Abstract: Disclosed herein is a method of connection of home appliance to a network, a network-connection system for home appliances, and an apparatus related to a network-connection setting for home appliances. The network connection method of home appliance includes operations in which a terminal device receives an input of an authentication key of an access point (AP) apparatus and the terminal device or the AP apparatus verifies and authenticates the authentication key; a home appliance is set to be in a state of communicating with the terminal device; the home appliance is interconnected to the terminal device and the terminal device transmits an identification number and the certificated authentication key of the AP apparatus to the home appliance; and the home appliance is connected to the AP apparatus based on the identification number and the authentication key of the AP apparatus.

Abstract: An apparatus computing scalar multiplication of a point on an elliptic curve by a scalar value includes an estimation unit configured to estimate a pre-computation amount based on the scalar value, a pre-computation unit configured to perform pre-computation based on the point on the elliptic curve by using the estimated pre-computation amount, a generating unit configured to generate an internal representation of the scalar value by using the estimated pre-computation amount, and a computation unit configured to output a result of the scalar multiplication of the point based on the result of the pre-computation and the internal representation.

Abstract: Methods and systems for the direct-addressing of data and the indirect-addressing of data are disclosed using pointers based on two or more hash digests generated in different ways using the same data and the same hash algorithm along with a modulo of a prime number.

Abstract: One embodiment provides a key transfer system and method based on a shared security application. During operation, an application executing on a terminal device receives an application key comprising at least a service key from a management server of the application and forwards the application key to a management server of a shared security application residing in a secure element in the terminal device, thereby facilitating the management server of the shared security application to deliver the application key to the shared security application. The application invokes the application key stored in the shared security application to perform services associated with the application. The application key is isolated from other application keys associated with other applications stored in the shared security application.

Abstract: Share values for use in a cryptographic operation may be received and the cryptographic operation may be performed based on the share values. A pseudorandom number that is to be used by the cryptographic operation may be identified and the pseudorandom number may be generated based on a portion of the share values that are used in the cryptographic operation. The cryptographic operation may then be performed based on the generated pseudorandom number.

Abstract: An identity authentication method and apparatus, where the method includes receiving a network access request from a user terminal, returning a portal authentication page to the user terminal, where the portal authentication page includes indication information, receiving an access token that is generated by an open social platform and used to obtain user identity information, generating a portal authentication request including a terminal identifier of the user terminal and the access token, sending the portal authentication request to an authentication server, and receiving a portal authentication response returned by the authentication server, where the portal authentication response includes the terminal identifier and an authentication result. Therefore, the identity authentication may be directly performed on the user terminal using the user identity information stored on the open social platform, and a user does not need to register with a portal authentication system in advance.

Abstract: There is provided a system comprising a first device of a user and a second device of a user, in which a user carries out a secure transaction utilising a user interface of the second device, wherein the secure transaction process sends a request to a user interface of the first device, and authorises or authenticates the transaction in dependence on a response to the request which is not transmitted from a user interface of the second device.

Abstract: In one implementation, a method for providing security on externally connected controllers includes receiving, at a reporting agent that is part of a security middleware layer operating on a controller, an indication that a process has been blocked; obtaining, by the reporting agent, trace information for the blocked process; determining, by the reporting agent, a code portion in an operating system of the controller that served as an exploit for the blocked process; obtaining, by the reporting agent, a copy of malware that was to be executed by the blocked process; generating, by the reporting agent, an alert for the blocked process that includes (i) the trace information, (ii) information identifying the code portion, and (iii) the copy of the malware; and providing, by the reporting agent, the alert to a network interface on the controller for immediate transmission to a backend computer system.

Abstract: A plurality of authentication devices form and manage a self-organizing mobile peer-to-peer mesh network to provide robust authentication of mobile peers, humans and or mobile devices such as drones, cars, satellites, robots etc. The mesh network may supplement traditional fixed point of entry authentication to combat social engineering penetrations or be used in situations where fixed-point authentication is not viable. Network efficiency can be enhanced by using two-level encryption, a first level of encryption based on permissions to join a mesh network and a simpler second level of encryption based on knowledge shared with members of the network for communication. Making the permissions a function of location can make the network more robust. Re-authenticating member peers based on the occurrence of defined events can further enhance security.

Abstract: A system and method for provides unverified users an ability to act upon private records known to them while protecting user privacy by not reflecting private information back to the unverified user. As an unverified user inputs information related to their identity into an interface, the system searches an indexed database which may include both registered users and/or unregistered customers indexed from a single data source or from disparate data sources.

Abstract: Provided herein are methods and systems for multi-person authentication and validation systems for sharing of images. The multi-person authentication and validation system may identify the respective representations of one or more individuals captured in an image, and request authorization for sharing the image from the one or more individuals captured in the image. In some instances, the multi-person authentication and validation system may provide a different image version for sharing if at least one of the one or more individuals denies authorization.

Abstract: Endpoint security systems and methods include a distance estimation module configured to calculate a travel distance between a source Internet Protocol (IP) address and an IP address for a target network endpoint system from a received packet received by a network gateway system based on time-to-live (TTL) information from the received packet. A machine learning model is configured to estimate an expected travel distance between the source IP address and the target network endpoint system IP address based on a sparse set of known source/target distances. A spoof detection module is configured to determine that the received packet has a spoofed source IP address based on a comparison between the calculated travel distance and the expected travel distance. A security module is configured to perform a security action at the network gateway system responsive to the determination that the received packet has a spoofed source IP address.

Abstract: Systems, methods, and apparatuses can protecting a secret on a device with limited memory, while still providing tamper resistance. To achieve the lower memory usage, embodiments can apply a memory-hard function MHF to the secret S to obtain a result Y, which can be used in an encoding process to obtain a code C. After applying the MHF, a prove function can generate a proof value that is used in a decoding (e.g., a verification of computation process) of the code C. The code C can include the proof value, the secret S, and the result Y, and can be sent to a decoding device that verifies the code C as part of a decoding process.

Abstract: A method includes obtaining an incoming event log, splitting the incoming event log into a set of tokens, and identifying a subset of the tokens as anchor tokens. The method also includes utilizing an ordered list of the anchor tokens to traverse through a set of anchor token trees and, responsive to identifying a path from (i) a root node of a given one of the anchor token trees to (ii) a given leaf node of the given anchor token tree corresponding to the ordered list of the anchor tokens, selecting a given parser associated with the given leaf node. The method further includes extracting data from the incoming event log utilizing the given parser, detecting one or more security threats affecting at least one asset in an enterprise system based on the extracted data, and applying at least one remediation action to mitigate the detected security threats.

Abstract: In one embodiment, a process on a computer for dynamic application component auditing is disclosed, the process includes automatically identifying, by an agent, all application components in an application. The process includes determining, by the agent, manifest information for the identified application components. The process includes accessing, by the agent, an alias file to convert the determined manifest information to align with corresponding information in a vulnerability database. The process includes using a Web service to query the vulnerability database to search for a match with the converted manifest information. The process includes responsive to the query, creating an audit report of the application components.

Abstract: Embodiments are directed to managing resources over a network. Objects that each correspond to a separate key container may be provided such that each separate key container includes a region key, a shard key, a nonce key. A data center and a data store may be determined for each object based on the region key and the shard key included in each separate key container such that a value of the region key corresponds to the data center and a value of the shard key corresponds to the data store.

Abstract: Multiple data sources encrypt data using encryption key data received from a first system; a second system does not have access to the encryption key data. The second system receives the encrypted data from the multiple data sources. Because the encryption is additively homomorphic, the second system may create encrypted summation data using the encrypted data. The second system may send the encrypted summation data to the first system, which may then decrypt the encrypted summation data to create unencrypted summation data.

Abstract: An approach to exchanging data and identity between devices, securely, is provided. The approach includes data encryption, device management, a voting mechanism, message queuing, and encrypted data storing. Using the approach, a user can provide their identity to and share data with an external software or device in a secure manner. Also the user can decide where to store their encrypted data.

Abstract: One embodiment provides a method for facilitating network security, the method comprising: receiving, by a server from an application associated with a user, a first data packet which includes a first set of verification information and a first command; and in response to determining that the first set of verification information does not satisfy a first predetermined condition: generating a verification code destined for a first computing device associated with the user; in response to not successfully authenticating the verification code, discarding the first data packet; and in response to successfully authenticating the verification code, transmitting the first command to an end device, which causes the end device to execute the first command.

Abstract: A mobile wallet for storing a digital asset, the mobile wallet may include a communication unit; a programmable logic device (PLD), a main controller, a secure element, and an anti-tamper unit that comprises one or more anti-tamper sensors. The secure element may be configured to store the digital asset. The communication unit may be configured to receive ingress traffic from outside the mobile wallet and to output egress traffic not blocked by the PLD. The PLD may be configured to monitor ingress traffic and egress traffic, and to determine whether to pass or block ingress messages of the ingress traffic and egress messages of the egress traffic. At least one of the main controller and the anti-tamper unit may be configured to detect a tamper attempt based on outputs of the one or more anti-tamper sensors. The main controller may be configured to assist in responding to a detected tamper attempt.