Patents Examined by Joshua Raymond White
  • Patent number: 11265172
    Abstract: A system for supporting Enhanced Privacy Identification (EPID) is provided. The system may include a host processor operable to communicate with a remote requestor, where the host processor needs to perform signature revocation checking in accordance with EPID. To perform signature revocation checking, the host processor has to perform either a sign or verify operation. The host processor may offload the sign/verify operation onto one or more associated hardware acceleration coprocessors. A programmable coprocessor may be dynamically configured to perform the desired number of sign/verify functions in accordance with the requirements of the current workload.
    Type: Grant
    Filed: December 21, 2018
    Date of Patent: March 1, 2022
    Assignee: Intel Corporation
    Inventors: Ned Smith, Rajesh Poornachandran, Sundar Nadathur, Abdul M. Bailey
  • Patent number: 11257076
    Abstract: Systems, methods and devices for validating and performing operations on homomorphically encrypted data are described herein. The methods include securely transmitting and extracting information from encrypted data without fully decrypting the data. A data request may include an encrypted portion including a set of confidential data. One or more sets of encrypted comparison data may be then retrieved from a database in response to the data request. The encrypted set of confidential data from the data request is then compared with each set of encrypted comparison data using one or more homomorphic operations to determine which set of encrypted comparison data matches the encrypted set of confidential data. If there is a match, this validates the set of confidential data. An encrypted indicator is then generated indicating success or failure in validating the set of confidential data, which may then be forwarded to a party associated with the data request.
    Type: Grant
    Filed: March 27, 2017
    Date of Patent: February 22, 2022
    Assignee: Shield Crypto Systems Inc.
    Inventors: Glenn Gulak, Alhassan Khedr
  • Patent number: 11212103
    Abstract: Systems, methods, and apparatuses for protecting a secret on a device with limited memory, while still providing tamper resistance, are described. To achieve security, an encoding computer can apply a memory-hard function MHF to a secret S and determine a result Y, then determine a proof π for the result Y. Then, the encoding computer can send a codeword C comprising the secret S and the proof π to a decoding computer. The decoding computer can retrieve the codeword C from persistent memory and parse the secret S and the proof π. The decoding device can use transient memory to decode the codeword C by verifying the proof π was generated with the secret S and the result Y. When the correctness of the result Y is verified, the decoding device can apply a cryptographic function to input data using the secret S then reset the transient memory.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: December 28, 2021
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Pratyay Mukherjee, Binyi Chen, Yilei Chen
  • Patent number: 11205017
    Abstract: Embodiments are directed to post quantum public key signature operation for reconfigurable circuit devices. An embodiment of an apparatus includes one or more processors; and a reconfigurable circuit device, the reconfigurable circuit device including a dedicated cryptographic hash hardware engine, and a reconfigurable fabric including logic elements (LEs), wherein the one or more processors are to configure the reconfigurable circuit device for public key signature operation, including mapping a state machine for public key generation and verification to the reconfigurable fabric, including mapping one or more cryptographic hash engines to the reconfigurable fabric, and combining the dedicated cryptographic hash hardware engine with the one or more mapped cryptographic hash engines for cryptographic signature generation and verification.
    Type: Grant
    Filed: June 28, 2019
    Date of Patent: December 21, 2021
    Assignee: INTEL CORPORATION
    Inventors: Vikram Suresh, Sanu Mathew, Rafael Misoczki, Santosh Ghosh, Raghavan Kumar, Manoj Sastry, Andrew H. Reinders
  • Patent number: 11190541
    Abstract: An object is to provide a monitor device capable of reducing threat of DoS attacks on a mobile network. A monitor device (10) according to the present invention includes a signal monitor unit (11) for estimating a specific base station communicating with a communication terminal (30) attacking a mobile network according to the number of times an ATTACH procedure is rejected, in which the ATTACH procedure is for registering information about a communication terminal (30) communicating with a base station (20) in a communication device (40) located in the mobile network, and a base station control unit (12) for causing the specific base station to determine whether to execute the ATTACH procedure related to a communication terminal served by the specific base station according to communication terminal identification information set in a signal transmitted from the communication terminal served by the specific base station.
    Type: Grant
    Filed: July 4, 2016
    Date of Patent: November 30, 2021
    Assignee: NEC CORPORATION
    Inventors: Kazuaki Nakajima, Shinji Masuda, Toshiyuki Tamura, Hidemi Ishikawa, Masayuki Shinsho
  • Patent number: 11163862
    Abstract: A method, computer system, and a computer program product for authenticating a user in a computing system is provided. A corresponding method comprises validating one or more user snapshots of the user that should have been acquired in corresponding acquisition conditions according to their match with the corresponding acquisition conditions; the user snapshots are then sent (at least in part) to one or more authenticators requesting them to identify the user. A computer program and a computer program product for performing the method are also proposed. Moreover, a corresponding system is proposed.
    Type: Grant
    Filed: May 16, 2018
    Date of Patent: November 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Fabio Barillari, Francesca Curzi, Stefano Ferrari, Luca Landi, Giuseppe Longobardi, Ugo Madama, Franco Mossotto, Riccardo Pizzutilo, Vincenzo Spinelli
  • Patent number: 11139982
    Abstract: Techniques are provided for communication-efficient device delegation. One method comprises, in response to a request for a new signing key of a given device, determining a number of new signing key requests received for the user of the given device; determining a new public verification key of the given device for an identity-based signature scheme by traversing a cryptographic hash chain backwards from a position of an initial selected value of the cryptographic hash chain; computing a new signing key based on public parameters and secret parameters of a backup component and the initial selected value; and providing the new public verification key and the new signing key to the given device. The given device authenticates to an authentication service using an identity-based signature computed using the new signing key. The request for the new signing key is submitted, for example, when the given device is lost, damaged, unavailable or stolen.
    Type: Grant
    Filed: January 30, 2019
    Date of Patent: October 5, 2021
    Assignee: RSA Security LLC
    Inventors: Zulfikar A. Ramzan, Salah E. Machani
  • Patent number: 11128465
    Abstract: A request to identify a data value may be received via a network at a designated one of a plurality of identity nodes. A query that includes the data value may be transmitted to an identity service associated with the designated identity node. A response message from the identity service may include one or more designated network identifiers corresponding with the data value. The designated identity node may communicate with the plurality of identity nodes to identify a plurality of network identifiers corresponding with the data value. A trust ledger may be updated to include a correspondence between a selected one of the network identifiers and the data value.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: September 21, 2021
    Assignee: Salesforce.com, Inc.
    Inventors: Hal Scott Hildebrand, Prithvi Krishnan Padmanabhan
  • Patent number: 11113675
    Abstract: A method for using unified transaction services in a multi-tenant architecture system is discussed. The method includes receiving a request, at a first service provider, to provide a first transaction service for a user. The method includes accessing a first representation of the first service provider in a first hierarchical data structure, the first hierarchical data structure being managed by a second service provider, the second service provider managing user identity of the user. The method includes determining, based on the first representation, that transaction resources required for completion of the first transaction service are provided at the second service provider using a resource representation. The method also includes, responsive to determining that the transaction resources are accessible at the first service provider, accessing, at the first service provider, the transaction resources via the resource representation.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: September 7, 2021
    Assignee: PayPal, Inc.
    Inventors: Prashant Jamkhedkar, Aravindan Ranganathan, Sandeep Kumar, Norihiro Aoki, Justin White, Jeffrey Meyer
  • Patent number: 11082226
    Abstract: For each data value associated with a data object, a respective object value identification query message that includes the data value may be sent to each of a plurality of identity nodes via a network. For each of the data values, a respective object value identification response message that includes a respective network identifier corresponding with the respective data value may be received. A local identifier may be determined based on the object value identification response messages, and a response query message including the local identifier may be transmitted.
    Type: Grant
    Filed: March 6, 2019
    Date of Patent: August 3, 2021
    Assignee: Salesforce.com, Inc.
    Inventors: Hal Scott Hildebrand, Prithvi Krishnan Padmanabhan
  • Patent number: 11055719
    Abstract: A method for processing disputes in a multi-tenant architecture system includes receiving, at a first service provider, a dispute request from a second service provider that manages entity identities of a plurality of customers. The dispute request indicates a disputed transaction between a customer of the plurality of customers and another entity. The method includes accessing an identity manager to determine a customer representation, the identity manager previously onboarded the plurality of customers as a plurality of customer representations. The identity manager is hosted by the first service provider that manages customer representations corresponding to entity identities of the customers. The dispute request is propagated with the customer representation to a dispute management engine that determines an outcome for the dispute, the determination based on characteristics of the disputed transaction and on characteristics of the customer.
    Type: Grant
    Filed: December 28, 2018
    Date of Patent: July 6, 2021
    Assignee: PAYPAL, INC.
    Inventors: Prashant Jamkhedkar, Aravindan Ranganathan, Sandeep Kumar, Mavendra Sharma, Norihiro Aoki, Justin White, Jeffrey David Meyer
  • Patent number: 11042643
    Abstract: Systems, apparatuses and methods may provide for establishing a hardware-based chain of trust in a computing system and extending the hardware-based chain of trust to a container manager and a containerized application on the computing system. Additionally, the containerized application may be checked for its trust and security while it is launched, via the container manager, on the computing system. In one example, extending the hardware-based chain of trust includes conducting a pre-boot measurement of the container manager, a root of trust measurement agent, and one or more packages associated with the containerized application, and verifying the pre-boot measurement of the platform/host and the application itself prior to the containerized application being launched.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: June 22, 2021
    Assignee: Intel Corporation
    Inventors: Abhishek Gupta, Yeluri Raghuram
  • Patent number: 11044351
    Abstract: Methods, apparatuses, and computer readable media for location measurement reporting in a wireless network are disclosed. An apparatus of a responder station is disclosed, the apparatus comprising processing circuitry configured to derive bits from a temporary key, and generate a first sequence and a second sequence using the bits, wherein the first sequence and second sequence comprise one or more symbols. The processing circuitry is further configured to concatenate the first sequence and the second sequence to form a new first sequence comprising the first sequence and the second sequence, and concatenate a modified first sequence and a modified second sequence to form a new second sequence. The processing circuitry may be configured to repeat a number of times the concatenate the first sequence through the concatenate the modified first sequence.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: June 22, 2021
    Assignee: Intel IP Corporation
    Inventors: Qinghua Li, Feng Jiang, Assaf Gurevitz, Robert J. Stacey, Huaning Niu, Yuan Zhu, Jonathan Segev
  • Patent number: 11030329
    Abstract: A method for using unified identities in a multi-tenant architecture system is discussed. The method includes receiving a request, at a first service provider, to provide a service for a user. The method includes accessing a representation of a second service provider in a first hierarchical data structure managed by the first service provider. The method includes determining that user data required for the service is managed by the second service provider that manages user identity of the user. The method includes determining that the representation is linked with a full identity reference for the second service provider in a second hierarchical data structure managed by the second service provider. The method includes accessing the user data at the second hierarchical data structure using the full identity reference. The method includes accessing the service via the lightweight identity reference and using the user data at the first service provider.
    Type: Grant
    Filed: June 15, 2018
    Date of Patent: June 8, 2021
    Assignee: PayPal, Inc.
    Inventors: Prashant Jamkhedkar, Aravindan Ranganathan, Sandeep Kumar, Norihiro Aoki, Justin White, Jeffrey Meyer
  • Patent number: 11032316
    Abstract: An online system detects imposter pages based on machine learning techniques. The online system maintains a plurality of authenticated pages and a plurality of unauthenticated pages, each of which is associated with a name and an image. From the plurality of unauthenticated pages, the online system filters out one or more unauthenticated pages that are associated with names of authenticated pages to obtain a group of candidate pages. Further, the online system pairs each candidate page up with an authenticated page. The candidate page has a name and/or image similar to the authenticated page. The online system inputs the candidate page and the authenticated page into a trained model. The trained model outputs an imposter score indicating a likelihood that the candidate page is an imposter page. The online system takes actions on the candidate page based on the imposter score.
    Type: Grant
    Filed: December 11, 2018
    Date of Patent: June 8, 2021
    Assignee: Facebook, Inc.
    Inventor: Ravneet Singh Sidhu
  • Patent number: 11012860
    Abstract: This invention relates to a method for granting, for a mobile device which is not provisioned with a subscription to access a wireless network, the establishment of an initial wireless communication over a second wireless network (Se-PLMN) operated by a second wireless network operator (Se-MNO), the mobile device belonging to a user, the method comprising the steps of: receiving (801) by the second wireless network (Se-PLMN) an identifier of the mobile device; verifying (802), in an immutable distributed database hosted by a first wireless network operator (Fi-MNO) and the second mobile network operator (Se-MNO) in which data is replicated across a plurality of compute nodes of a network, if at least a published assertion comprising said identifier of the mobile device demonstrates that the user owns a first subscription to the first mobile network operator (Fi-MNO), said subscription allowing said first operator (Fi-MANO) to be charged by the second mobile network operator (Se-MNO) for the establishment of a
    Type: Grant
    Filed: May 22, 2017
    Date of Patent: May 18, 2021
    Assignee: Thales Dis France SA
    Inventors: Ly Thanh Phan, Ilan Mahalal
  • Patent number: 11003772
    Abstract: Disclosed are systems and methods for adapting a pattern of dangerous behavior of programs. A teaching module may load into an activity monitor the pattern and establish a first usage mode for it, during which the activity monitor detects threats that correspond to that pattern, but does not perform actions for their removal. Later, in the course of a teaching period, the activity monitor detects threats based on the detection of events from the mentioned pattern. If the events have occurred as a result of user actions, and the events have a recurring nature or are regular in nature, the teaching module adds parameters to the pattern which exclude from subsequent detection those events or similar events. Upon expiration of the teaching period, the teaching module converts the pattern of dangerous behavior of programs to the second usage mode, during which threats are detected using the modified pattern and removed.
    Type: Grant
    Filed: June 18, 2018
    Date of Patent: May 11, 2021
    Assignee: AO Kaspersky Lab
    Inventors: Mikhail A. Pavlyushchik, Yuri G. Slobodyanuk, Alexey V. Monastyrsky, Vladislav V. Martynenko
  • Patent number: 10970410
    Abstract: A data protection system is provided that allows applications to access protected data in a way that restricts applications from outputting to unauthorized targets any unprotected data derived from the protected data and that ensures that the applications do not have access to a key that allows access to the unprotected data. The data protection system provides a policy server that may execute on a service node of a high performance computing system and a data encryption process that may execute on each compute node that is allocated to an application or batch job. The policy server maintains policies of entities specifying access control for protected data. The data encryption process generates a secure execution environment for an application process and interfaces with the policy server to retrieve keys for decrypting protected data in accordance with a policy, and it decrypts and provides the decrypted data to the application process.
    Type: Grant
    Filed: October 26, 2017
    Date of Patent: April 6, 2021
    Assignee: Lawrence Livermore National Security, LLC
    Inventors: Peter Barnes, Daniel Fedor-Thurman, Kyle D. Halliday
  • Patent number: 10958649
    Abstract: Among other things, this document describes systems, methods, and apparatus for monitoring and protecting a user credential issued by an organization when that credential is used outside that organization's network security perimeter. For example, a reverse proxy server (RPS) receives a client request directed to a content provider's site. The RPS initiates a process that involves parsing the request message and extracting a user credential. The RPS locates a credential policy from the credential owner based on the user credential. The RPS can issue an API request to a credential service that is authoritative for the credential. That credential service may return a directive to the RPS specifying how to handle the client request message. Preferably, the operation is transparent to the content provider whose site was the target of the client's request message. Activity records can be presented in visualizations that enhance security analysts' tactical comprehension at a glance.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: March 23, 2021
    Assignee: Akamai Technologies, Inc.
    Inventors: Emile Delcourt, Harish Somaraddi, Tadhg Pearson, Branko Matijasevic, Blair Charles Caple
  • Patent number: 10949502
    Abstract: The disclosure is related to a data management platform (“platform”) for providing a secure storage environment for digital contents associated with a user. The platform may be accessible via an app installed on a user device, which allows the user to upload, modify, and view digital contents. Because a digital content is mapped to a universal scaffold in a structured format, the platform can organize and display the digital contents in meaningful ways. The digital contents can be hosted on a remote server. The platform provides zero-knowledge encryption so that the digital contents stored at the server are secure, as in one cannot know the contents of the encrypted information stored at the server. The platform also facilitates zero-knowledge offers in which offers are sent to multiple users but the server does not know to which users the offers are presented until an offer is accepted by the user.
    Type: Grant
    Filed: June 1, 2018
    Date of Patent: March 16, 2021
    Assignee: THINKSPAN, LLC
    Inventors: Brian Samuel Taylor, Matthew Maxwell Murphy, James Michael Faris