Patents Examined by Mohammad A. Siddiqi
  • Patent number: 11863591
    Abstract: Systems, methods, and computer-readable media for on-demand security provisioning using whitelist and blacklist rules. In some examples, a system in a network including a plurality of pods can configure security policies for a first endpoint group (EPG) in a first pod, the security policies including blacklist and whitelist rules defining traffic security enforcement rules for communications between the first EPG and a second EPG in a second pod in the network. The system can assign respective implicit priorities to the one or more security policies based on a respective specificity of each policy, wherein more specific policies are assigned higher priorities than less specific policies. The system can respond to a detected move of a virtual machine associated with the first EPG to a second pod in the network by dynamically provisioning security policies for the first EPG in the second pod and removing security policies from the first pod.
    Type: Grant
    Filed: November 22, 2022
    Date of Patent: January 2, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Murukanandam Panchalingam, Umamaheswararao Karyampudi, Gianluca Mardente, Aram Aghababyan
  • Patent number: 11856111
    Abstract: Disclosed are methods, systems, and computer-readable medium for context-specific granular access to flight management system (FMS) SaaS using adaptive IAM. For instance, the method may include receiving, at one of a plurality of application programming interface (API) endpoints of a flight management system (FMS) software as a service (SaaS), a request from a client; determining whether the request is authorized; in response to determining the request is authorized, analyzing the request to determine a context of the request and determine whether the request includes an intent; transmitting a message to a particular functionality of the FMS SaaS based on the context and the intent; determining whether the client is associated with a subscription type; filtering a data stream from the FMS SaaS in accordance with the subscription type and the context; generating a response based on the filtered data stream; and transmitting the response to the client.
    Type: Grant
    Filed: April 30, 2021
    Date of Patent: December 26, 2023
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Rajeev Mohan, Kirupakar Janakiraman
  • Patent number: 11842803
    Abstract: In various embodiments, authentication stations are distributed within a facility, particularly in spaces where mobile devices are predominantly used—e.g., a hospital's emergency department. Each such station includes a series of authentication devices. Mobile devices may run applications for locating the nearest such station and, in some embodiments, pair wirelessly with the station so that authentication thereon will accord a user access to the desired resource via a mobile device.
    Type: Grant
    Filed: April 4, 2022
    Date of Patent: December 12, 2023
    Assignee: Imprivata, Inc.
    Inventor: Meinhard Dieter Ullrich
  • Patent number: 11838410
    Abstract: Systems, apparatuses, methods, and computer program products are disclosed for gathering performance information for post-quantum cryptography (PQC). An example method includes generating, by a QC detection data generation circuitry, QC detection data. The example method further includes encrypting, by a PQC cryptographic circuitry, the QC detection data based on a PQC cryptographic technique. The example method further includes decrypting, by a PQC decryption circuitry, the QC detection data. The example method further includes storing, by a PQC cryptographic performance circuitry, encryption metadata generated by the PQC cryptographic circuitry and decryption metadata generated by the PQC decryption circuitry as PQC cryptographic performance information associated with the PQC cryptographic technique.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: December 5, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ramanathan Ramanathan, Abhijit Rao, Adam Sanders, Michael Erik Meinholz, Bradford A. Shea, Pierre Arbajian, Andrew J. Garner, IV, Ramesh Yarlagadda
  • Patent number: 11831775
    Abstract: Systems and techniques are described to facilitate using secure tokens for stateless software defined networking. An initial configuration may be created for deploying a network device at a deployment site. A cryptographically secure certificate may be created that includes the initial configuration for deploying the network device at the deployment site. The cryptographically secure certificate may be stored in a secure token that can be inserted into a secure token reader that is located at the deployment site and communicatively coupled to the device at the deployment site. The network device may then be configured at the deployment site by using the secure token.
    Type: Grant
    Filed: July 15, 2022
    Date of Patent: November 28, 2023
    Assignee: Riverbed Technology, LLC
    Inventors: Robert Walter Schumann, III, Donald Bradley Wood, Marlin Popeye McFate, Michael Clayton Rudd, Mircea I. T. Zetea, Carlos Marcelo Rodriguez de Luna
  • Patent number: 11824989
    Abstract: Systems and methods are described for onboarding a new device to a blockchain secured network. A trusted device that is already enrolled on the blockchain can receive information from a new device. The new device can send an onboarding request to a server through a non-blockchain secured Application Programming Interface (“API”). The trusted device can send an onboarding request for the new device through a blockchain secured API. The server can receive the requests and match them. The server can authenticate the two devices and send a request to a blockchain consensus to add the new device to the blockchain with the trusted device as a referral. The blockchain consensus can add the new device to the blockchain and notify the server. The server can notify the new device, and the new device can begin communicating through the blockchain secured API or directly with other devices on the blockchain.
    Type: Grant
    Filed: June 17, 2021
    Date of Patent: November 21, 2023
    Assignee: VMware, Inc.
    Inventors: Ramani Panchapakesan, Ramanandan Nambannor Kunnath, Erich Stuntebeck
  • Patent number: 11825300
    Abstract: An application controlling method includes: determining a control authority of a current user of a terminal when it is determined that the current user of the terminal is changed; and locking a predetermined application in the terminal when the current user does not have control authority. As such, privacy of the authorized user can be protected.
    Type: Grant
    Filed: June 12, 2020
    Date of Patent: November 21, 2023
    Assignee: BEIJING XIAOMI MOBILE SOFTWARE CO., LTD.
    Inventors: Weihao Chen, Mengyu Si, Xin Wang, Jiacheng Shi
  • Patent number: 11825303
    Abstract: A method and an apparatus for performing verification using a shared key are disclosed. The method includes: receiving, by a first network element, a registration request message from a second network element, where the registration request message includes a user identifier, first network identifier information, and second network identifier information, the second network identifier information is obtained by processing the first network identifier information by using a shared key, and the shared key is a key used between the first network element and the second network element; verifying, by the first network element, the registration request message by using the shared key; and sending, by the first network element, a registration response message to the second network element. When receiving a registration request from a visited network, a home network verifies the registration request message by using a shared key, to avoid a spoofing attack from the visited network.
    Type: Grant
    Filed: July 18, 2022
    Date of Patent: November 21, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Chengdong He, Hua Li
  • Patent number: 11818169
    Abstract: A system for detecting and mitigating attacks using forged authentication objects within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.
    Type: Grant
    Filed: October 26, 2022
    Date of Patent: November 14, 2023
    Assignee: QOMPLX LLC
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11818584
    Abstract: Various systems and methods for discovery and onboarding in an interconnected network framework of Internet of Things (IoT) devices are described. In an example, a technique for onboarding and provisioning a device onto an interconnected network framework includes operations to: receive a unique temporary device identifier from a device instance, the device instance indicating availability for onboarding onto a network; onboard the device instance onto the network; establish a secure session with the device instance via the network; receive, in the secure session, a secure device identifier; and initiate provisioning of the device instance in a secure directory based on the secure device identifier. In a further example, techniques are provided to securely identify and provision a second device instance (a doppelganger device instance) operating on a physical device that hosts both the first device instance and the second device instance.
    Type: Grant
    Filed: November 19, 2021
    Date of Patent: November 14, 2023
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Nathan Heldt-Sheller
  • Patent number: 11818150
    Abstract: A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: November 14, 2023
    Assignee: QOMPLX LLC
    Inventors: Randy Clayton, Jason Crabtree, Luka Jurukovski, Richard Kelley, Angadbir Singh Salaria, Andrew Sellers, Farooq Israr Ahmed Shaikh
  • Patent number: 11811929
    Abstract: Managing client access token requests is provided. It is determined whether a current time interval between a last allowed access token request matches a regular access token request interval for a client. In response to determining that the current time interval does match the regular access token request interval for the client, a current access token request is allowed. An access token is generated for the client to access a protected resource hosted by a resource server based on allowing the current access token request. The access token is issued to the client via a network.
    Type: Grant
    Filed: January 27, 2021
    Date of Patent: November 7, 2023
    Assignee: International Business Machines Corporation
    Inventors: Leo Michael Farrell, Holly Wright
  • Patent number: 11799900
    Abstract: A system and methods for mitigating golden ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previously generated hashes.
    Type: Grant
    Filed: October 25, 2022
    Date of Patent: October 24, 2023
    Assignee: QOMPLX, INC.
    Inventors: Jason Crabtree, Andrew Sellers
  • Patent number: 11790106
    Abstract: Systems and methods utilized to protect data. One method includes maintaining, by a first processing circuit in a production database of a production environment system, ciphertext data associated with a cryptographic function, wherein the production environment system corresponds to a first access level. The method further includes masking, by a second processing circuit in a middle environment system, the ciphertext data using a masking function to generate alternate ciphertext data, wherein the middle environment system is a proxy and communicably coupled with the production environment system over a secure network. The method further includes decrypting, by the second processing circuit in the middle environment system, the alternate ciphertext data utilizing a symmetric key to generate masked cleartext data, and storing, by the second processing circuit in a lower environment system, the masked cleartext data in a lower database, wherein the lower environment system corresponds to a second access level.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: October 17, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Jeff J. Stapleton
  • Patent number: 11792169
    Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.
    Type: Grant
    Filed: February 15, 2022
    Date of Patent: October 17, 2023
    Assignee: SECTURION SYSTEMS, INC.
    Inventors: Jordan Anderson, Richard J. Takahashi, Sean Little, Lee Noehring
  • Patent number: 11784986
    Abstract: A method is disclosed for conducting a transaction between a computing device and an access device. A server computer may be utilized to facilitate data exchanges between the computing device and the access device. These data exchanges may utilize high-frequency sound signals. The server computer may encrypt at least some portion of data that is then transmitted to the access device via the computing device. The server computer may verify data received from the access device prior to generating and transmitting an authorization request message for the transaction.
    Type: Grant
    Filed: February 14, 2022
    Date of Patent: October 10, 2023
    Assignee: Visa International Service Association
    Inventor: Yuexi Chen
  • Patent number: 11784817
    Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.
    Type: Grant
    Filed: March 21, 2022
    Date of Patent: October 10, 2023
    Assignee: Google LLC
    Inventors: Gang Wang, Marcel M. Moti Yung
  • Patent number: 11777730
    Abstract: A method for providing interactive recording networks is disclosed. Multiple child networks can be established, each child network being coordinated by a respective coordinating entity. Each coordinating entity can also participate in a central parent network. A data package can be sent from one network to another. When a data package is sent to another network, additional data can be added to indicate that the data package is being escalated.
    Type: Grant
    Filed: March 30, 2022
    Date of Patent: October 3, 2023
    Assignee: Visa International Service Association
    Inventors: Ajith Thekadath, Sukrit Handa, Suman Mukherjee
  • Patent number: 11777709
    Abstract: A method is disclosed. The method includes a user device storing a message data template comprising a plurality of data fields. A multi-record message may be generated using the message data template in response to an interaction between the user device and an access device. To generate the multi-record message, the user device may increment a counter stored on the user device to produce a counter value, and generate a dynamic cryptogram. The user device may additionally retrieve a credential. The counter value, the dynamic cryptogram, and the credential may then be incorporated into the plurality of data fields of the message data template to form the multi-record message. The multi-record message may be transmitted to the access device, where the access device forwards the multi-record message to an authorization computer to authorize or deny the interaction.
    Type: Grant
    Filed: September 18, 2020
    Date of Patent: October 3, 2023
    Assignee: Visa International Service Association
    Inventor: Yuexi Chen
  • Patent number: 11777733
    Abstract: Techniques are described for managing master keys for token requestors to use in generating cryptograms such as TAVVs. A processor computer generates a first master key for a token requestor, the first master key being generated based on (a) a second master key managed by the processor computer and (b) an identifier of the token requestor. The processor computer transmits, to a token requestor computer corresponding to the token requestor, the first master key. The processor computer receives, from the token requestor computer, a request for a token. Responsive to receiving the request for the token, the processor computer transmits the token to the token requestor computer; and receives, from the token requestor computer, an authorization request message comprising the token and a cryptogram generated by the token requestor computer using the first master key and the token.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: October 3, 2023
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Jalpesh Chitalia, Eduardo Lopez, Christian Flurscheim, Sayeed Mohammed, Christian Aabye, Christoffel Jacobs, Phillip Lavender