Abstract: Features described herein generally relate to systems and methods for generating and managing tokens for authenticated assets. In some aspects, generating a token is performed according to one or more rules and includes generating metadata that links the token to a representation of an asset. In some other aspects, tracking token access includes monitoring a blockchain for token access events and generating a token based on a modified historian and received feedback. In other aspects, validating a token for an authenticated asset includes matching representations of the authenticated asset.

Abstract: Systems, devices, methods, and computer readable media are provided in various embodiments having regard to authentication using secure tokens, in accordance with various embodiments. An individual's personal information is encapsulated into transformed digitally signed tokens, which can then be stored in a secure data storage (e.g., a “personal information bank”). The digitally signed tokens can include blended characteristics of the individual (e.g., 2D/3D facial representation, speech patterns) that are combined with digital signatures obtained from cryptographic keys (e.g., private keys) associated with corroborating trusted entities (e.g., a government, a bank) or organizations of which the individual purports to be a member of (e.g., a dog-walking service).

Abstract: Embodiments provide systems and methods for logging events. A computer-implemented method comprises receiving input for selecting one or more event types to receive from an event collector, receiving, based on the one or more event types, a plurality of security events from the event collector, transforming each of the plurality of security events to a standard format to generate a plurality of formatted security events and transmitting the plurality of formatted security events to a security information and event management (SIEM) server.

Abstract: A UDM sends a protection request message to a first AUSF; and the UDM receives a response message that is of the protection request message and that is sent by the first AUSF, and sends terminal parameters update information via an AMF corresponding to a first serving network, where the protection request message requests to protect the terminal parameters update information, and the protection request message carries the terminal parameters update information and information about the first serving network.

Abstract: Methods and systems disclosed herein describe tokenizing data to generate a secure token that is limited in scope (e.g., directed to a specific recipient) and limited in time (e.g., valid for only a specified period of time). A detokenization process may be employed to recover encrypted data of the secure token without the need for any relational database lookup processes, thereby reducing cost while maintaining robust protection against unintended recipients that attempt to recover the encrypted data.

Abstract: Client devices can send access request messages to resource management computers to request access to a resource. A data security hub can provide centralized routing between different client devices, resource management computers, and authentication data processing servers. The data security hub can reduce the risk of sensitive authentication information from leaking (e.g., due to a breach) by limiting the amount or types of authentication information distributed to the data processing servers. The data security hub can limited the authentication information being distributed based on its sensitivity, the trust level of the client device, and the security level of the requested resource. The data security hub can also evaluate the client devices and data processing servers to identify security breaches and can cancel or reroute access requests accordingly. Thus, the data security hub can maintain resource security while better preserving the privacy of the client device's authentication information.

Abstract: One example may include receiving data, via a client device, from a virtual private network (VPN) server over a first connection of a first network, sending a request sent outside the VPN server, via the client device, to access a second network detected by the client device while the client device is communicating with the VPN server over the first network, responsive to receiving a captive portal from the second network, forwarding, via the client device, authentication information over a second connection to the second network, and receiving additional data, by the client device, from the VPN server over the first connection provided by the first network and a second connection provided by the second network after the authentication information is approved.

Abstract: A computer-implemented method includes identifying behavioral characteristics of a user related to operation of a computing device prior to an online account session. The method includes comparing the behavioral characteristics to a behavioral profile previously developed based on prior behavioral characteristics of the user, and determining an appropriate mark difficulty level based on a variation between the behavioral characteristics and the behavioral profile. The method includes selecting, from a plurality of prompts stored in a prompt database, a prompt that comprises instructions to draw a mark having the appropriate mark difficulty level, where other prompts of the plurality of prompts comprise instructions to draw other marks different from the mark, and providing the prompt to the user as part of a logon process for the online account session.

Abstract: A method includes a server computer receiving, from a first data provider computer, encrypted data derived from first identity data and a cryptographic key or derivative thereof stored at the first data provider computer. The server computer transmits, to a second data provider computer, the encrypted data and/or the cryptographic key or derivative thereof. The server computer receives, from the second data provider computer, intermediate data derived from second identity data stored at the second data provider computer. The server computer determines if the first identity data and the second identity data are duplicates while the first identity data and the second identity data are encrypted. The server computer removes one of encrypted first identity data, derived from the first identity data, and encrypted second identity data, derived from the second identity data, from a memory in the server computer.

Abstract: Various embodiments employ technology solutions to enable isolated client device interaction with building automation and control (BAC) networks, for example including configuration of a third-party application access framework which enables access to physical devices in a built environment. For example, a data exchange gateway interfaces a system with a BAC (Building Automation and Control) network, wherein the BAC network provides via the gateway, on a periodic basis, data values presented by each of a plurality of physical devices on the BAC network. A data exchange module receives periodic data values and causes recording of those values in a BAC database isolated from the BAC network. A permissions rules module control access to data in the BAC database. An API request handling module handles requests from third-party software platforms via an API.

Abstract: Methods are provided for generating an electronic signature, for authenticating said electronic signature, for authenticating integrity of a content signed with said electronic signature, and for authenticating an identity of a signatory who signed said electronic signature, along with systems, computer systems and computer programs suitable for performing said methods.

Abstract: In a relay system, an authentication device determines whether a registered identifier of a registered terminal possessed by a user in a vehicle matches an identifier of a first communication terminal received from a relay base station via a base station, generates a permission signal indicating whether to permit relay of wireless communication between the first communication terminal and the base station, depending on the result of determination, and sends the generated permission signal to the relay base station via the base station. The relay base station relays wireless communication between the first communication terminal and the base station when the permission signal indicates that the relay of wireless communication is permitted. The relay base station omits to relay the wireless communication for the communication terminal when the permission signal indicates that the relay of wireless communication is not permitted.

Abstract: Dynamic-link verification process between a mobile phone and a controlled resource. The process begins with engagement by a mobile phone with an initiator that is linked with a specific verification event that triggers a text message to auto-populate on the mobile phone. The mobile phone sends the auto-populated message to initiate the verification of the user for access to a resource controlled by a third party. Approval or denial of access to a controlled resource is sent to the mobile device and the third party.

Abstract: A method includes: obtaining at least one real-time console log from a compute instance; tagging the at least one real-time console log with at least one log category based on at least one entry within the at least one real-time console log; generating at least one categorized console log; generating at least one encrypted categorized console log based on a public encryption key; publishing the at least one encrypted categorized console log to a log bus; communicating the at least one encrypted categorized console log over at least one multi-port secure tunnel to a user terminal device of a subscribed user; and publishing a private encryption key to the user terminal device of the subscribed user wherein the private encryption key facilitates decrypting the at least one encrypted categorized console log.

Abstract: A device implementing a digital credential revocation system includes at least one processor configured to maintain a valid digital credential list, a revocation list, and a synchronization counter value. The at least one processor is configured to transmit a request to synchronize the valid digital credential list with an electronic device, the request including the valid digital credential list and the revocation list.

Abstract: Embodiments of the present application provide a processing method and apparatus for defending against shared storage side channel attacks, an electronic device and a computer-readable storage medium, and relate to the technical field of computers. In the embodiment of the present application, first time information is acquired by a clock thread, and the first time information is obfuscated to obtain second time information; and, the second time information is transmitted to an attack thread by a clock thread. Since the second time information acquired by the attack thread is obfuscated, that is, the second time information is inaccurate, the attack thread cannot successfully complete a side channel attack when it performs side channel attacks based on the inaccurate time information, so that the system can be protected.

Abstract: Methods, systems, apparatus, and computer-readable storage devices for anonymous device authentication. A method includes: accessing, by the electronic device, data stored by the electronic device that identifies authentication keys the electronic device accepts as valid; sending, by the electronic device to a second electronic device, an authentication request that identifies a set of authentication keys including at least some of authentication keys the electronic device accepts as valid; and receiving, by the electronic device, response data that the second electronic device provides in response to the authentication request. The response data (i) identifies a particular authentication key from the set of authentication keys identified by the authentication request, and (ii) includes a signature generated using the particular authentication key.

Abstract: Embodiments of the disclosure are directed to methods, apparatuses, computer-readable media, and systems for network monitoring of communication requests for authorization to an access device. One embodiment is directed at dual message model in a distributed environment with an electronic access device receiving a cancellation signal and generating and sending a reversal message with cancellation information embedded in the data elements of the reversal message to a processor computer, where the cancellation data may be read and saved by the processor computer before the authorization request message is forwarded to be authorized by an authorization entity. The method further comprises generating a cancellation message after the reversal message has processed, where the cancellation message is sent via a transport computer to clear and reconcile the authorization status of the cancelled authorization request with any necessary authorizing or regulatory entities in the network.

Abstract: A key broker monitors network traffic metadata and determines which decryption keys are required at one or more packet brokers in order to decrypt relevant traffic required by various network monitoring devices. The key broker retrieves the required keys from a secure keystore distributes them, as needed, to the network packet brokers, and dynamically updates the decryption keys stored in the network packet brokers in response to changes in network traffic.

Abstract: A system and method provide streamlined restricted access to a secure server through a communications network. A client identifier parameter value is established and uniquely associated with a user registering with an authentication server, and is stored in at least first and second predetermined storage forms within a data storage system, the first form readable exclusively by a client device of the user and the second form readable by the authentication server. The client device then authenticates by retrieving the client identifier parameter value from the data storage system and providing it to the authentication server, which independently retrieves the client identifier parameter value from the data storage system for comparison, and initiates an interactive communication session between the client device and the secure server responsive to the comparison. Between comparisons, the client identifier parameter values are stored exclusively on the data storage system and deleted from all other devices.