Patents Examined by Benjamin E. Lanier
  • Patent number: 11314900
    Abstract: A method and system are provided for transferring digital assets in a digital asset network. Network users can be centrally enrolled and screened for compliance. Standardized transfer processes and unique identifiers can provide a transparent and direct transfer process. Digital assets can include sufficient information for ensuring that a value will be provided, including one or more digital signatures, such that value can be made immediately available to recipients.
    Type: Grant
    Filed: May 1, 2020
    Date of Patent: April 26, 2022
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Mondo Jacobs, Ajith Thekadath, Lidia Daldoss, David Henstock
  • Patent number: 11308190
    Abstract: A method for handling biometric templates is disclosed for an authenticating device applying biometric authentication. The method comprises acquiring a set of biometric data associated with a prospect user, and acquiring a decryption key (associated with an encrypted biometric template associated with an enrolled user of the authenticating device) from a key carrying device external to the authenticating device responsive to the key carrying device being in a vicinity of the authenticating device. The method also comprises retrieving, from a storage medium, at least a part of the encrypted biometric template associated with the enrolled user, decrypting the retrieved part of the biometric template using the acquired decryption key and performing an attempt to authenticate the prospect user as the enrolled user based on a comparison between the acquired set of biometric data and the decrypted part of the biometric template.
    Type: Grant
    Filed: November 9, 2018
    Date of Patent: April 19, 2022
    Assignee: FINGERPRINT CARDS ANACATUM IP AB
    Inventors: Markus Andersson, Jan Nilsson, Anders Khullar
  • Patent number: 11296885
    Abstract: An embodiment of the present invention is directed to a Channel Dynamic Multifactor Authentication. This solution provides the capability to select a multifactor authentication channel (e.g., email, SMS, etc.) dynamically based on multiple sources of risk scoring input data. The risk decision engine may determine an optimal lowest risk delivery channel for delivery of a one-time passcode and/or implement an additional or alternative mechanism for user authentication or verification.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: April 5, 2022
    Assignee: JPMORGAN CHASE BANK, N.A.
    Inventors: Eric Everson, Benjamin R. Cohen, Tim Skeen, Kurt A. Baskette
  • Patent number: 11297043
    Abstract: A system includes circuitry for cryptographic data share controls for distributed ledger technology based data constructs. The system may support placement of compute data on to a distributed ledger technology based data construct. The compute data may have multiple layers of encryption to support permissions and coordination of processing operations for application to the compute data. The multiple layers of encryption may include a homomorphic layer to allow sharing of the compute data for processing by a compute party without divulging the content of the compute data with the compute party. While in the homomorphically encrypted form, the homomorphic compute data supports the application of processing operations while maintaining the secrecy of the underlying data.
    Type: Grant
    Filed: July 16, 2020
    Date of Patent: April 5, 2022
    Assignee: Accenture Global Solutions Limited
    Inventors: David Treat, John Velissarios, Teresa Sheausan Tung, Luiz Pizzato, Deborah Garand, Atieh Ranjbar Kermany, Chia Jung Chang, Arjun Sitaraman Krishnan
  • Patent number: 11288384
    Abstract: Some aspects of the disclosure generally relate to providing single sign on features in mobile applications in a secure environment using a shared vault. An application may prompt a user to provide user entropy such as a passcode (e.g. a password and/or PIN). The application may use the user entropy to decrypt a user-entropy-encrypted vault key. Once the vault key is decrypted, the application may decrypt a vault database of the shared vault. The shared vault may store shared secrets, such as server credentials, and an unlock key. The application may store the unlock key, generate an unlock-key-encrypted vault key, and cause the shared vault to store the unlock-key-encrypted vault key, thereby “unlocking” the vault. The application may then use the unlock key to decrypt the vault database without prompting the user to provide user entropy again.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: March 29, 2022
    Assignee: Citrix Systems, Inc.
    Inventors: Georgy Momchilov, Ola Nordstrom
  • Patent number: 11290434
    Abstract: A communication device capable of performing encrypted communication with another communication device with use of a common key obtains, from the other communication device, a certificate including a public key and identification information on the other communication device, verifies validity of the certificate on the basis of the identification information on the other communication device included in the certificate, and transmits the common key encrypted by the public key to the other communication device to perform the encrypted communication in a case where the certificate is valid as a result of the verification.
    Type: Grant
    Filed: August 2, 2019
    Date of Patent: March 29, 2022
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Kazuo Moritomo
  • Patent number: 11283610
    Abstract: The invention relates to a computer-implemented method, system and computer program for tokenization of a physical object. The method comprises generating or receiving object identification data based on an inspection of the physical object, the object identification data comprising at least one cryptographic hash value as a collision-resistant virtual representation of the physical object; and generating a non-certified token being assigned to the physical object and representing the object identification data. The invention further relates to a computer-implemented method, system and computer program of certifying a token including object identification data. Moreover, the invention relates to a computer-implemented method, system and computer program of tokenization of a process.
    Type: Grant
    Filed: June 13, 2019
    Date of Patent: March 22, 2022
    Assignee: MERCK PATENT GMBH
    Inventors: Thomas Endress, Daniel Szabo, Frederic Berkermann, Natali Melgarejo Diaz, Carl Christian Brazel, Michael Platzoeder
  • Patent number: 11281781
    Abstract: Key processing methods and apparatuses, storage media, and processors are disclosed. A method includes: a security chip receiving a dynamic measurement request for a cryptographic operation; and the security chip generating a child key of a platform measurement root key based on the platform measurement root key and a random number, wherein the child key of the platform measurement root key is used for encrypting a loading process and an execution process measured by a dynamic measurement module, and the dynamic measurement module is a module used for measuring a firmware that performs cryptographic operations. The present disclosure solves the technical problems that existing key processing methods cannot guarantee the integrity of cryptographic operation algorithm firmware and the credibility of cryptographic operation execution environments during a cryptographic operation process.
    Type: Grant
    Filed: August 12, 2019
    Date of Patent: March 22, 2022
    Assignee: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Patent number: 11271734
    Abstract: The technology disclosed herein provides a proof-of-work key wrapping system for verifying device capabilities. An example method may include: receiving a wrapped key and a cryptographic attribute for the wrapped key, wherein the wrapped key encodes a cryptographic key; deriving, by a processing device, the cryptographic key in view of the wrapped key and the cryptographic attribute, wherein the deriving consumes computing resources for a duration of time; using the cryptographic key to access program data; executing, by the processing device, the program data, wherein the executed program data evaluates a condition related to the duration of time; and transmitting a message comprising an indication of the condition.
    Type: Grant
    Filed: August 19, 2019
    Date of Patent: March 8, 2022
    Assignee: Red Hat, Inc.
    Inventors: Michael Hingston McLaughlin Bursell, Nathaniel Philip McCallum, Peter M. Jones
  • Patent number: 11271728
    Abstract: A method may include obtaining a secret key, a user device secret key, and a server secret key based on the secret key and the user device secret key. The method may include dividing the user device secret key into a plurality of user device shares and the server secret key into a plurality of server shares. The method may include distributing the plurality of user device shares to a plurality of user devices and the plurality of server shares to a plurality of service providers. The method may include obtaining a public key based on the secret key. The method may also include publishing the public key. The method may include obtaining a recovery authority secret key and a recovery vault secret key such that a user may recover an account if the user devices and/or the service providers are compromised.
    Type: Grant
    Filed: December 20, 2019
    Date of Patent: March 8, 2022
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 11265709
    Abstract: Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. The devices employ authenticated encryption because it provides confidentiality, integrity, and authenticity assurances on the encrypted data. The final consumption of the IoT data may be at a designated gateway or a corporate system.
    Type: Grant
    Filed: August 8, 2019
    Date of Patent: March 1, 2022
    Assignee: ZETTASET, INC.
    Inventor: Eric A. Murray
  • Patent number: 11244049
    Abstract: In embodiments of the present invention, a framework for an extensible, file-based security system is described for determining an appropriate application, application environment, and/or access or security control measure based at least in part on a file's reputation. In response to the selection of a file, an application controller may be used to select a software application from two or more software applications to open the selected file, based at least in part on the selected file's reputation. If launched, a software application may be configured to open the file in an environment, such as a virtual machine, quarantined environment, and the like, that is appropriate for the file based at least in part on the reputation information. A software application may be a secure software application configured to manage secure files, or an insecure software application configured to manage insecure files.
    Type: Grant
    Filed: November 22, 2019
    Date of Patent: February 8, 2022
    Assignee: Sophos Limited
    Inventor: Andrew J. Thomas
  • Patent number: 11245523
    Abstract: The invention relates to client-side credential control to allow remote access to a second device by a first device, including: storing a private key of a key pair in a secure storage device of a first device, generating data related to a command executable by the second device, checking in the secure storage device, whether the data corresponds to at least one user credential related to the command executable by the second device stored in the secure storage device, signing a data block derived from the data using the private key, and transmitting a data packet generated from the data block to a gateway of the second device.
    Type: Grant
    Filed: May 13, 2020
    Date of Patent: February 8, 2022
    Inventor: András Vilmos
  • Patent number: 11245685
    Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to verify encrypted handshakes. An example apparatus includes a message copier to clone a client introductory message, the client introductory message is included in a first handshake for network communication between a client and a server, a connection establisher to initiate a second handshake between the apparatus and the server based on the cloned client introductory message, and a decrypter to, in response to the second handshake, decrypt a certificate sent by the server.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: February 8, 2022
    Assignee: MCAFEE, LLC
    Inventors: Tirumaleswar Reddy Konda, Harsha R. Joshi, Shashank Jain, Himanshu Srivastava, Srikanth Nalluri, Naveen Kandadi
  • Patent number: 11218497
    Abstract: A technique includes determining relations among a plurality of entities that are associated with a computer system; and selectively grouping behavior anomalies that are exhibited by the plurality of entities into collections based at least in part on the determined relations among the entities. The technique includes selectively reporting the collections to a security operations center.
    Type: Grant
    Filed: February 20, 2017
    Date of Patent: January 4, 2022
    Assignee: Micro Focus LLC
    Inventors: Tomasz Jaroslaw Bania, William G. Horne, Pratyusa K. Manadhata, Tomas Sander
  • Patent number: 11212315
    Abstract: Provided are systems, methods, and computer-program products for providing network deceptions using a network tunnel. In various implementations, a network device on a first network can be configured as a projection point. A projection point can be configured as one endpoint of a network tunnel. The other end of the network tunnel can terminate at a deception farm. The deception farm can host a second network, where the second network includes network devices configured as deception mechanisms. By assigning a deception mechanism a network address from the first network, the network address and the network tunnel enable the deception mechanism to appear as a node in the first network.
    Type: Grant
    Filed: February 25, 2020
    Date of Patent: December 28, 2021
    Assignee: Acalvio Technologies, Inc.
    Inventors: Johnson Wu, Sreenivas Gukal, Rammohan Varadarajan
  • Patent number: 11206133
    Abstract: A method for recovering data. The method including collecting identity factors at a user device, wherein hashes of the identity factors are configured to be stored at a server. The method including generating at the user device a dynamic password based on the identity factors and a Salt configured to be generated by the server and configured to be delivered to the user device. The method including generating at the user device a data key and encrypting the data key using the dynamic password to generate an encrypted data key configured to be stored at the server. The method including encrypting at the user device data items using the data key to generate encrypted data items configured to be stored at the server. As such, the data items are recoverable by presenting the identity factors to the server.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: December 21, 2021
    Assignee: Ping Identity Corporation
    Inventors: Armin Ebrahimi, Gaurav Khot
  • Patent number: 11190355
    Abstract: Embodiments of the invention are directed to a method. The method may comprise receiving a second biometric template of a user, and providing an authentication request message comprising an electronic identity and a derivative of the second biometric template of the user to a resource provider computer to conduct an interaction. The authentication request may be forwarded to a processing server computer by the resource provider computer, and the user device may receive an authentication response message comprising an authentication result from the processing server computer. The authentication result may be determined by the processing server computer based on a comparison of the derivative of the second biometric template to a derivative of a first biometric template accessible to the processing server computer. The authentication result may also be based on the validity of the electronic identity.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: November 30, 2021
    Assignee: Visa International Service Association
    Inventor: Quan Wang
  • Patent number: 11188630
    Abstract: Various embodiments relate to a dynamic biometric enrollment system. The dynamic biometric enrollment includes a processor and instructions stored in non-transitory machine-readable media. The instructions are configured to cause the server system to receive at least one biometric authentication sample from the user. The at least one tokenized biometric enrollment sample has been generated by tokenizing at least one biometric enrollment sample captured from a user associated with a unique user identifier. At least one biometric authentication sample captured from the user is retrieved. The at least one tokenized biometric enrollment sample is detokenized to retrieve the at least one biometric enrollment sample. The at least one biometric enrollment sample is processed using a biometric processing algorithm to generate a dynamic biometric reference template. It is determined whether the at least one biometric authentication sample matches with the dynamic biometric reference template.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: November 30, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
  • Patent number: 11182489
    Abstract: Methods for intelligent information protection based on detection of emergency events are disclosed. A method includes: applying, by a computing device, a safety tag to each of a plurality of data files; detecting, by the computing device, risk factors in a data stream indicating an unsafe situation; determining, by the computing device, a risk score based on the risk factors; and in response to the risk score exceeding a predetermined threshold, the computing device performing a security action on each of the plurality of data files based on the safety tag applied to each file.
    Type: Grant
    Filed: July 12, 2019
    Date of Patent: November 23, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Nadiya Kochura, Fang Lu, Darian Christian Shane Springer, Ivy Malao, Kevin R. Giles