Patents Examined by Khalil Naghdali
  • Patent number: 10825119
    Abstract: Mobile collection and vetting of user supplied information is described. The systems, techniques, devices, methods, and approaches described herein can be used to obtain, validate, and vet information, such as customs information, in a mobile environment. In embodiments, methods comprise receiving information input via a mobile device. The information is encapsulated by an intermediate to escort the information through a firewall to the database. In response to vetting the information to determine if it meets one or more criteria, the method involves creating a record associated with a unique identifier, information that bio-identifies a user, or an indication of a determination that results from the vetting. In this embodiment, the method includes generating an electronic receipt for communication to the mobile device, the electronic receipt including the unique identifier.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: November 3, 2020
    Assignee: The Government of the United States of America, as represented by the Secretary of Homeland Security
    Inventor: David Maher
  • Patent number: 10826679
    Abstract: A digital encrypting and decrypting unit (PMEU) that operates according to a Rivest-Shamir-Adleman (RSA) cryptosystem based on Residue Numeral System (RNS) and Chinese Remainder Theorem (CRT). The unit includes two modular exponentiation calculating units (MES-1, MES-2) to process two residual signals (X mod p; X mod q) to calculate a result of a modular exponentiation by a binary method. The calculating units have inputs (I-k[i], I-SM, I-MM) and outputs (O-k[i], O-SM, O-MM) for signals representing partial results of the modular exponentiation. A modular exponentiation controlling unit (MECU) is connected to the inputs and outputs of the calculating units to control flow of the signals representing the partial results of the modular exponentiation.
    Type: Grant
    Filed: April 23, 2019
    Date of Patent: November 3, 2020
    Assignee: ADIPS SPOLKA Z OGRANICZONA ODPOWIEDZIALNOSCIA
    Inventors: Janusz Jablonski, Witold Wendrowski
  • Patent number: 10805353
    Abstract: A system includes devices, first and second cluster servers, and a global server. The first cluster server updates a second set of parameters for the first device and a first set of parameters for the second device. The second cluster server updates a fourth set of parameters for the third device and a third set of parameters for the fourth device. The global server updates the first set of parameters and the second set of parameters for the second cluster server and updates the third set of parameters and the fourth set of parameters for the first cluster server.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: October 13, 2020
    Assignee: Bank of America Corporation
    Inventors: Gaurav Bansal, Sunish Satapathy, Prajit Kumar Datta, Dheeraj Singh
  • Patent number: 10805091
    Abstract: Disclosed herein are system, method, and computer program product embodiments for certificate tracking. An embodiment operates by a computer implemented method that includes receiving, by at least one processor of a certificate manager, a first request from a client device and sending a second request for a root certificate to a certificate authority. The method further includes receiving the root certificate from the certificate authority and sending a third request to the certificate authority for one or more additional certificates. The method further includes receiving the one or more additional certificates from the certificate authority and storing the root certificate and the one or more additional certificates. The certificate manager and the certificate authority can be located on different networks.
    Type: Grant
    Filed: April 28, 2017
    Date of Patent: October 13, 2020
    Assignee: SAP SE
    Inventors: Pavan Kiran Rai, Sajid Thalam Kandathil
  • Patent number: 10805315
    Abstract: Methods and systems for verifying the identity and trustworthiness of a user of an online system are disclosed. In one embodiment, the method comprises receiving online and offline identity information for a user and comparing them to a user profile information provided by the user. Furthermore, the user's online activity in a third party online system and the user's offline activity are received. Based on the online activity and the offline activity a trustworthiness score may be calculated.
    Type: Grant
    Filed: June 12, 2019
    Date of Patent: October 13, 2020
    Assignee: Airbnb, Inc.
    Inventors: Stephen Kirkham, Michael Lewis
  • Patent number: 10789346
    Abstract: Method, media, and system for authentication of a claimant as a claimed identity. Embodiments break the authentication process into two steps. In the first step, a registrant establishes an identity profile by presenting identity documents and authentication points that can later be used to verify that they are the person who established the identity profile. Subsequently, when a claimant claims the identity in the identity profile, an identity score and an authentication score can be calculated based on the identity profile and the information provided by the claimant. The authentication score measures how likely it is that the claimant is the same person who established the identity profile. The identity score measures how likely it is that the registrant is who they are claiming to be. The identity score and the authentication score can then be combined to determine the likelihood that the claimant actually corresponds to the claimed identity.
    Type: Grant
    Filed: June 17, 2019
    Date of Patent: September 29, 2020
    Assignee: HRB Innovations, Inc.
    Inventors: Jason Houseworth, Mark Ciaramitaro
  • Patent number: 10785223
    Abstract: An authentication and registration system is provided which can reduce a burden at the time of authentication and registration while ensuring security when a single apparatus is used to perform authentication and registration of identification information on another apparatus. In an authentication and registration system (1), an authentication request signal is transmitted from a mobile terminal (3) to a registration server (2). When two sets of identification information VIN and IMSI received before and after the authentication request signal match each other, the registration server (2) transmits an authentication code signal to an on-board controller (4) so that an authentication code is displayed on a DA apparatus (23).
    Type: Grant
    Filed: October 19, 2018
    Date of Patent: September 22, 2020
    Assignee: HONDA MOTOR CO., LTD.
    Inventors: Takayuki Iimura, Yusuke Hamano, Yozo Takehara, Tadafumi Nogawa
  • Patent number: 10785226
    Abstract: The application relates to controlling access in a software-defined network (SDN). A controller in the SDN receives an access request from an application program. The controller determines whether an operation on a resource as specified in the access request belongs to a permission list corresponding to the application program. The permission list includes a list of permitted operations on the resource by the application program. When the operation as specified in the access request belongs to the permission list, the controller sends a reply message allowing access by the application program. In this way, accesses by the application program are restricted according to the permission list, and malicious attacks from the application program can be prevented to ensure network security.
    Type: Grant
    Filed: August 3, 2017
    Date of Patent: September 22, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Jinming Li, Yan Chen, Chengchen Hu
  • Patent number: 10776513
    Abstract: An appliance is capable of storing and processing data related to details surrounding its ownership, behavior, and history within itself in a secure and unalterable way. The appliance may experience multiple transfers in ownership during its lifetime. Certain data stored in the appliance may be encrypted such that only qualifying parties (e.g., owners) may be able to access the data. Some data may remain private to an individual owner while other data may be made available to subsequent owners by passing a shared secret that can be utilized to decrypt the other data. Data may be stored in the appliance in chronological order and may be signed by appropriate parties such that it is not possible to alter the data without detection.
    Type: Grant
    Filed: June 26, 2018
    Date of Patent: September 15, 2020
    Assignee: Visa International Service Association
    Inventor: David White
  • Patent number: 10771062
    Abstract: Presented are systems and methods that allow hardware designers to protect valuable IP and information in the hardware domain in order to increase overall system security. In various embodiments of the invention this is accomplished by configuring logic gates of existing logic circuitry based on a key input. In certain embodiments, a logic function provides results that are dependent not only on input values but also on an encrypted logic key that determines connections for a given logic building block, such that the functionality of the logic function cannot be determined by reverse engineering. In some embodiments, the logic key is created by decrypting a piece of data using a secret or private key. Advantages of automatic encryption include that existing circuitry need not be re-implemented or re-built, and that the systems and methods presented are backward compatible with standard manufacturing tools.
    Type: Grant
    Filed: August 9, 2018
    Date of Patent: September 8, 2020
    Assignee: Maxim Integrated Products, Inc.
    Inventors: Robert Michael Muchsel, Donald Wood Loomis, III, Edward Tangkwai Ma, Hung Thanh Nguyen, Nancy Kow Iida, Mark Alan Lovell
  • Patent number: 10771491
    Abstract: Data packets transmitted to and from an IoT device are obtained and at least one of the data packets are analyzed using deep packet inspection to identify transaction data from payload of the at least one of the data packets. An event log is generated for the IoT device from the transaction data, the event log, at least in part, used to generate a historical record for the IoT device. The IoT device is profiled into a device profile based on the historical record for the IoT device. The event log is updated in real-time to indicate current operation of the IoT device. Abnormal device behavior of the IoT device is determined using the event log and the device profile. The device profile is updated to indicate the abnormal device behavior of the IoT device.
    Type: Grant
    Filed: February 19, 2019
    Date of Patent: September 8, 2020
    Assignee: Palo Alto Networks, Inc.
    Inventors: Gong Cheng, Pui-Chuen Yip, Zhiwei Xiao, Ran Xia, Mei Wang
  • Patent number: 10771454
    Abstract: An information processing system comprises a terminal device; an end server; and an intermediate server connected to the terminal device and the end server via a network. The intermediate server includes a communication device that communicates with the terminal device and the end server; a memory device that stores an ID correspondence table that registers a combination of first login information and second login information, the first login information being for logging in to the intermediate server, the second login information being for logging in to the end server; and a controller, when the controller executes an information processing program, the controller operating as an ID issue receiving unit, an end server accessing unit, an ID issuing unit, and an end server access receiving unit.
    Type: Grant
    Filed: July 27, 2018
    Date of Patent: September 8, 2020
    Assignee: KYOCERA DOCUMENT SOLUTIONS INC.
    Inventor: Takehiro Hara
  • Patent number: 10771246
    Abstract: Systems and methods allow taking advantage of the natural statistical variation of physical properties in a semiconductor device in order to create truly random, repeatable, and hard to detect cryptographic bits. This may be accomplished by recursively pairing mismatch values of Physically Unclonable Functions (PUF) elements so as to ensure that generated PUF key bits remain insensitive to environmental errors, without affecting the utilization rate of available PUF elements. The pairing process may be applied to any given hardware to generate more stable PUF bit sequences that provide a higher margin of error, increase the number of bits for a given margin of error, or any combination thereof.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: September 8, 2020
    Assignee: Maxim Integrated Products, Inc.
    Inventor: Sung Ung Kwak
  • Patent number: 10764261
    Abstract: A method for enabling a scalable public-key infrastructure (PKI) comprises invoking a process of receiving a message for a device, identifying an association ID for the device, retrieving encrypted association keys stored on the server for communicating with the device, the encrypted association keys encrypted using a wrapping key stored on a Hardware Security Module (HSM). The method further comprises sending the message and the encrypted association keys to the HSM, unwrapping, by the HSM, the encrypted association keys to create unwrapped association keys, cryptographically processing the message to generate a processed message, deleting the unwrapped association keys, sending the processed message to the device, and invoking, concurrently and by a second application, the process.
    Type: Grant
    Filed: December 31, 2014
    Date of Patent: September 1, 2020
    Assignee: ITRON, INC.
    Inventors: Christopher Vigliaturo, Benjamin Damm, David Drinan, Aditi Hilbert
  • Patent number: 10764294
    Abstract: A service request and a credential are sent from a customer environment to a service provider. The service provider maintains information, such as a credential whitelist, that identifies which credentials may be used with each customer environment. The service provider identifies the particular customer environment from which the service request was submitted using the IP address of the requester (or other environment-identifying information), and retrieves information that restricts the use of the credentials. A request may be approved or rejected based on the presence of the associated credential in a whitelist notwithstanding whether the credential otherwise authorizes the service request. In some examples, the system is used to limit data exfiltration from a customer environment.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: September 1, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Muhammad Wasiq, Nima Sharifi Mehr
  • Patent number: 10757110
    Abstract: A computing system for generating allowed lists of applications for machines is provided. The system, for each machine, identifies a set of executed applications that were executed by that machine. The system then clusters the machines based on similarity between the sets of executed applications so that machines with similar sets are in the same cluster. The system then, for each cluster of machines, creates an allowed list of applications for the cluster that includes the applications in the sets of executed applications of the machines of the cluster. An allowed list for a cluster indicates that only applications in the allowed list are allowed to be executed by a machine in the cluster. The system then distributes the allowed list for a cluster to the machines of that cluster so that the machines execute only applications in the allowed list for their cluster.
    Type: Grant
    Filed: December 21, 2016
    Date of Patent: August 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Moshe Israel, Ronen Yaari, Ben Kliger, Yaniv Dagan, Gilad Elyashar, Moshe Shalala, Erel Hansav
  • Patent number: 10740461
    Abstract: Identification of an entity performing a deletion or modification action on locally stored files and notification to mitigate risks to cloud stored files is provided. A local or remote file watcher may monitor locally stored files and detect a deletion or modification action. The file watcher may also identify an entity performing the deletion or modification action. The entity may be an application, a process, a user other than the user that is the owner of the files, or the user himself/herself. The file watcher may further determine one or more alert conditions or rules associated with the affected file(s) and/or the entity, that is under which circumstances an alert is to be issued. The alert notification(s) may be issued to the user, an administrator, a cloud storage service, and/or a data protection service such that protective measures can be taken if necessary.
    Type: Grant
    Filed: May 16, 2019
    Date of Patent: August 11, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Filip Chelarescu, John D. Rodrigues, Steven J. Bailey, Adam C. Czeisler
  • Patent number: 10742635
    Abstract: A global userID may be linked to many individual locations. A user may login to the global userID and select an experience environment. The experience environment may provide access to locations associated with the experience environment, such as all locations in a country. The user may switch between experience environments without providing login credentials for each individual location the user wishes to view.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: August 11, 2020
    Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
    Inventors: Debdeep Banerjee, Yatharth Chowdhary, Dinesh Reddy Gudibandi, Gautam Gulati, Prasanth Harpanahalli, Edward L. Morabito, Jr.
  • Patent number: 10735432
    Abstract: Aspects of the technology described herein provide a mechanism for controlling access to secure computing resources based on inferred user authentication. A current user may be authenticated and access to secure computing resources permitted based on a determined probability that the current user is a legitimate user associated with the secure computing resource. Legitimacy of the current user may be inferred based on a comparison of user-related activity of the current user to a persona model, which may comprise behavior patterns, rules, or other information for identifying a legitimate user. If it is determined that the current user is likely legitimate, then access to secure information may be permitted. However, if it is determined that the current user is likely illegitimate, then a verification procedure may be provided to the current user, such as a temporal, dynamic security challenge based on recent activity conducted by the legitimate user.
    Type: Grant
    Filed: January 18, 2019
    Date of Patent: August 4, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Nadav Bar, Tom Jurgenson
  • Patent number: 10719548
    Abstract: A method for territorial filtering, streaming, and downloading media files over a client-server network with local read-write execution capabilities enables application of digital rights management data across batches of media files without admin having to alter each file, or metadata associated with each file, individually. Media files stored remotely in memory associated with a server are batch-handled for application of digital rights management data. Digital rights management data is applicable to batched files by assignation to particular directories wherein media files stored within a particular directory are associable with particular digital rights management data. Territorial filtering is applied to exclude media files from display as part of a selectable menu whereby users requesting access from certain locations are denied access to media files restricted from playback in that location.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: July 21, 2020
    Inventor: Lee Johnson