Abstract: The present invention discloses a method of processing a data transfer request securely over a network, the method comprising the steps of obtaining, by a first entity, a first token associated with sensitive data received from a user; associating the first token with a token reference and storing the token reference; sending the token reference to a second entity; requesting a second token from a second entity upon receiving a data transfer request from a third entity, wherein the second token is derived from the first token using an ad hoc logic; and processing the data transfer request using the second token.

Abstract: Embodiments of the invention relate to systems, methods, and computer program products for resource origination tracking, the invention including: electronically receiving, from a first user device associated with a first user, a digital resource and a set of distribution rules associated with the digital resource; creating an NFT associated with the digital resource; predicting, via a machine learning engine, a value of the NFT; electronically receiving, from a second user device associated with a second user, a request to complete a resource transfer; transferring ownership of the NFT associated with the digital resource from the current owner to the second user; and transmitting, to a managing entity system, instructions to transfer, from an account associated with the second user, a first amount of financial resources to an account associated with the current owner and a second amount of financial resources to an account associated with the first user.

Abstract: Disclosed are an apparatus and a method for estimating a system state. Accordingly, it is possible to perform Resilient State Estimation (RSE) that is robust to disturbance and is autonomously restored from sensor attack/failure.

Abstract: Methods and systems are disclosed herein for authenticating a user. A security device may use an object associated with a user and a device of the user to authenticate the user, for example, if the user has forgotten a password. A user may insert the object (e.g., a card, or other object) into the security device and may select an option to authenticate via a device that is trusted by both the security device and the user, rather than authenticating by entering a password at the security device.

Abstract: A biometrics hub may establish a session with a first biometric device, receive first biometric data of a user from the first biometric device, establish a session with a second biometric device, receive second biometric data of the user from the second biometric device, and store the first biometric data and the second biometric data at the biometrics hub. The biometrics hub may further detect a power event associated with at least one of the first biometric device or the second biometric device, and change, in response to detecting the power event, a schedule for processing at least one of the first biometric data or the second biometric data.

Abstract: Auditing data containing sensitive data are stored in a data structure comprising data objects. Each data object comprises one or more pairs of a name and a value. Pairs that are flagged or identified as containing sensitive data are partially encrypted; the value is encrypted using an asymmetric key and the name corresponding to the encrypted value remains unencrypted. Some pairs that are not flagged or identified as containing sensitive data are left unencrypted. Unencrypted data may be stored in the partially encrypted auditing data as plain text. The auditing data may be analyzed to generate business metrics and identify application errors. The auditing data may also be queried, and data objects containing unencrypted pairs and/or partially encrypted pairs may be returned based on matching unencrypted names and/or values to the data query.

Abstract: A gate open/close control device (face authentication machine) includes a face image acquirer (camera) that captures a user before passing through a gate device (external device) and acquires a face image for authentication of the user; a transmitter (communicator) that transmits a processing request for face authentication to the face collation server based on the face image for authentication; a receiver (communicator) that receives the authentication result returned from the face collation server; and a controller that reflects the authentication result on an open/close control signal of the gate device.

Abstract: Case management systems and techniques are disclosed. In various embodiments, a hierarchical document permission model is received, the model describing a document hierarchy comprising a plurality of hierarchically related document nodes and defining for each of at least a subset of said document nodes one or more document roles and for each such role one or more document permissions with respect to that document node. The hierarchical document permission model is used to determine and enforce permissions with respect to case management instances to which the hierarchical document permission model applies.

Abstract: Methods and systems of data de-tokenization are described herein to provide solutions to utilizing tokenized data files. A de-tokenization service controller may extract instances of tokenized data by determining a schema associated with a tokenized file, wherein the schema identifies which fields contain tokenized data. A decryption system may decrypt the tokens and send decrypted sensitive values to the de-tokenization service controller. The de-tokenization service controller may then generate a de-tokenized data file comprising a plurality of records corresponding to the plurality of original tokenized records, using the decrypted sensitive values in place of the instances of tokenized data. In some embodiments, the methods may further comprise generating a validated file by adding one or more fields indicating the results of validation based on a set of validation rules.

Abstract: A method at a first domain for obtaining at least one insight from a second domain, the method including registering an application with an anchor in the first domain; providing, from the anchor to the application, a first message signed by the anchor; sending, from the first domain to a network domain, the signed message; receiving, from the network domain, at least one signed token, each of the at least one signed token being for a synthetic sensor on the second domain, where the synthetic sensor provides an insight; sending a request message to the second domain, the request message requesting the insight and including the at least one token; and receiving the insight from a synthetic sensor associated with the at least one token.

Abstract: A system protects personally identifiable information (PII) by implementing an unconventional key management scheme. In this scheme, the system uses a set of keys rather than an individual key for encrypting PII. Different portions of the PII are encrypted using different keys from the set of keys. In this manner, even if a malicious user were to access a key, that key would not give the malicious user the ability to decrypt all of the PII. Additionally, the system generates a new set of keys periodically (e.g., once a month). The system also deletes sets of keys that are too old (e.g., six months old). As a result, even if a malicious user were to access a key, the usefulness of that key would be time limited.

Abstract: Systems and methods are provided for persistent login. Such persistent login may be based on linking user identity across accounts of different entities to allow each entity to maintain control over their respective sets of user data, while providing a streamlined user experience that avoids much of the repetitive need to login to different services with different login credentials (e.g., during periods of heavy use). Such persistent login may utilize a set of tokens issued and exchanged between devices of the partnering entities. Such tokens may include an access token, refresh token, and identity token. When a user associated with a first entity requests access to information secured by a second entity, such request may be associated with the access token. If the access token is determined to be expired, the refresh token may be used to refresh the access token, which may also trigger issuance of a new refresh token.

Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.

Abstract: A method by a management node for managing a device operable to join a network includes receiving from the device a request to join the network, the request including a device specific parameter and a token, and generating an authentication parameter from the device specific parameters and the token. The method further includes authorising the device to join the network if the authentication parameter fulfils a validity criterion. Generating an authentication parameter from the device specific parameters and the token includes generating an input including the device specific parameters and the token, computing a cryptographic function of the generated input, and setting an output of the cryptographic function as the authentication parameter. Also disclosed are a method for operating a device, a management node, a device and a computer program.

Abstract: A communication terminal includes a memory in which identification information associated with a user is stored, a controller that carries out authentication of the user, and a communication interface that transmits a signal including the identification information. When user authentication is successful, the controller sets the communication terminal to a first state in which the signal is transmitted to an external apparatus, and when user authentication is not successful, the controller sets the communication terminal to a second state in which the signal is not transmitted to the external apparatus.

Abstract: Systems and methods for providing decentralized tokenization with mapping data devoid of sensitive data. A node receives a set of index-key pairs generated by a randomization service external to the node. Each index-key pair in the set of index-key pairs defines a particular index value mapped to a particular random key value. The node creates a mapping structure using the set of index-key pairs. Data-in-transit comprising sensitive data is received. A tokenization service of the node generates a token for the sensitive data using the mapping structure.

Abstract: An authentication system supports multi-factor authentication (MFA) when authenticating the identity of a user. A challenge-response portion of the authentication process is delegated to an MFA device—a secondary device within control of the user, but separate from the primary login device that the user is using when initiating the authentication. Communications between the MFA device and the login device are conducted using a short-range wireless communication protocol (e.g., Bluetooth™ or NFC), so that the two devices must be in close physical proximity to each other.

Abstract: A self-service lender portal provides lenders with a suite of tools for interacting with a multi-lender architecture configured to provide loan applicants with automated pre-qualification and eligibility evaluation for multiple candidate lenders. The lender portal provides lenders with an interface for uploading rule sets defining lending and eligibility criteria, downloading operational data generated from processing loan applicant information, generating and managing security keys for encryption and decryption of sensitive data, and managing access policies for providing single sign-on by interfacing with the lender's own identity management systems.

Abstract: A system and method is disclosed for a digital identity (DI) management platform. A carbon identification may be generated to include personal information unique to a user. The personal information may be authenticated by an external entity (e.g., governmental agency) to the digital identity management platform. A silicon identification may be generated for multiple devices registered to the user and may include a unique identifier for each device. A digital identity may be generated that links the carbon identification and the silicon identification The digital identity may be stored within a digital wallet accessible on each device by a user profile created and secured using a blockchain process. A request to access the personal information stored within the digital identity may be received and a predefined trust level will determine the amount of personal information to be provided.

Abstract: Some embodiments are directed to a container builder (110) for building a container image for providing an individualized network service based on sensitive data (122) in a database (121). The container builder (110) retrieves the sensitive data (122) from the database (121), builds the container image (140), and provides it for deployment to a cloud service provider (111). The container image (140) comprises the sensitive data (122) and instructions that, when deployed as a container, cause the container to provide the individualized network service based on the sensitive data (122) comprised in the container image (140).