Abstract: Certain embodiments of the disclosure disclose a method and a device, the device including a display, a camera module disposed under the display, at least one light source disposed to correspond to the camera module, a memory, and a processor operatively connected to the display, the camera module, the light source, and/or the memory. The processor may be configured to drive the camera module and the at least one light source in response to a request for biometric authentication, acquire a face image from the camera module, analyze the face image produced at least in part by light emitted from the driven at least one light source, and perform the biometric authentication based on the analysis result. Other embodiments are possible.

Abstract: A delegated biometric authentication system and related methods are disclosed. Using the system, a user can securely delegate biometric authentication to a public device from his communication device. This public device may be an Internet of things device that is not owned by the user, such as a computer, smart TV, tablet, etc. The public device may operate in a public place, such as a hotel or library. The communication device may be the users own smartphone or tablet, etc. A fuzzy vault process can be used to store the user's biometric template in the system Embodiments preserver the user's privacy without compromising authentication security and user convenience.

Abstract: Techniques are taught for detecting threats to data by monitoring encryption key activity. The disclosed techniques include methods and systems for collecting and analyzing encryption key activity, relating this activity to object data and comparing it against a defined policy. They also include reporting policy violations in the form of notifications and alerts. Distributed implementations of the present techniques deploy various modules and services at remote/local as well as global/central sites. When network connectivity between a remote site and a central site is unreliable, a local policy engine and a local activity analyzer service monitor key activity at the remote site and detect policy violations. When network connectivity is restored, they synchronize with their global counterparts.

Abstract: A communication method, apparatus, and system are provided, to resolve problems in a conventional technology that an AKMA authentication procedure is complex and signaling overheads are large. Principles of the method are as follows: In a registration procedure of a terminal device, AKMA authentication is implicitly indicated based on primary authentication. For example, if primary authentication succeeds, it may be considered that AKMA authentication also succeeds. In addition, an AKMA temporary identifier is allocated to the terminal device after AKMA authentication succeeds. According to the method, apparatus, and system in this application, no additional AKMA authentication is required. This simplifies a procedure and reduces signaling overheads.

Abstract: This disclosure provides systems, methods, and devices for wireless communication that support improved routing of image sensors that share a PHY within different secure domains. In a first aspect, a device may receive a packet from an image sensor along a physical data connection. The device may determine a virtual channel associated with the packet and may determining a secure domain for the packet based on the virtual channel. The first secure domain may be selected from a plurality of secure domains accessible via the physical data connection, such as based on a mapping maintained by the device. The device may then route the packet within the first secure domain such that further processing and storage of the packet occurs within the first secure domain, such as within a context base associated with the first secure domain. Other aspects and features are also claimed and described.

Abstract: Systems and methods for performing vehicle software attestation. One system includes an electronic control unit (ECU) master included in a vehicle and a verifier system. The ECU master receives a digital shadow request generated by the verifier system and generates a digital shadow. The digital shadow is based on a unique, one-way identifier of a program memory space of the ECU master and a unique, one-way identifier of a program memory space of each of a plurality of other ECUs included in the vehicle. The ECU master transmits the digital shadow to the verifier system. The verifier system receives the digital shadow from the ECU master as a first digital shadow, receives a second digital shadow from a digital twin representing software installed in the ECU master and each of the plurality of other ECUs, and determines whether the first digital shadow matches the second digital shadow.

Abstract: Secure data analytics is provided via a process that identifies sensitive data fields of an initial dataset and mappings between the sensitive data fields and other data fields of the dataset, where analytics processing is to be performed on the initial dataset, then, based on an expectation of data fields, of the initial data set, to be used in performance of the analytics processing and on the identified sensitive data fields, selects and applies a masking method to the initial dataset to mask the sensitive data fields and produce a masked dataset, provides the masked dataset to an analytics provider with a request for the analytics processing, and receives, in response, a generated analytics function, generated based on the masked dataset, that is configured to perform the analytics processing, and invokes the generated analytics function against the initial dataset to perform the analytics processing on the initial dataset.

Abstract: A method for recognising a user whose body is capable of re-transmitting an electromagnetic signal in the form of an electromagnetic wave. The method is implemented on a transceiver device and includes the following steps on the device: transmitting an electromagnetic pulse signal; obtaining a re-transmitted signal when the user is in the vicinity of the device, the signal depending on the transmitted pulse signal; comparing the re-transmitted signal with at least one reference signal of the user; and recognising the user if the re-transmitted signal is close to the reference signal.

Abstract: Blockchain-based systems and methods are used to control access to property. One system includes a mobile device, a key fob, and a server. The mobile device generates an encrypted code and transmits it to the key fob. The key fob transmits the encrypted code to the property and the server updates a log of the key fob in a hyper ledger. The property includes a computing device that validates the encrypted code and grants a key fob user access to the property. Another system includes a server that validates an access key and a first station that transmits an access key to a second station via the server and a satellite. The second station transmits data to the first station via the server and the satellite. The server saves a transmission log in a hyper ledger and transmits the access key in response to a request by the first station.

Abstract: A method for setting access rights to project data in an application by defining an area of authority for a user, includes: determining a plurality of fields of data for a project in the application; determining a topology of one or more fields, from among the determined plurality of fields, for which the area of authority is to be settable; setting an area of authority for a registered user of the application, based on a field of the determined topology; and preventing access by the registered user to data for which a value of the field does not comply with the set area of authority.

Abstract: When personally identifiable information (PII) is to be stored or updated, a system first seeks consent from the user for the PII store or update. If the user grants consent, then the system stores the PII in the user's personal device or updates the PII stored in the user's personal device. The system then retrieves that PII and generates a token representing that PII. Even if the token were taken by a malicious user, it would not be possible for the malicious user to determine the user's actual PII from the token. In this manner, the security of the PII is improved over conventional systems.

Abstract: Techniques for managing an application token may include providing, by a first service provider application on a communication device to a first service provider computer, a first request for a first application token, receiving, by an account management application on the communication device from a token service computer in communication with the first service provider computer, the first application token, and storing the first application token in a token container in the account management application.

Abstract: Embodiments are directed to protection of communications between a trusted execution environment and a hardware accelerator utilizing enhanced end-to-end encryption and inter-context security. An embodiment of an apparatus includes one or more processors having one or more trusted execution environments (TEEs) including a first TEE to include a first trusted application; an interface with a hardware accelerator, the hardware accelerator including trusted embedded software or firmware; and a computer memory to store an untrusted kernel mode driver for the hardware accelerator, the one or more processors to establish an encrypted tunnel between the first trusted application in the first TEE and the trusted software or firmware, generate a call for a first command from the first trusted application, generate an integrity tag for the first command, and transfer command parameters for the first command and the integrity tag to the kernel mode driver to generate the first command.

Abstract: Providing access control to distributed resources, including storing, at a computing dock coupled to an information handling system, a local access database indicating verified credentials of one or more users; receiving, at the computing dock, a request for access to a resource coupled to the computing dock; providing, in response to the request for access, an authentication request to an authentication system; in response to the authentication request, providing, by the computing dock, an authentication challenge to the information handling system; receiving, at the computing dock and in response to the authentication challenge, user credentials at the authentication system; verifying, at the authentication system, the user credentials against the local access database; providing, based on the verified user credentials, an authorization token to the first device; and allocating, based on the authorization token, access to the resource to the information handling system.

Abstract: In order to provide a control apparatus that enhances security of a radio communication system run by a user, the control apparatus including an acquisition section and a registration section, the acquisition section being configured to acquire subscriber information in which at least authentication information is encrypted, and the registration section being configured to register the acquired subscriber information in a database included in a core network. The control apparatus may further include an authentication section configured to decrypt the encrypted authentication information, and use the decrypted authentication information and authentication information included in a connection request from a terminal apparatus to the core network to authenticate the terminal apparatus.

Abstract: Systems and methods are described for preserving the privacy of a user in connection with an extended reality (XR) application. The system and methods may receive, by an interposer application, image data from a video capture driver and determine, by the interposer application and based on privacy preferences of a user profile, whether a region of the image data comprises sensitive content. In response to determining that a region of the image data comprises sensitive content, the image data may be modified by applying, by the interposer application, a modification to the region of the image data. The modified image data may be provided by the interposer application to the XR application, wherein the wherein the XR application may be prohibited from directly accessing data from the video capture driver.

Abstract: In some implementations, a server device may receive, from a client device, a login credential associated with a user and a request to access a resource. The server device may identify a confidant associated with the user and a confidant device associated with the confidant, wherein the confidant device is different from a user device associated with the user. The server device may transmit, to the confidant device, a request to verify an identity of the user. The server device may determine whether a verification of the identity of the user is received from the confidant device. The server device may grant or deny access to the resource based on determining whether the verification of the identity of the user is received from the confidant device.

Abstract: Techniques are described for performing multi-factor authentication of a user during a service session, based at least partly on a code conveyed using an audio file. A code is generated that corresponds to the user and/or their user device. A playback device that is registered to the user can be used to output a playback of an audio file that encodes the code. The playback of the audio file is conveyed through the service session by the user device and received by a backend server, which analyzes the playback of the audio file to extract the code. The user can be authenticated based at least partly on verifying the code that is extracted from the playback of the audio file, by comparing the extracted code to the code that was generated and sent to the playback device.

Abstract: Distributed firewalls in a network are disclosed. Example firewall controllers disclosed herein are to instruct a first network node of a software-defined network to implement a first firewall instance of a distributed firewall, the first network node to implement the first firewall instance with a first virtual machine. Disclosed example firewall controllers are also to configure a second network node of the software-defined network to route network traffic through the first firewall instance and, after at least some of the network traffic is dropped by the first firewall instance, instruct the second network node to implement a second firewall instance of the distributed firewall, the second network node to implement the second firewall instance with a second virtual machine.

Abstract: A computing device can capture a current access token of a user process. The computing device can perform a determination of whether the current access token for the user process differs from a particular access token of a parent process of the user process. The computing device can detect whether the user process has been subject to an escalation of privilege attack based on the determination of whether the current access token for the user process differs from the particular access token. The computing device can performing a mitigation action with respect to the user process in response to detecting that the user process has been subject to the escalation of privilege attack.