Patents Examined by Dant B Shaifer Harriman
  • Patent number: 11420662
    Abstract: An apparatus and method for generating and verifying secure messages between vital equipment for controlling a railway network, wherein the apparatus includes control and/or processing components configured to carry out the following steps: a) generating a message body including information that may change the state of the railway network; b) generating a first pseudo-signature on the basis of the message body and a first cryptographic key; c) transmitting the first pseudo-signature to a second apparatus; d) receiving a second pseudo-signature from the second apparatus; e) generating a message signature on the basis of the second pseudo-signature and the first cryptographic key; f) generating a message by combining the message body and the message signature; g) sending the message to a recipient.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: August 23, 2022
    Assignee: Hitachi Rail STS S.P.A.
    Inventors: Paolo Bozzo, Jacopo D'Amico, Paola De Bernardi, Alessandro Parodi, Claudio Plescovich, Giorgio Ravera
  • Patent number: 11411731
    Abstract: A method may include obtaining input data for an application programming interface (API), and encrypting the input data for the API using a public key of a provider of the API. The method may also include transmitting, to an API management server, an API request that invokes the API, where the API request includes an API call for the API and the encrypted input data. The API request may be in a format such that the API management server is capable of performing API management services based on the API call but unable to decrypt the encrypted input data with the public key.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: August 9, 2022
    Assignee: FUJITSU LIMITED
    Inventors: Mehdi Bahrami, Wei-Peng Chen
  • Patent number: 11405358
    Abstract: The application includes a data processing device and method. In an embodiment, the data processing device includes a data collection unit, configured to collect data transmitted in a network, and divide the collected data, according to a predetermined feature, into known attack data and unknown attack data. The data processing device further includes a data conversion unit, configured to replace, according to a mapping database, at least a portion of the content included in the unknown attack data with corresponding identification codes. Therefore, the size of data transmitted in the network can be reduced.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: August 2, 2022
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Dai Fei Guo, Xi Feng Liu
  • Patent number: 11399284
    Abstract: Disclosed herein are systems and methods for providing and using a decentralized network using a blockchain. A provider (and/or miner) may provide network coverage to one or more devices in return for tokens on the blockchain. The blockchain may employ a proof-of-coverage scheme to verify (and even guarantee) that the miners are honestly representing the wireless network coverage they are providing. In some instances, the proof of coverage may require the providers to prove coverage periodically, upon demand, and/or at random intervals.
    Type: Grant
    Filed: September 27, 2019
    Date of Patent: July 26, 2022
    Inventors: Amir Haleem, Andrew Thompson, Andrew Allen, Marc Nijdam, Rahul Garg, Jay Kickliter
  • Patent number: 11399027
    Abstract: In a network system for wireless communication an enrollee accesses the network via a configurator. The enrollee acquires a data pattern that represents a network public key via an out-of-band channel by a sensor. The enrollee derives a first shared key based on the network public key and the first enrollee private key, and encodes a second enrollee public key using the first shared key, and generates a network access request. The configurator also derives the first shared key, and verifies whether the encoded second enrollee public key was encoded by the first shared key, and, if so, generates security data and cryptographically protects data using a second shared key, and generates a network access message. The enrollee processor also derives the second shared key and verifies whether the data was cryptographically protected and, if so, engages the secure communication based on the second enrollee private key and the security data.
    Type: Grant
    Filed: November 12, 2020
    Date of Patent: July 26, 2022
    Assignee: Koninklijke Philips N.V.
    Inventor: Johannes Arnoldus Cornelis Bernsen
  • Patent number: 11388153
    Abstract: A secure communication network includes interconnected switches including a source switch, a destination switch, and an intermediate switch. Packets are transferred over the secure communication network from a start node to an end node. The source switch replaces an original payload of each packet with an encrypted payload that combines the original payload and a respective random pad for the packet. The source switch then discards the respective random pad. The source and intermediate switches forward each packet toward the destination switch. The destination switch replaces the encrypted payload of each packet with a decrypted payload, which combines the encrypted payload and the respective random pad so as to match the original payload, discards the respective random pad, and transmits the packet with the decrypted payload to the end node. A controller sends the respective random pad for each packet to the source and destination switches via secure management links.
    Type: Grant
    Filed: August 25, 2020
    Date of Patent: July 12, 2022
    Assignee: United States of America as represented by the Secretary of the Navy
    Inventors: William Albert Sellers, Jr., James M Mengert
  • Patent number: 11374924
    Abstract: Aspects of the invention relate to systems and methods for securely retaining profile data and the use of such data for the targeted delivery of content. In one embodiment, a unique profile that represents the user location and is keyed to profile attributes selected from both a first set of data collected from the user location and the second set of profile data collected from an external source, is generated. The key does not allow a third party to identify the end-user location or a user associated with the end-user location. Electronic content transmitted to end-user locations may be encoded such that it may only be accessed by an authorized user and/or on a specific electronic device at the user location. A graphical user interface may be utilized to allow a third-party to provide selection criteria for determining user locations to receive targeted content. Further aspects of the invention relate to an electronic device configured to present targeted content to a user at a user location.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: June 28, 2022
    Assignee: Comcast Cable Communications, LLC
    Inventor: Walter F. Michel
  • Patent number: 11366887
    Abstract: The present disclosure generally relates to methods for enrolling a user of an electronic device and authenticating the user of the electronic device. The electronic device comprises a biometry sensor for acquiring sensing signals representative of a biometric feature, and a processor for computing a verification representation based on said sensing signals. The electronic device further includes a secure module isolated from said processor for computing an encrypted representation of said enrollment representation.
    Type: Grant
    Filed: March 7, 2018
    Date of Patent: June 21, 2022
    Assignee: FINGERPRINT CARDS ANACATUM IP AB
    Inventors: Sebastian Weber, David Burnett
  • Patent number: 11361111
    Abstract: A computing device incorporating repetitive side channel attack (SCA) countermeasures can include a timer circuit and a capacitive delay circuit that notifies of a potential repetitive-based attack by sending an activity-detected signal that can be used to initiate an appropriate countermeasure response. Additionally, or independently, a computing device incorporating repetitive SCA countermeasures can include at least one storage unit that can store an incoming input signal, at least one comparator to compare the incoming input signal with another signal and indicate a match, and a counter that increments upon the match. When the counter reaches a specified limit, a limit-exceeded signal can be sent to notify of a potential repetitive-based attack and initiate an appropriate countermeasure response.
    Type: Grant
    Filed: July 9, 2018
    Date of Patent: June 14, 2022
    Assignee: ARM LIMITED
    Inventors: Carl Wayne Vineyard, Christopher Neal Hinds, Adeline-Fleur Fleming
  • Patent number: 11349824
    Abstract: The present invention relates to a block sequencing method based on a tree-graph structure, comprising: linking all blocks into a tree-graph structure according to reference relationships; selecting one pivot chain from the tree-graph structure and taking all blocks in the pivot chain as pivot blocks; dividing all blocks into a plurality of Epochs according to a time sequence arrangement of the pivot blocks; sorting the blocks in the Epoch to obtain a set sequence of the Epoch in time sequence; and obtaining a global sequence of all blocks of the tree-graph structure based on all set sequences. The present invention also relates to a block sequencing system based on the tree-graph structure, a data processing terminal for sequencing blocks by the block sequencing method, and a P2P network using the data processing terminal.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: May 31, 2022
    Assignee: Shanghai Tree-Graph Blockchain Research Institute
    Inventors: Chenxing Li, Peilun Li, Zhe Yang, Guang Yang, Dong Zhou, Ming Wu, Fan Long, Shang Shu
  • Patent number: 11349862
    Abstract: The disclosure is directed to a system for testing known bad destinations while in a production network. The system can include a source controller and a destination controller in a production network. The source controller and the destination controller can have a configuration of a predetermined set of one or more known bad external destinations to test a security control device of the production network intermediary to the source controller and the destination controller. The source controller can be configured to communicate test traffic generated to a known bad external destination. The test traffic can pass through the security control device with a network identifier of the known bad external destination. The destination controller can be configured to receive the test traffic forwarded by a network device of the production network.
    Type: Grant
    Filed: April 29, 2019
    Date of Patent: May 31, 2022
    Assignee: MANDIANT, INC.
    Inventors: Christopher B. Key, Paul E. Holzberger, Jr., Jeff Seely
  • Patent number: 11336631
    Abstract: An authorization method by an application stored in a memory includes obtaining, by the application, a client identifier of a client that is generated by a user center; performing, based on the client identifier, permission verification on an authorization credential, in response to authorization information being received by the application, wherein the authorization information includes the authorization credential and the authorization credential is sent by the user center to the client; and allowing access of the client to the application in response to the permission verification on the authorization credential succeeding.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: May 17, 2022
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Shengquan Zhang, Kaiquan Chen, Aihua Li
  • Patent number: 11336435
    Abstract: This specification describes techniques for processing service requests. An electronic credential request including a user identifier is received from a client. An electronic credential that corresponds to the user identifier and a user public key that corresponds to the user are retrieved. A hash operation is performed on the user public key and the electronic credential by using a hash algorithm to obtain a hash value that is signed within a predetermined time period. Server signature information is generated using the hashed credential, and transmitted with the electronic credential to the client. The server signature information is cryptographically verifiable by the client and enables the client to generate a two-dimensional barcode based on the electronic credential.
    Type: Grant
    Filed: June 7, 2021
    Date of Patent: May 17, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Lingnan Shen, Ge Chen, Yanghui Liu, Huifeng Jin
  • Patent number: 11323260
    Abstract: One embodiment provides a method and system for identity verification. During operation, a digital identity client executing on a computer receives an identity-verification request comprising an identifier of a user, sends a query for available identity-verification services to an identity-verification-service-publishing blockchain, determines an identity-verification server based on a result of the query, interacts with the determined identity-verification server to complete identity verification of the user, generates a public-private key pair comprising a public key and a private key corresponding to the identifier of the user, and stores, in an identity-verification blockchain, identity-verification information associated with the user. The identity-verification information comprises at least a hash value of the public key, thereby facilitating subsequent identity verification of the user based on the identity-verification information stored in the identity-verification blockchain.
    Type: Grant
    Filed: January 29, 2021
    Date of Patent: May 3, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Zhiwei Wang, Wenbo Yang
  • Patent number: 11310262
    Abstract: An apparatus is provided including at least one platform; an intrusion prevention system configured to communicatively couple with the at least one platform; a firewall configured to communicatively couple with the at least one platform; at least one first data storage configured to communicatively couple with the at least one platform; and at least one second data storage configured to communicatively couple with the at least one platform. The at least one platform is configured to perform a plurality of operations that collectively protect one or more networked devices.
    Type: Grant
    Filed: October 29, 2021
    Date of Patent: April 19, 2022
    Assignee: Security Profiling, LLC
    Inventors: Brett M. Oliphant, John P. Blignaut
  • Patent number: 11303462
    Abstract: Systems and methods of authentication and encrypted communication between a server and client using independently-generated shared encryption keys are disclosed. Clients with arrays of physical-unclonable-function devices respond to server-issued challenges. The clients derive encryption keys from responses to those challenges generated by measuring PUF devices specified by the challenges. The clients send messages encrypted with the encryption keys to the server. The server independently reproduces the client-generated encryption keys using information about the PUF devices. When the keys match, the clients are authenticated. It may be desirable to inject errors into the challenge responses generated by the clients to improve security. When errors are injected, attackers cannot determine correct challenge responses except by brute force.
    Type: Grant
    Filed: November 14, 2019
    Date of Patent: April 12, 2022
    Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
    Inventor: Bertrand F Cambou
  • Patent number: 11283828
    Abstract: A method, computer program product and computer system to analyze network vulnerability expansion is provided. A processor receives network infrastructure data regarding a network. A processor identifies a plurality of vulnerabilities associated with one or more components of the network. A processor generates an architecture model based, at least in part, on the network infrastructure data and the plurality of vulnerabilities. A processor generates a vulnerability expansion model based, at least in part, on the architecture model. A processor determines a vulnerability expansion based, at least in part, on the vulnerability expansion model and at least one vulnerability of the plurality of vulnerabilities being compromised.
    Type: Grant
    Filed: January 17, 2020
    Date of Patent: March 22, 2022
    Assignee: International Business Machines Corporation
    Inventors: Simone Riccetti, Tamer Aboualy, Nevenko Zunic
  • Patent number: 11277401
    Abstract: The disclosed systems and techniques enable data integrity checks by an enterprise system to verify that a local alias address matches an alias maintained by an aliasing system. More generally, the disclosed systems and techniques enable an enterprise system to use alias addresses (e.g., email addresses, phone numbers) for users while avoiding storing and managing the users' personal addresses. For example, the enterprise system may forward personal addresses (e.g., received from a user) to a relay or aliasing server configured to generate alias addresses (e.g., alias email addresses or alias phone numbers) based on the personal addresses. The aliasing server may operate as a “middle man” that receives emails, phone calls, or text messages directed to the alias addresses and that forwards the messages to the personal addresses (when appropriate).
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: March 15, 2022
    Assignee: JOINESTY, INC.
    Inventors: Robert Jeffrey Yoskowitz, Stephen Michael Yoskowitz, Elder Donizetti Dos Santos, José Carlos De Souza Bueno, Jr.
  • Patent number: 11256803
    Abstract: A selection apparatus includes a macro analysis unit that acquires a macro feature amount from a macro in a document file to which the macro is added, a text analysis unit that acquires a text feature amount from text in the document file, a cluster analysis unit that performs clustering using the macro feature amount and the text feature amount, and a selection unit that selects an analysis target document file based on a cluster analysis result, and is able to efficiently and accurately select the macro-added document file to be analyzed.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: February 22, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Toshinori Usui, Makoto Iwamura, Takeshi Yada
  • Patent number: 11258771
    Abstract: Disclosed herein are systems and methods for securely sending user data. In an exemplary aspect, a trusted party device may receive a request for user data and a first hash of the request stored in a distributed registry. In response to verifying that the first hash matches a hash of the request as calculated by the trusted party device, the trusted party device may generate and transmit both a confirmation request to send the user data and a second hash of the confirmation request to an authorized user device. The trusted party device may receive, from the authorized user device, both a confirmation message and a third hash of the confirmation message stored in the distributed registry. In response to verifying that the third hash matches a hash of the confirmation message as calculated by the trusted party device, the trusted party device may send the requested user data.
    Type: Grant
    Filed: February 14, 2020
    Date of Patent: February 22, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Alexander V. Sazonov, Roman V. Aleshkin, Alexander S. Korunov, Maxim V. Riveiro