Global (e.g., Single Sign On (SSO), etc.) Patents (Class 726/8)
  • Patent number: 11509644
    Abstract: Various systems and methods of establishing a trusted pairing relationship between IoT devices, through the exchange of authentication service proof of possession tokens, are described herein. In an example, a trusted pairing relationship is established between IoT devices, through access control and credential resources based on communication via intermediary devices and services. The IoT devices may request or receive access to or information from a resource based on the trusted relationship.
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: November 22, 2022
    Assignee: Intel Corporation
    Inventor: Ned M. Smith
  • Patent number: 11509641
    Abstract: Techniques are disclosed relating to a computer system accessing a client credential set to authenticate with a destination computer system. A computer system may, subsequent to receiving an indication to make available an application for a particular user, retrieve configuration data specifying a reference to a key value. The computer system may maintain a data object that includes a client credential set for the particular user. In response to an occurrence of an event associated with the application, the computer system may access the client credential set of the particular user from the data object using the key value and an indication of the particular user. The computer system may then send a request including the client credential set to a destination computer system for authentication with the destination computer system and receive a response indicating whether the computer system has been authenticated.
    Type: Grant
    Filed: January 11, 2021
    Date of Patent: November 22, 2022
    Assignee: salesforce.com, inc.
    Inventors: Kyle Edward Heldman, Douglas Christopher Wilson, Jackson Gregory Reed, Kyle Warren Apple, Jacob Andrew Richwine
  • Patent number: 11502833
    Abstract: Apparatuses, methods, systems, and program products are disclosed for secure data handling and storage. An apparatus includes a lock module that receives a request to decrypt encrypted data that is stored in a data repository, the encrypted data encrypted using a first encryption key, and unlocks an encryption engine in response to the request. An encryption engine may be unlocked using a master key that is generated based on combination of a plurality of keys held by a plurality of key holders. An apparatus includes a decryption module that decrypts encrypted data using an encryption engine. Encrypted data may be decrypted using a first encryption key. An apparatus includes an encryption module that re-encrypts decrypted data using an encryption engine. Decrypted data may be re-encrypted with a second encryption key that is different than a first encryption key and stored in a data repository.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: November 15, 2022
    Assignee: MX TECHNOLOGIES, INC.
    Inventors: Brandon Dewitt, Matt Hillary, Devin Christensen, John Atkinson, George Lambson
  • Patent number: 11496465
    Abstract: Methods and systems are described for verifying an identity of a user through contextual knowledge-based authentication. The system described uses contextual knowledge-based authentication. By verifying an identity of a user through contextual knowledge-based authentication, the verification is both more secure and more intuitive to the user. For example, by relying on confidential and/or proprietary information, the system may generate verification questions, the answers to which are known only by the user.
    Type: Grant
    Filed: September 2, 2020
    Date of Patent: November 8, 2022
    Assignee: Capital One Services, LLC
    Inventors: Matt Davis, Pranav Khanna, Paul Melby
  • Patent number: 11496565
    Abstract: Techniques are described for providing a multi-service storage layer in a cloud provider network for applications and workloads that are highly sensitive to outages affecting “mission critical” data or other resources. A multi-service storage layer is designed to provide additional resiliency against various types of correlated failures among existing geographic regions by enabling the storage of data using a plurality of separate storage services and storage resource types and across a plurality of regions of the cloud-provider network. A multi-service storage layer provides an application programming interface (API) with actions for storing, retrieving, and querying data stored in a highly available storage resource across a selection of underlying storage services.
    Type: Grant
    Filed: March 13, 2020
    Date of Patent: November 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jacob Adam Gabrielson, Joshua M Burgin
  • Patent number: 11496580
    Abstract: The systems and methods described herein can enable the indirect transmission of session data between different domains. The system can pass the session data through a hashing function so that the data from a given domain remains private and secure to the specific domain. The system can generate clusters of associated domains for a given client device that the system can use to maintain a session between the client device and the domain.
    Type: Grant
    Filed: July 12, 2021
    Date of Patent: November 8, 2022
    Assignee: Google LLC
    Inventors: Gang Wang, Sagnik Nandy
  • Patent number: 11487865
    Abstract: A method for facilitating credential management in a Structured Query Language (SQL) Server Integration Services (SSIS) environment is provided. The method includes identifying a credential update trigger event; accessing a user credential at an electronic password vault (EPV) in response to the credential update trigger event, the user credential including at least one string; parsing the user credential to identify a username and a password that are associated with the user credential; splitting the user credential into the username and the password; updating the password; and storing the updated password in a SSIS database.
    Type: Grant
    Filed: June 24, 2020
    Date of Patent: November 1, 2022
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventor: Jason Harmon
  • Patent number: 11489859
    Abstract: A system and method for retrieving and extracting security information is provided. The method includes (i) extracting seed Uniform Resource Locators (URLs) from social media based on keywords that are identified for each sub-domain, (ii) crawling a security related content in the extracted seed URLs to determine relevant URLs that are related to a security domain from the extracted seed URLs, (iii) classifying the security related content into sub-domains of security to obtain domain coverage, (iv) extracting text that include acronyms from the relevant URLs, (v) automatically evolving a security ontology based on extracted text using a Long Short-Term Memory (LSTM) deep Learning model, (vi) ranking search results by accessing credibility of the URLs that include the security related content based on domain relevance and (vii) providing the ranked search results that includes trends.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: November 1, 2022
    Inventors: Y Raghu Babu Reddy, Lalit Mohan Sanagavarapu, Vasudeva Varma
  • Patent number: 11490161
    Abstract: An electronic device for providing geolocation independent content rights management includes a non-transitory storage medium and a processing unit. The processing unit executes instructions stored in the non-transitory storage medium to receive a request for content from a content access device and, if the content access device is registered to an account associated with a geolocation, provides access to the content. In some implementations, the processing unit may determine if the content access device is registered using a token corresponding to the request. In various implementations, the processing unit may verify that one or more digital rights management and/or persistence policies allow the access, such as where access may be provided to one copy of the content at a time.
    Type: Grant
    Filed: September 27, 2021
    Date of Patent: November 1, 2022
    Assignee: T-MOBILE USA, INC.
    Inventor: Charles Hasek
  • Patent number: 11489831
    Abstract: A communication system is provided, the communication system including an authenticating unit that authenticates a plurality of communication terminals based on a single user ID, and keeps the plurality of communication terminals logged into an information providing service. A storing unit that stores therein provider registration information including a plurality of pieces of provider information that indicate providers of respective pieces of data being displayed on each communication terminal among the plurality of communication terminals. A receiving unit receives designation information that designates the provider registration information. A transmitting unit transmits each piece among the plurality of pieces of provider information to each communication terminal among the plurality of communication terminals so as to cause each communication terminal among the plurality of communication terminals to display data provided by a provider indicated by a plurality of pieces of provider information.
    Type: Grant
    Filed: August 3, 2020
    Date of Patent: November 1, 2022
    Assignee: e-Jan Networks Co.
    Inventors: Shiro Sakamoto, Kumar Karvepaku, Daisuke Yanagisawa, Shinji Kusuki
  • Patent number: 11483897
    Abstract: The present disclosure relates to a communication technique and system for combining 5G communication systems with IoT technologies to achieve a higher data rate beyond 4G systems. The present disclosure can be applied to intelligent services (e.g., smart homes, smart buildings, smart cities, smart or connected cars, healthcare, digital education, retail businesses, and security and safety related services) on the basis of 5G communication technologies and IoT related technologies. As an embodiment of the present specification, there is provided a method of signal transmission and reception for a user equipment (UE) in a mobile communication system. The method may include: receiving first information for providing a service from a service providing server; receiving second information for managing a session associated with the service from the service providing server; and sending a signal to the service providing server on the basis of the first information and the second information.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: October 25, 2022
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Songyean Cho, Sangsoo Jeong, Hyejeong Kim, Yunsang Park
  • Patent number: 11483396
    Abstract: Examples described herein may include a playback device receiving, from a control device, a validation-key that includes an application identifier corresponding to a controller application. The playback device may create a session identifier and transmit the session identifier to the control device. The playback device may receive, from the control device, a playback request comprising the session identifier and a playback command. The playback device may determine that the session identifier is valid and then execute the playback command. A computing system may receive identification information related to a controller application and generate the validation-key based on the controller application meeting at least one quality-control metric. The controller application may receive the validation-key from the computing system.
    Type: Grant
    Filed: November 8, 2021
    Date of Patent: October 25, 2022
    Assignee: Sonos, Inc.
    Inventor: Andrew Schulert
  • Patent number: 11477210
    Abstract: A mounting machine management system in which a management server, a terminal device, and a mounting machine are connected via a communication network such that communication is possible. The management server is provided with an authorization ID transmitting device configured to transmit an authorization ID that allows operation required for adjustment of the mounting machine to the terminal device and the mounting machine. The mounting machine is provided with an authorization ID acquiring device configured to acquire the authorization ID that the terminal device received from the management server, and an operation permitting device configured to allow the operation required for adjustment of the mounting machine in a case in which the authorization ID acquired by the authorization ID acquiring device matches the authorization ID that the mounting machine received from the management server.
    Type: Grant
    Filed: May 11, 2017
    Date of Patent: October 18, 2022
    Assignee: FUJI CORPORATION
    Inventor: Naohiro Kato
  • Patent number: 11475171
    Abstract: Techniques are provided for authentication using pairwise secrets constructed from partial secrets. One method comprises obtaining, by a first entity of a communication between the first entity and a second entity, partial secrets associated with the first and second entities; generating a constructed secret for the communication by applying a cryptographic function to the partial secrets associated with the first and second entities; and authenticating the communication using the constructed secret. A control entity may assign a substantially unique partial secret to each of multiple first and second entities and distribute at least a subset of the assigned partial secrets to at least some of the first and second entities. A communication between given first and second entities can be authenticated using a pairwise constructed secret for the given communication generated by applying the cryptographic function to the partial secrets associated with the first and second entities.
    Type: Grant
    Filed: August 17, 2020
    Date of Patent: October 18, 2022
    Assignee: EMC IP Holding Company LLC
    Inventors: Shoham Levy, Yoav Nir
  • Patent number: 11470167
    Abstract: A method and an apparatus for generating information are provided. The method may include determining identity-related information corresponding to at least one account identification according to historical upload information; determining an account relationship matrix between the at least one account identification based on the identity-related information corresponding to the at least one account identification; obtaining a probability transfer matrix according to the account relationship matrix; calculating importance degree information of the at least one account identification based on the probability transition matrix and a predetermined initial importance degree vector. This embodiment determines the importance degree of each of the plurality of account identities based on the identity-related information.
    Type: Grant
    Filed: July 10, 2020
    Date of Patent: October 11, 2022
    Assignee: BEIJING BAIDU NETCOM SCIENCE AND TECHNOLOGY CO., LTD.
    Inventor: Shouwei He
  • Patent number: 11463428
    Abstract: A method, a non-transitory computer readable medium, and a system are disclosed for user registration with mirrored identities to achieve federation without on-premises identities. The method including: forwarding, from a computer processor, a password-based authentication request for a user to an active directory for access to cloud services; receiving, on the computer processor, a cloud authentication from the active directory for the user; piggybacking, on the computer processor, the cloud authentication for the user from the active directory with a FIDO2 registration to an authentication server; requesting, by the computer processor, an application or service from a cloud provider with the cloud authentication for the user from the FIDO2 registration; and receiving, on the computer processor, the application or service from the cloud provider.
    Type: Grant
    Filed: March 30, 2020
    Date of Patent: October 4, 2022
    Assignee: KONICA MINOLTA BUSINESS SOLUTIONS U.S.A., INC.
    Inventor: Rahul Suraparaju
  • Patent number: 11462095
    Abstract: A security system includes a physical sensor for determining presence of a first number of users within a detecting region, short-range readers for determining presence of a second number of authorized smart devices in response to ephemeral tokens, wherein the users may remain anonymous to the short-range readers, authentication servers for determining ephemeral tokens for smart devices in response to identifiers of the readers and the smart devices, a physical output device configured to provide a user detectable output, and a processor for determining whether the first number of users is different from the second number and for directing the physical output device to provide the user detectable output.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: October 4, 2022
    Assignee: Proxy, Inc.
    Inventors: Denis Mars, Simon Ratner
  • Patent number: 11457002
    Abstract: In one embodiment, a computer-implemented method of a DP accelerator performing an encryption or decryption operation includes receiving, by the DP accelerator, a command and input data for the DP accelerator to encrypt or decrypt. The command is one of: encrypt the input data or decrypt the input data. The method further includes encrypting, or decrypting, by the DP accelerator, the input data according to the command; and providing the encrypted or decrypted input data to the host device. The host device and DP accelerator may exchange one or more keys and such keys can be used to establish a secure link between the host device and DP accelerator and/or to use for encryption or decryption. One or more of the keys may be based upon a root key or key pair of the DP accelerator and can be stored in a secure storage of a security unit of the DP accelerator.
    Type: Grant
    Filed: October 10, 2019
    Date of Patent: September 27, 2022
    Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
    Inventors: Yong Liu, Yueqiang Cheng
  • Patent number: 11442990
    Abstract: A system and method for transforming input data in a data graph is structured in such a way that it does not destroy embedded contextual data yet also keeps the number of edges in the data graph sufficiently small in number that computation with respect to the data in the data graph is feasible with existing computational resources on extremely large graph sets. Incoming data is represented as a collection of “cliques” rather than placing each data object into its own node in the graph database. Maintaining the clique structure through the graph build pipeline dramatically reduces the exponential increase in the number of edges in the graph, while also maintaining all of the contextual data presented on the input record.
    Type: Grant
    Filed: April 6, 2021
    Date of Patent: September 13, 2022
    Assignee: LiveRamp, Inc.
    Inventors: Adam Zimmerman, Dwayne Collins, Pavan Marupally
  • Patent number: 11443025
    Abstract: A single sign-on system using blockchain is disclosed. The single sign-on system may interconnect various organization systems over a peer-to-peer network, with each organization system having a blockchain node and an application programming interface (API). The blockchain node invokes and uses a smart contract to write registration credentials to the blockchain during a registration process. During a login process, the blockchain node invokes the smart contract to determine whether login credentials match stored login credentials in the blockchain. In response to matching login credentials, the API may generate a single sign-on token that can be used by a user device to access one or more organization systems connected over the network.
    Type: Grant
    Filed: March 31, 2020
    Date of Patent: September 13, 2022
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC
    Inventors: Balaji Balaraman, Andras L. Ferenczi, Dallas L. Gale, Nilesh Yashavant Jadhav, Harish R. Naik
  • Patent number: 11429708
    Abstract: Techniques for authentication for online content using an access token are described. According to various embodiments, online content (e.g., webpages and other types of web content) can be served across a variety of different online resources. According to one or more embodiments, an access token is leveraged to enable a user to authenticate with multiple different distributed content resources for access to online content, and without requiring the user to input authentication credentials for each of the content resources.
    Type: Grant
    Filed: July 31, 2019
    Date of Patent: August 30, 2022
    Assignee: Adobe Inc.
    Inventor: Antonio Sanso
  • Patent number: 11397821
    Abstract: A remote access control system includes a remote access control apparatus and a communication relay apparatus. The remote access control apparatus is configured to establish a predetermined communication session with the communication relay apparatus through predetermined connection target information obtaining processing performed by active connection to the remote access control apparatus from the communication relay apparatus, to transmit a secure communication connection start command to the communication relay apparatus, to receive a secure communication connection request from the communication relay apparatus to perform processing for establishing a first secure communication session, and to receive a secure communication connection request from the user apparatus based on the result of the establishment of the first secure communication session to perform processing for establishing a second secure communication session.
    Type: Grant
    Filed: March 28, 2018
    Date of Patent: July 26, 2022
    Assignees: KABUSHIKI KAISHA TOSHIBA, TOSHIBA DIGITAL SOLUTIONS CORPORATION
    Inventors: Toshiharu Oya, Tatsuyuki Matsushita, Tatsuro Ikeda, Fangming Zhao
  • Patent number: 11394724
    Abstract: Disclosed herein is an identity network that can provide a universal, digital identity for users that can be used to authenticate the user by an identity provider for relying parties. The identity network receives a request from a relying party that includes deep linking to an identity provider selected by the user. The request specifies the user as well as any other information about the user the relying party is requesting. A service of the identity network launches the application for the identity provider on the user's device using a software development kit. The user can log into the identity provider's application, which validates the user and provides the user authentication/validation and information about the user to the identity network. The identity network can then provide the indication of the user's authentication and the user information to the relying party.
    Type: Grant
    Filed: June 22, 2020
    Date of Patent: July 19, 2022
    Inventors: Gregory Slowiak, Eric Woodward, Philip Lam, Jeff Shultz
  • Patent number: 11394788
    Abstract: Systems and methods for building a device graph for cooperative device identification are disclosed. Various information is received at a computing system over a communications network, including information defining a relationship between (i) a unique identifier associated with a first device of a user and (ii) a unique identifier associated with the user, and information defining a relationship between (i) a unique identifier associated with a second device of the user and (ii) the unique identifier associated with the user. The unique identifiers associated with the devices are each mapped to the platform-wide identifier based at least in part on the unique user identifier. A device graph comprising a plurality of device nodes is constructed, with related device nodes connected by one or more edges. Nodes representing the devices are linked based on a relationship identified between them using the platform-wide identifier.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: July 19, 2022
    Assignee: Xandr Inc.
    Inventors: Stephen Williams, Scott Menzer
  • Patent number: 11379574
    Abstract: Techniques for secure mobile device recognition are disclosed. An IOT edge device determines, based on a network message received at the IOT edge device, that a mobile device is not recognized. The IOT edge device transmits a token request to the mobile device. In response, the IOT edge device receives an encrypted token from the mobile device. The IOT edge device transmits the encrypted token to a server. The server is configured to determine an identifier corresponding with the mobile device, based on the encrypted token. A recognition task is initiated for the mobile device, based on the determined identifier.
    Type: Grant
    Filed: January 2, 2020
    Date of Patent: July 5, 2022
    Assignee: Disney Enterprises, Inc.
    Inventors: Scott F. Watson, Steven C. Eaton, Harout Jarchafjian, Thomas C. Arthur, Vinay Moharil, Joshua B. Gorin, Adam S. Parish, Ajay M. Prasad, Joshua Caleb Umstead
  • Patent number: 11374919
    Abstract: A risk management system deploys an anomaly detection method for a target data instance without explicitly storing data processing architectures in memory. The anomaly detection method determines whether the target data instance is an anomaly with respect to a reference set of data instances. In one embodiment, the anomaly detection method mimics traversal through one or more trees in an isolation forest without explicitly constructing or storing the trees of the isolation forest in memory. This allows the risk management system to avoid unnecessary storage and retrieval of parts of each tree that would not be traversed if the tree were constructed. Moreover, the anomaly detection method allows anomaly detection to be efficiently performed within memory-constrained systems.
    Type: Grant
    Filed: November 18, 2020
    Date of Patent: June 28, 2022
    Assignee: Okta, Inc.
    Inventor: Christopher Gabriel Leung
  • Patent number: 11368461
    Abstract: Systems and methods for transforming an API authorization to a UX session are provided. An authorization server receives, from a third-party application developed by a third-party, a request to access a user experience (UX) session on behalf of a user. The request comprises an access token previously granted by the authorization server to the third-party application in response to consent, by the user, to allow the third-party application to perform actions on behalf of the user. In one embodiment, this previous authorization comprises an Open Authorization (OAuth). In response to receiving the request, the authorization server transforms the access token into a single sign on (SSO) link with a session token. The authorization server then returns the SSO link that includes the session token to the third-party application hosted by the third-party. The SSO link causes the third-party application to redirect the user to the UX session corresponding to the SSO link.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: June 21, 2022
    Assignee: eBay Inc.
    Inventors: Gail Anna Rahn Frederick, Tatjana Vlahovic
  • Patent number: 11368841
    Abstract: Embodiments of the present disclosure provide a network access authentication method and device. The method includes: receiving an authentication request message sent by a first serving network, the authentication request message carrying a user equipment alias identifier generated by user equipment; determining whether a local user equipment alias identifier is asynchronous with the user equipment alias identifier generated by the user equipment; and when the determination result is positive, obtaining an encrypted International Mobile Subscriber Identification Number IMSI for performing network access authentication on the user equipment.
    Type: Grant
    Filed: July 25, 2017
    Date of Patent: June 21, 2022
    Assignee: ZTE Corporation
    Inventors: Shilin You, Hongjun Liu, Jiyan Cai, Zaifeng Zong, Jin Peng, Zhaoji Lin, Yunyin Zhang
  • Patent number: 11360716
    Abstract: An image processing apparatus receives, in a case where a plurality of cloud services is managed in association with one input confirmation code, an input of a display name to be displayed in the image processing apparatus and an input of an identification code for each cloud service at a time when the cloud service is selected to be used in the image processing apparatus, and stores a display name and an identification code in association with each other for each cloud service.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: June 14, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takeshi Hayakawa
  • Patent number: 11356454
    Abstract: A system provides cloud-based identity and access management. The system receives a request for an identity management service, authenticates the request, and forwards the request to a microservice configured to perform the identity management service, where the microservice is implemented by a microservice virtual machine provisioned by a provisioning framework, and the forwarding is according to routing information configured based on metadata information stored in a registry by the provisioning framework. The system then performs the identity management service by the microservice.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: June 7, 2022
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventors: Lokesh Gupta, Vadim Lander
  • Patent number: 11349830
    Abstract: In an implementation of identifying related computing devices for automatic user account login, a login request to a user account that includes a unique identification (ID) of a user computing device and an internet protocol (IP) address of the user computing device are received. One or more user computing devices that have logged in to the user account using a same IP address as the user computing device are identified based on a user ID of the user account and the unique ID of the user computing device. Whether one or more unique IDs corresponding to the one or more user computing devices that have logged in to the user account are correlated with the unique ID of the user computing device is determined. If yes, data corresponding to login information used by the one or more user computing devices to log in to the user account to the user computing device for automatic account login are sent.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: May 31, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Tengfei Fang
  • Patent number: 11347859
    Abstract: Systems and methods are provided that may be implemented during a pre-boot environment to authenticate a user in the basic input/output system (BIOS) of an information handling system, and to securely provision a resulting authentication token to post-boot operating system (OS) login components of the system. In addition, single sign-on user authentication may be performed during a pre-boot BIOS environment and then extended to the post-boot OS environment without requiring exchange of pins or other intermediary authentication factors between the OS and pre-boot authentication (PBA) for the user to gain access to the information handling system or other network resources.
    Type: Grant
    Filed: August 1, 2019
    Date of Patent: May 31, 2022
    Assignee: Dell Products L.P.
    Inventors: Minhaj Ahmed, Daniel L. Hamlin
  • Patent number: 11336655
    Abstract: Systems and methods provide multilevel authorization of workspaces using certificates, where all of the authorization levels may be authorized separately or may instead be authorized at once. A measurement of an IHS (Information Handling System) is calculated based on the identity of the IHS and based on firmware of the IHS. A measurement of the configuration of the IHS is calculated based on information for configuring the IHS for supporting workspaces and also based on the IHS measurement. A measurement of a workspace session is calculated based on properties of a session used to remotely support operation of the workspace by the IHS and also based on the configuration measurement. Workspace session data may be authorized at all three levels by evaluating the session measurement against a reference session measurement.
    Type: Grant
    Filed: October 31, 2019
    Date of Patent: May 17, 2022
    Assignee: Dell Products, L.P.
    Inventors: Carlton A. Andrews, Girish S. Dhoble, Nicholas D. Grobelny, David Konetski, Joseph Kozlowski, Ricardo L. Martinez, Charles D. Robison
  • Patent number: 11334287
    Abstract: A computer system having a host in communication with a data storage device is coupled to the host via a peripheral bus and a host interface. The data storage device has a controller, non-volatile storage media, and firmware containing instructions that configure the operations of the controller. The host transmits a sequence of commands to the storage device to read data items from, or write data items to, the non-volatile storage media. The storage device examines a subset of the commands to determine whether or not data items identified in the subset are addressed sequentially and optimizes processing of at least a portion of the sequence of commands based on a result of a determination of whether or not data items identified in the subset are addressed sequentially.
    Type: Grant
    Filed: February 9, 2018
    Date of Patent: May 17, 2022
    Assignee: Micron Technology, Inc.
    Inventor: Alex Frolikov
  • Patent number: 11329970
    Abstract: Systems and methods for sharing authentication between applications include receiving a request to share authentication from a first application with a second application. An account identifier and identity token for a user are obtained from the first application. Access to a communication application associated with the account identifier is verified as available. The account identifier and identity token are sent to a second application server for verification with a first application server. A verification message is received in the communication application from the second application server. The verification message is determined to contain confirmation information and authentication is shared from the first application with the second application. Related systems and methods include retrieving information associated with an operating system to facilitate sharing authentication between applications.
    Type: Grant
    Filed: June 21, 2019
    Date of Patent: May 10, 2022
    Assignee: PAYPAL, INC.
    Inventor: Jigar Rajnikant Gosalia
  • Patent number: 11330441
    Abstract: A system including: a transceiver; a boot processor configured to: capture an image of a container of the system, determine whether the system container image has been modified, and post, to a node of a distributed ledger network, a first attestation based on a determination of whether an anomaly exists in the system container image; a system processor; and a memory storing instructions that instruct the system processor to: receive a request to connect to an external device, request a second attestation from a node of the distributed ledger network as to whether an anomaly exists in the external device container image, determine whether an anomaly exists in the external device container image, and either: establish, in response to determining that an anomaly does not exist, a connection with the external device, or deny the request to connect to the external device in response to determining that an anomaly exists.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: May 10, 2022
    Assignee: T-Mobile USA, Inc.
    Inventor: Ahmad Arash Obaidi
  • Patent number: 11328089
    Abstract: An approach is disclosed that enforces a privacy legal framework filesystem along with an operating system (OS) to enforce the privacy legal framework. An access of a datum in a selected file in the filesystem includes accessing a metadata associated with the selected file where the metadata includes a privacy state and an owner consent-based access policy. The owner consent-based access policy is enforced by the OS via special-purpose support requiring usage of the metadata to access the selected file.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: May 10, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Aris Gkoulalas-Divanis, Corville O. Allen
  • Patent number: 11321712
    Abstract: A system and method for issuing an authorization token and performing real time multi-factor authentication using a unique device or devices to enable authorization to perform secure services for an online service based on desired on demand level of assurance. The level of assurance of the authentication may be on a distributed and dynamic authenticated system. This dynamic system delivers on-demand level of assurance depending on the Relying Party's (RP) requirements, orchestrated by policies set by the RP and/or the consumer (or user agent), and possibly augmented by other regulatory requirement based on a fine-grain control requirement of the authentication token(s). The level of assurance throttles up and down depending on each transaction authentication requirement.
    Type: Grant
    Filed: February 24, 2020
    Date of Patent: May 3, 2022
    Assignee: Acceptto Corporation
    Inventors: Nahal Shahidzadeh, Haitham Akkary
  • Patent number: 11323416
    Abstract: In one embodiment, a method includes receiving an OSPF hello message including an attestation token from a second network apparatus, determining that the attestation token is valid for the second network apparatus at a current time, establishing an adjacency to the second network apparatus in response to the determination, computing, based at least on the attestation token, a trust level for a first link from the first network apparatus to the second network apparatus and a trust level for first prefixes associated with the first link, and sending an LSA comprising the trust level for the first link and the trust level for the first prefixes to neighboring network apparatuses, where the trust level for the first link and the trust level for the prefixes are used by the network apparatuses in the network to compute a routing table of the network.
    Type: Grant
    Filed: November 5, 2019
    Date of Patent: May 3, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Peter Psenak, Paul Wells, Ketan Jivan Talaulikar, Clarence Filsfils
  • Patent number: 11316689
    Abstract: A token relay system is provided that enables a client requester to acquire a properly scoped access token issued by a token issuer authority in a secure manner. The client requester may be a non-confidential client (e.g., a JavaScript application). The token relay system is a trusted and confidential client of the token issuer authority. Upon receiving an access token request from a client, the token relay system is configured to send a request to the token issuer authority (e.g., OAuth server) requesting an access token on behalf of the requester. The token issuer authority may then respond by issuing an access token with the appropriate scope to the token relay system. The token relay system may then forward the access token received from the token issuer to the requesting client, who may then use the access token to access a protected resource (e.g., a REST resource).
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: April 26, 2022
    Assignee: Oracle International Corporation
    Inventors: Venkataraman Uppili Srinivasan, Andre Luiz Moreira Correa Neto, Lee David Coller
  • Patent number: 11310256
    Abstract: Embodiments are directed to monitoring network traffic using network monitoring computers (NMCs). Networks may be configured to protect servers using centralized security protocols. Centralized security protocols may depend on centralized control provided by authentication control servers. If a client intends to access protected servers it may communicate with the authentication control server to obtain keys that enable it to access the requested servers. NMCs may monitor network traffic of the centralized security protocol to collect metrics associated with the control servers, clients, or resource servers.
    Type: Grant
    Filed: September 23, 2021
    Date of Patent: April 19, 2022
    Assignee: ExtraHop Networks, Inc.
    Inventors: Benjamin Thomas Higgins, Jeff James Costlow, John Gemignani, Jr., Michael Kerber Krause Montague, Eric James Rongo, Xue Jun Wu
  • Patent number: 11297048
    Abstract: A proxy server receives a synchronization request from an application program resident on a user device. The proxy server determines that the user device requires removal of application program data and synchronizes the application program resident on the user device with a null account that is associated with the application program.
    Type: Grant
    Filed: November 9, 2020
    Date of Patent: April 5, 2022
    Assignee: Bitglass, LLC
    Inventors: Anurag Kahol, Anoop Kumar Bhattacharjya, Balas Natarajan Kausik
  • Patent number: 11297040
    Abstract: This document describes, among other things, security hardening techniques that guard against certain client-side attack vectors. These techniques generally involve the use of an intermediary that detects and handles identity service transactions on behalf of a client. In one embodiment, the intermediary establishes a resource domain session with the client in order to provide the client with desired resource domain content or services from a resource domain host. The intermediary detects when the resource domain host invokes a federated identity service as a condition of client access. The intermediary handles the identity transaction in the identity domain on behalf of the client within the client's resource domain session. Upon successful authentication and/or authorization with an IdP, the intermediary connects the results of the identity services domain transaction to the resource domain.
    Type: Grant
    Filed: May 1, 2019
    Date of Patent: April 5, 2022
    Assignee: Akamai Technologies, Inc.
    Inventor: Jason C. Bonci
  • Patent number: 11297057
    Abstract: Embodiments of the present disclosure relate to methods and devices for an authentication of an identity of a user. In example embodiments, the client device reads a digital tag associated with a service to be accessed, the digital tag being encoded with an identifier associated with a service provider that provides the service. The client device then decodes the digital tag to obtain the identifier. Further, the client device determines an authentication proxy associated with the service provider, and sends, to the associated authentication proxy, the identifier and a first request for an authentication of an identity of a user associated with the client device. In this way, the security of the authentication of the identity of the user may be significantly improved.
    Type: Grant
    Filed: November 28, 2017
    Date of Patent: April 5, 2022
    Assignee: Nokia Technologies Oy
    Inventor: Zhi Wang
  • Patent number: 11283612
    Abstract: An information processing device according to the present invention includes: a memory storing instructions; and at least one processor configured to execute the instructions to perform: acquiring a first time; generating, based on the first time, a term of validity of a first access token, and generating a policy including the first access token, the term of validity, and identification information of a receiver of the first access token; generating a digital signature, based on the policy; generating a second access token including the policy and the digital signature; and transmitting the second access token to another device.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: March 22, 2022
    Assignee: NEC CORPORATION
    Inventors: Hikaru Tsuchida, Kengo Mori, Toshiyuki Isshiki
  • Patent number: 11283787
    Abstract: A method, system, and computer program product for implementing computer resource provisioning is provided. The method includes receiving a first request for identification credentials associated with a user. In response, resource identification credentials for the user are generated and a second request for generating a first computer resource is received in response to analyzing the resource identification credentials. The resource identification credentials are validated with respect to a local ID cache structure and it is determined if the resource identification credentials are available for usage by the user. In response, a resource implementation process is executed.
    Type: Grant
    Filed: April 13, 2020
    Date of Patent: March 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Astha Jain, Zack Traube Grossbart
  • Patent number: 11271936
    Abstract: A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: March 8, 2022
    Assignee: Snowflake Inc.
    Inventors: Polita Paulus, Peter Povinec, Saurin Shah, Srinidhi Karthik Bisthavalli Srinivasa
  • Patent number: 11265309
    Abstract: Disclosed are various approaches for workflow service back end integration. In some examples, an event is detected. The event is associated with an enterprise. A workflow action to perform is identified based on the event. A user account is identified using at least one of the workflow action and the event. A command to present the workflow action is transmitted to a client device. A user indication to perform the workflow action is identified. Authentication data for the network service is identified based on a single sign-on (SSO) token associated with the user account. The workflow action is automatically performed using the network service. An authentication with the network service is completed based on the authentication data.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: March 1, 2022
    Assignee: VMWARE, INC.
    Inventors: Daniel E. Zeck, David Shaw, Robert Worsnop, John Ryan Bard
  • Patent number: 11265308
    Abstract: Disclosed are various approaches for workflow service back end integration. In some examples, a data request is received. The request is associated with a network service. A single sign-on (SSO) token is received. The SSO token represents a user account authenticated with an identity manager. Authentication data for the network service is identified based on the SSO token. The authentication data can specify an authentication site of the network service. A navigation action is automatically performed on the authentication site. The requested data is received. A command to present on a client device the data is transmitted to the client device.
    Type: Grant
    Filed: March 29, 2019
    Date of Patent: March 1, 2022
    Assignee: VMWARE, INC.
    Inventors: Daniel E. Zeck, David Shaw, Robert Worsnop, John Ryan Bard
  • Patent number: 11258793
    Abstract: The invention discloses a managing system and managing method for managing authentication for a cloud service system. When a user operates a data processing apparatus to execute an unprotected start-up procedure to start up a browser application to access from an unprotected space of a data storage unit and transmits an authentication data including no characteristic data associated with a protected space of the data storage unit to the cloud service system through the browser application, the cloud service system redirects the authentication data to an authentication server. The authentication server judges if the authentication data has the characteristic data associated with the protected space, and if NO, the authentication server transmits an alert message representative of refusal of login to the cloud service system. The cloud service system redirects the alert message to the browser application.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: February 22, 2022
    Assignee: TRUSTVIEW INC.
    Inventor: Ting-Huang Chen