Patents Examined by Chau Le
-
Patent number: 12056244
Abstract: Examples described herein relate to deferred authentication in secure boot systems. An untrusted component is identified in a boot sequence in a trusted execution environment. A secure boot authentication of the untrusted component is deferred for a predetermined period and access to hardware resources is restricted. An image digest and privilege rights including access to hardware resources associated with the untrusted component is obtained in an untrusted execution environment. A request including the image digest and the privilege rights is sent to a central node over a secure connection. A response including a signature based on image digest and approved privileges is received from the central node. The untrusted component is authenticated in the trusted execution environment using the signature before expiry of the predetermined period. Access to the hardware resources is provided to the untrusted component in the trusted execution environment based on the approved privileges.
Type: Grant
Filed: April 6, 2021
Date of Patent: August 6, 2024
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Jianpo Han, Yinzhi Dong
-
Patent number: 12050693
Abstract: Systems and methods for attributing user behavior from multiple technical telemetry sources are provided. An example method includes determining that the user has logged into the computing device, in response to the determination, collecting log data from a plurality of telemetry sources associated with the computing device, extracting, from the log data, activity data concerning activities of the computing device, analyzing the activity data to determine that the activity data are attributed to the user, generating, based on the activity data, behavior attributes of the user, associating the behavior attributes with a unique identifier of the computing device, and estimating security integrity of the computing device based on a comparison of the behavior attributes to reference behavior attributes. The reference behavior attributes include further behavior attributes determined using log data of at least one further computing device associated with the user.
Type: Grant
Filed: January 29, 2021
Date of Patent: July 30, 2024
Assignee: vArmour Networks, Inc.
Inventors: Hsisheng Wang, Paul Bigbee, Marc Woolward, Keith Stewart, Meng Xu
-
Patent number: 12052366
Abstract: A client device determines that a telephony outage is occurring. The client device connects to an on-premises telephony node using an encrypted password at the client device. The client device accesses a set of telephony services via the on-premises telephony node.
Type: Grant
Filed: October 29, 2021
Date of Patent: July 30, 2024
Assignee: Zoom Video Communications, Inc.
Inventor: George Thomas
-
Patent number: 12047240
Abstract: A system and method for modifying functionality within a wireless network based on a provided passphrase is disclosed. The method includes defining a first and second set of network policies associated with a first and second passphrase, respectively, with the second passphrase being different from the first. The method also includes determining if the provided passphrase used by a client device while engaging in an authentication process with a mutable network device to secure a network connection matches one of the first or second passphrases. The method further includes configuring a traffic kernel module within the network device to provide the network connection to the client device, the connection defined by the set of network policies corresponding to the provided passphrase. Each network policy describes a functionality and governs the circumstances in which it is applied, the functionality being at least one of an access, a capacity, and a resource.
Type: Grant
Filed: December 19, 2023
Date of Patent: July 23, 2024
Assignee: SoundVision Technologies, LLC
Inventor: Jeffrey Alma Hansen
-
Patent number: 12046093
Abstract: A multi-device electronic access control application, method and system. Certain aspects of the present disclosure provide for an end user mobile application that inter-operates with various types of electronic locking devices in a simple, repeatable method to enable a user to unlock any make or model of electronic access control device, if they are authorized to do so at that site, time and purpose, from a single mobile application user interface. An end user mobile application may be communicably engaged with a remote application server to integrate with enterprise backend user/site data and alarm systems, such that the end user mobile application is configured to manage user authorization/authentication, site access protocols/permissions and alarm management. An electronic access control method may comprise one or more steps for authorizing a user; suppressing an alarm; and unlocking an electronic locking device with a specified method for the given access point.
Type: Grant
Filed: March 26, 2022
Date of Patent: July 23, 2024
Assignee: Security Enhancement Systems, LLC
Inventors: Matthew Frank Trapani, Anthony Mark Williams, Scott Trail
-
Patent number: 12019750
Abstract: Systems and methods for providing updates to an electronic device are provided. Upon receiving an update statement, indicating availability of an update to an application on an electronic device, a determination is made as to whether an update notification threshold has been met at the electronic device based upon the indication of availability of the update to the application. When the update notification threshold has been met at the electronic device, a graphical indication of the availability of the update to the application is provided. However, when the update notification threshold has not been met, the graphical indication of the availability of the update to the application is not provided.
Type: Grant
Filed: April 18, 2022
Date of Patent: June 25, 2024
Assignee: Apple Inc.
Inventors: Sean B. Kelly, Elizabeth Caroline Furches Cranfill, Thomas Alsina
-
Patent number: 12021847
Abstract: Methods and systems disclosed herein describe tokenizing data to generate a secure token that is limited in scope (e.g., directed to a specific recipient) and limited in time (e.g., valid for only a specified period of time). A detokenization process may be employed to recover encrypted data of the secure token without the need for any relational database lookup processes, thereby reducing cost while maintaining robust protection against unintended recipients that attempt to recover the encrypted data.
Type: Grant
Filed: May 3, 2022
Date of Patent: June 25, 2024
Assignee: Capital One Services, LLC
Inventors: Hao Cheng, Rohit Joshi, Ashish Gupta
-
Patent number: 12013954
Abstract: Scalable cloning and replication for trusted execution environments is described. An example of a computer-readable storage medium includes instructions for receiving a selection of a point to capture a snapshot of a baseline trust domain (TD) or secure enclave, the TD or secure enclave being associated with a trusted execution environment (TEE) of a processor utilized for processing of a workload; initiating cloning of the TD or secure enclave from a source platform to an escrow platform; generating an escrow key to export the snapshot to the escrow platform; and exporting a state of the TD or secure enclave to the escrow platform, the state being sealed with a sealing key.
Type: Grant
Filed: March 31, 2022
Date of Patent: June 18, 2024
Assignee: Intel Corporation
Inventors: Ravi Sahita, Dror Caspi, Vedvyas Shanbhogue, Vincent Scarlata, Anjo Lucas Vahldiek-Oberwagner, Haidong Xia, Mona Vij
-
Patent number: 12003964
Abstract: Methods, systems, apparatus, and computer-readable storage devices for anonymous device authentication. A method includes: accessing, by the electronic device, data stored by the electronic device that identifies authentication keys the electronic device accepts as valid; sending, by the electronic device to a second electronic device, an authentication request that identifies a set of authentication keys including at least some of authentication keys the electronic device accepts as valid; and receiving, by the electronic device, response data that the second electronic device provides in response to the authentication request. The response data (i) identifies a particular authentication key from the set of authentication keys identified by the authentication request, and (ii) includes a signature generated using the particular authentication key.
Type: Grant
Filed: June 30, 2020
Date of Patent: June 4, 2024
Assignee: Google LLC
Inventors: Randall Spangler, Kiavash Faraji
-
Patent number: 11995639
Abstract: A system and method for a dynamic-link verification process between an electronic device and a transaction or event. The first step is engagement by a mobile electronic device with an initiator that is linked with a specific verification event that triggers a text message to auto-populate on a mobile electronic device. The message comprising metadata about the user and the event or transaction. The second step is for the electronic device to send the auto-populated message to a message gateway thus initiating the verification of the user. The message gateway works with a management service and one or more databases to verify the identity and other aspects of the user based on instructions provided by the event host. Approval or denial of the transaction or request to gain entry is sent to the mobile device and the event host.
Type: Grant
Filed: March 17, 2023
Date of Patent: May 28, 2024
Assignee: TAPTEXT LLC
Inventors: Steve Doumar, Paul Levasseur
-
Patent number: 11995203
Abstract: Computer methods and devices for handling requests by using a distributed ledger database. An evaluation of a request is performed based on a first data item comprising first information about a state of a system and on a second data item comprising second information about a proposed action in response to the state of the system. The first and second data items are evaluated to establish whether, given the state of the system, the proposed action is appropriate. A third data item is provided and a fourth data item is accessed. The third data item comprises encrypted first information. The fourth data item comprises information for accessing encrypted information comprised in a first encrypted data item. The first data item is authenticated against the first encrypted data item to establish whether the information in the first data item is compatible with the information in the first encrypted data item.
Type: Grant
Filed: May 6, 2020
Date of Patent: May 28, 2024
Assignee: Oncare GmbH, LLC
Inventor: Christian Hieronimi
-
Patent number: 11991146
Abstract: Provided is a method for data transmission between at least one first network and at least one second network, wherein a) for at least one data transmission between the at least one first network and the at least one second network, at least one connection between the first network and the second network is established and a datum or data are directed by means of a resource allocation unit arranged between the networks, and b) for the establishment of the at least one connection, the resource allocation unit exclusively allocates at least one net access resource, e.g. network cards or network adapters, which can be coupled to the second net, and a one-way communication unit arranged upstream of the net access resource for establishing a feedback-free data transmission direction.
Type: Grant
Filed: June 16, 2020
Date of Patent: May 21, 2024
Assignee: Siemens Mobility GmbH
Inventors: Christian Bauer, Matthias Lorenz, Hermann Seuschek, Martin Wimmer
-
Patent number: 11979393
Abstract: An online authentication system allows a user to define their own logic for multistage authentication, which is provided to an online authentication center and stored as encrypted bytecode based on each user's password. Implementation logic can use third party information sources to provide additional authentication options.
Type: Grant
Filed: June 2, 2021
Date of Patent: May 7, 2024
Assignee: Green Market Square Limited
Inventors: Vinod A. Valecha, Sanjay B. Panchal, Mohit N. Agrawal
-
Patent number: 11979387
Abstract: A method includes obtaining a first plurality of encrypted traffic flows traversing a communication network, performing a first classification, wherein a result of the first classification identifies a traffic type associated with each encrypted traffic flow of the first plurality of encrypted traffic flows, and wherein the first classification is based on a traffic pattern of the each encrypted traffic flow, performing a second classification, wherein a result of the second classification identifies a traffic type associated with each server name indication from which the first plurality of encrypted traffic flows is associated, and wherein the second classification is based on the result of the first classification, and performing a third classification identifying a traffic type associated with each encrypted traffic flow of the first plurality of encrypted traffic flows, wherein the third classification is based on a combination of the results of the first classification and the second classification.
Type: Grant
Filed: December 19, 2022
Date of Patent: May 7, 2024
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Zhengye Liu, Donglin Hu, Jin Wang
-
Patent number: 11973877
Abstract: Systems, devices, methods, and computer readable media are provided in various embodiments having regard to authentication using secure tokens, in accordance with various embodiments. An individual's personal information is encapsulated into transformed digitally signed tokens, which can then be stored in a secure data storage (e.g., a “personal information bank”). The digitally signed tokens can include blended characteristics of the individual (e.g., 2D/3D facial representation, speech patterns) that are combined with digital signatures obtained from cryptographic keys (e.g., private keys) associated with corroborating trusted entities (e.g., a government, a bank) or organizations of which the individual purports to be a member of (e.g., a dog-walking service).
Type: Grant
Filed: December 26, 2022
Date of Patent: April 30, 2024
Assignee: ROYAL BANK OF CANADA
Inventors: Edison U. Ortiz, Mohammad Abuzar Shaikh, Margaret Inez Salter, Sarah Rachel Waigh Yean Wilkinson, Arya Pourtabatabaie, Iustina-Miruna Vintila
-
Patent number: 11968181
Abstract: A UE communicates with a network gateway to access a provisioning device via a provisioning network. The provisioning device uses identification data of the UE to authenticate the UE for a primary network, and provides primary network configuration data to the UE. Using the primary network configuration data, the UE communicates with the network gateway to access the primary network. The primary network configuration data can include data to enable the UE to establish communications with one or more private networks accessible via the primary network.
Type: Grant
Filed: January 23, 2023
Date of Patent: April 23, 2024
Assignee: Oceus Networks, LLC
Inventor: James Thomas Row, II
-
Patent number: 11956217
Abstract: One example may include forwarding a request sent outside a VPN server, via a client device, to access a second communication network detected by the client device, and the client device is communicating with the VPN server over a first communication network, responsive to receiving a captive portal, forwarding, via the client device, authentication information to obtain access to the second communication network, and the authentication information is not forwarded to the VPN server, and receiving data, by the client device, from a remote server over a bonded connection including a first connection provided by the first communication network bonded with a second connection provided by the second communication network to form the bonded connection.
Type: Grant
Filed: May 16, 2023
Date of Patent: April 9, 2024
Assignee: CONNECTIFY, INC.
Inventors: Brian Prodoehl, Brian Lutz, Kevin Cunningham, Alexander Gizis
-
Patent number: 11949706
Abstract: A method including receiving a record in a first timeframe; establishing a plurality of threat vectors for the record; merging the plurality of threat vectors to the record; generating a risk valuation for the record based on the plurality of threat vectors; merging the risk valuation to the record to form a risk event; and storing the risk event in a computer-readable data store.
Type: Grant
Filed: October 13, 2021
Date of Patent: April 2, 2024
Assignee: Fluency Corp.
Inventors: Christopher Jordan, Kun Luo
-
Patent number: 11921870
Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.
Type: Grant
Filed: November 23, 2022
Date of Patent: March 5, 2024
Assignee: Amazon Technologies, Inc.
Inventors: Frank Paterra, Firat Basarir
-
Patent number: 11917073
Abstract: A message authentication code, for a message transmitted and received over a communications network, is formed by applying inputs to an integrity algorithm acting on the message. The inputs comprise: an integrity key; a value indicating a transfer direction; and a frame-dependent integrity input, wherein the frame-dependent integrity input is a frame-dependent modulo count value that also depends on a random value and on a frame-specific sequence number.
Type: Grant
Filed: March 29, 2022
Date of Patent: February 27, 2024
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Vesa Torvinen, Noamen Ben Henda, Qian Chen, Vesa Lehtovirta, Mats Näslund, Karl Norrman, Gang Ren, Mikael Wass, Monica Wifvesson