentials from the user.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: April 21, 2015
    Assignee: Symantec Corporation
    Inventors: Mingliang Pei, Liyu Yi, Ajay Ramamurthy, Mark Chan, Salil Sane