Patents Examined by Mohammad Siddiqi
  • Patent number: 11310046
    Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.
    Type: Grant
    Filed: September 3, 2019
    Date of Patent: April 19, 2022
    Assignee: Google LLC
    Inventors: Gang Wang, Marcel M. Moti Yung
  • Patent number: 11308196
    Abstract: Pairing data associated with a second device may be received at a first device. The pairing data may be received from a server. A first authentication proof may be generated based on the pairing data received from the server. A second authentication proof may be received from the second device. Furthermore, an authentication status of the second device may be updated based on a comparison of the first authentication proof that is based on the pairing data received from the server and the second authentication proof that is received from the second device.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: April 19, 2022
    Assignee: Cryptography Research, Inc.
    Inventors: Benjamin Che-Ming Jun, Matthew Evan Orzen, Joel Patrick Wittenauer, Steven C. Woo
  • Patent number: 11297492
    Abstract: Techniques to protect subscriber identity in messages communicated between a user equipment (UE) and a cellular wireless network entity by using multiple ephemeral asymmetric keys are disclosed. The UE determines multiple ephemeral UE public and secret key pairs, while the cellular wireless network entity provides a network public key to the UE. The network public key may be updated over time. Multiple encryption keys based on the multiple ephemeral UE secret keys and the public network key are derived and used to encrypt a subscription permanent identifier (SUPI) to generate multiple subscription concealed identifiers (SUCIs). Each SUCI is used only once for messages communicated to a cellular wireless network and discarded after use. New SUCI are generated when the network public key is updated.
    Type: Grant
    Filed: March 27, 2018
    Date of Patent: April 5, 2022
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Lijia Zhang, Dawei Zhang, Huarui Liang, Shu Guo, Rohan C. Malthankar, Krisztian Kiss
  • Patent number: 11296881
    Abstract: An embodiment disclosed herein is related to computing systems and methods for a computing system to generate an access token that includes an IP address from a request. In the embodiment, a request is received for access to one or more secured data items. The request may include user credentials that specify that a user making the request is permitted to access the secured data items. The user credentials are validated and an Internet Protocol (IP) address that the request was sent from is determined. An access token is generated that includes the IP address that the request was sent from.
    Type: Grant
    Filed: October 30, 2019
    Date of Patent: April 5, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Violet Anna Barhudarian, Jiangfeng Lu, Caleb Geoffrey Baker, Oren Jordan Melzer, Anirban Basu, Praveen Erode Murugesan
  • Patent number: 11296870
    Abstract: A method, a system, and a computer program product for performing key management configurations. One or more encryption keys for encrypting one or more data payloads for accessing one or more databases are received. The received encryption keys are compared to a plurality of encryption keys associated with the databases. Based on the comparison, a configuration of at least one database is changed using the received encryption keys. The changed configuration is stored.
    Type: Grant
    Filed: October 1, 2019
    Date of Patent: April 5, 2022
    Assignee: SAP SE
    Inventors: Christoph Hohner, Sascha Zorn, Meinolf Block, Martin Schindewolf
  • Patent number: 11283831
    Abstract: In one embodiment, a device in a network inserts a profile tag into an address request sent by an endpoint node in the network to a lookup service. The lookup service is configured to identify one or more addresses with which the endpoint node is authorized to communicate based on a profile for the endpoint node associated with the inserted profile tag. The device receives an address response sent from the lookup service to the endpoint node that indicates the set of one or more addresses with which the endpoint node is authorized to communicate. The device determines whether a communication between the endpoint node and a particular network address is authorized using the set of one or more addresses with which the endpoint node is authorized to communicate. The device blocks the communication based on a determination that the particular network address is not in the set of one or more addresses with which the endpoint node is authorized to communicate.
    Type: Grant
    Filed: May 24, 2019
    Date of Patent: March 22, 2022
    Assignee: Cisco Technology, Inc.
    Inventors: Pascal Thubert, Eric Levy-Abegnoli, Eliot Lear, Brian E. Weis
  • Patent number: 11283611
    Abstract: A token management apparatus includes a reception unit that receives, from a first user who has an access token for accessing a service providing server that provides a service, a permission condition for permitting a second user a conditional use of an access token of the first user, the second user being different from the first user and not having the access token; and an issuance unit that issues a conditional access token that permits the conditional use of the service within a range of the permission condition, to the second user in a case where the second user requests the conditional use of the access token of the first user, and the request for the conditional use satisfies the permission condition.
    Type: Grant
    Filed: July 18, 2019
    Date of Patent: March 22, 2022
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Yoshihiro Fujimaki
  • Patent number: 11283774
    Abstract: Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.
    Type: Grant
    Filed: August 28, 2017
    Date of Patent: March 22, 2022
    Assignee: SECTURION SYSTEMS, INC.
    Inventors: Jordan Anderson, Richard J. Takahashi, Sean Little, Lee Noehring
  • Patent number: 11283781
    Abstract: A method is disclosed for conducting a transaction between a computing device and an access device. A server computer may be utilized to facilitate data exchanges between the computing device and the access device. These data exchanges may utilize high-frequency sound signals. The server computer may encrypt at least some portion of data that is then transmitted to the access device via the computing device. The server computer may verify data received from the access device prior to generating and transmitting an authorization request message for the transaction.
    Type: Grant
    Filed: April 7, 2020
    Date of Patent: March 22, 2022
    Assignee: Visa International Service Association
    Inventor: Yuexi Chen
  • Patent number: 11275818
    Abstract: A method includes generating, by a computing device, a unique identifier (ID) based on copyright information associated with digital content, wherein the copyright information and the digital content are recorded on a blockchain of a blockchain network; identifying a plurality of color values associated with one or more color attributes of at least a portion of the digital content; and embedding the unique ID in the digital content by changing one or more color values of the plurality of color values to be representative of the unique ID, wherein the embedding produces information-embedded digital content that enables retrieval of the copyright information from the blockchain based on the unique ID, and wherein a visual difference between the digital content and the information-embedded digital content is not apparent to an unaided human eye.
    Type: Grant
    Filed: June 21, 2021
    Date of Patent: March 15, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Zhiguo Li
  • Patent number: 11277264
    Abstract: In one embodiment, a method includes receiving an ISIS hello message including an attestation token from a second network apparatus, determining that the attestation token is valid for the second network apparatus at a current time, establishing an adjacency to the second network apparatus in response to the determination, computing, based at least on the attestation token, a trust level for a first link from the first network apparatus to the second network apparatus and a trust level for first prefixes associated with the first link, and sending an LSP comprising the trust level for the first link and the trust level for the first prefixes to neighboring network apparatuses, where the trust level for the first link and the trust level for the prefixes are used by the network apparatuses in the network to compute a routing table of the network.
    Type: Grant
    Filed: October 14, 2019
    Date of Patent: March 15, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Peter Psenak, Paul Wells, Ketan Jivan Talaulikar, Clarence Filsfils
  • Patent number: 11270006
    Abstract: A storage device can include processing and cryptographic capability enabling the device to function as a hardware security module (HSM). This includes the ability to encrypt and decrypt data using a cryptographic key, as well as to perform processing using such a key, independent of whether that processing involves data stored on the device. An internal key can be provided to the drive, whether provided before customer software access or received wrapped in another key, etc. That key enables the device to perform secure processing on behalf of a user or entity, where that key is not exposed to other components in the network or environment. A key may have specified tasks that can be performed using that key, and can be discarded after use. In some embodiments, firmware is provided that can cause a storage device to function as an HSM and/or processing device with cryptographic capability.
    Type: Grant
    Filed: December 30, 2019
    Date of Patent: March 8, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Eric Jason Brandwine
  • Patent number: 11271738
    Abstract: A Secure, Reliable, and Decentralized Communication (“SRDC”) system may initialize primary and auxiliary processes associated with a mobile application, including creation of an Obfuscated Symmetric Primary Key (“OSPK”) and an Obfuscated Symmetric Auxiliary Key (“OSAK”). A cipher key manager may apply a two-way function f( ) to generate two subkeys: SPAK1 (designated (SPAK)primary) and SPAK2 (designated (SPAK)auxiliary). (SPAK)auxiliary may be encrypted using (SPAK)primary to obtain (E-SPAK)auxiliary. OSAK may be de-obfuscated to obtain Symmetric Auxiliary Key (“SAK”) and (E-SPAK)auxiliary may be encrypted using SAK to obtain (EE-SPAK)auxiliary. A key obfuscator may be called to de-obfuscate OSPK to obtain Symmetric Primary Key (“SPK”). (SPAK)primary may then be encrypted using SPK to obtain (E-SPAK)primary. The SRDC system may communicate with a CP mobile service and store (E-SPAK)primary in a storage service.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: March 8, 2022
    Assignee: SAP SE
    Inventor: Dinesh Kumar
  • Patent number: 11265322
    Abstract: Implementations of this specification include receiving a synchronization request from a light-weight node of the blockchain network including an identity of the light-weight node; identifying one or more permissions associated with the identity of the light-weight node; determining an original world state structure associated with the block height and including a plurality of account records; identifying based on the one or more permissions, a subset of the plurality of account records that are authorized for access by the light-weight node; generating an isolated world state structure based on the original world state data structure including only the subset of the plurality of account records that are authorized for access by the light-weight node; sending a response to the light-weight node that includes the isolated world state data structure.
    Type: Grant
    Filed: August 23, 2021
    Date of Patent: March 1, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventors: Chao Shen, Wenbin Zhang, Xuming Lu
  • Patent number: 11258779
    Abstract: The disclosed technology relates to a process of evaluating any number of different identity providers (IDPs) and their respective set of credentials that are used to authenticate corresponding users to assist with the onboarding of the different IDPs in connection with Wi-Fi identity federations. In particular, the process allows a person's electronic identity and attributes (stored across one or more IDPs) to be determined once using a standard. Once trust has been established for the user, that trust can then be utilized across a number of different systems (e.g., Single-sign on). The same trust determination can be used without the need for the authenticity of the user identity to be re-evaluated with each new access request.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: February 22, 2022
    Assignee: CISCO TECHNOLOGY, INC.
    Inventors: Malcolm Muir Smith, Bart Brinckman, Mark Grayson, Jerome Henry, Matthew Stephen MacPherson
  • Patent number: 11256794
    Abstract: Systems and methods for authenticating a user using an interactive voice response application. The method includes receiving data representing a spoken voice utterance corresponding to a user of an interactive voice response application. The method further includes processing the data representing the spoken voice utterance based on a length and a quality of the spoken voice utterance. The method also includes comparing the processed data representing the spoken voice utterance and a voiceprint associated with the user. The method further includes generating a security token in response to determining that the processed data representing the spoken voice utterance substantially matches the voiceprint associated with the user. The method also includes receiving the security token from the interactive voice application and validating the security token corresponding to the user in response to determining that the security token matches a security token generated by a server computing device.
    Type: Grant
    Filed: January 31, 2020
    Date of Patent: February 22, 2022
    Assignee: FMR LLC
    Inventors: Harmeet Singh, Robert Gage, David Marteney, Kevin Johnson
  • Patent number: 11258607
    Abstract: An example computing device includes a memory to store a cryptographic key, a processor coupled to the memory, and a set of instructions stored in the memory. The set of instructions, when executed by the processor, is to capture an encrypted passcode originating from a basic input/output system (BIOS) of a managed device as a challenge to grant local access to the BIOS and authenticate with a server using a user credential. When authentication with the server is successful, the set of instructions is to decrypt the encrypted passcode with the cryptographic key to obtain a decrypted passcode and output the decrypted passcode. When authentication with the server is unsuccessful, the set of instructions is to delete the cryptographic key.
    Type: Grant
    Filed: January 29, 2020
    Date of Patent: February 22, 2022
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Valiuddin Ali, Jeffrey Kevin Jeansonne, Giridhar Busam, Karthick Periyakulam Tharakraj, Richard Alden Bramley, Jr.
  • Patent number: 11250162
    Abstract: Methods, systems and computer program products for layered masking of data are described. A system receives content including personally identifiable information (PII). The system redacts the content by masking the PII. The system identifies the PII in multi-layer processing, where in each layer, the system determines a respective confidence score indicating a probability that a token is PII. If the confidence score is sufficiently high, the system masks the token. Otherwise, the system provides the token to a next layer for processing. The layers can include regular expression based processing, lookup table based processing, and machine learning based processing.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: February 15, 2022
    Assignee: Yodlee, Inc.
    Inventors: Vunnava Praveen, Syed Abid Hussain
  • Patent number: 11244078
    Abstract: A system for securing a secret word during a read of the secret word from a read-only memory (ROM) is disclosed. The system includes a memory controller coupled to the ROM and a random number generator coupled to the memory controller. The random number generator is configured to generate a random number. The system further includes a number shuffler coupled to the random number generator and the memory controller. The number shuffler is configured to generate a bit read order based on the random number and the memory controller is configured to read bits of the secret word from the ROM according to the bit read order.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: February 8, 2022
    Assignee: NXP USA, INC.
    Inventors: Stefan Doll, Sandeep Jain, Vivek Sharma, Dhruv Satsangi, Arnavesh Varun Giri, Ankur Krishna, Nitin Moudgil
  • Patent number: 11233649
    Abstract: An application program authorization method includes: when a first application on a terminal is logged into, sending, by the terminal to a first application server by using the first application, a first request message used for negotiating a token binding identifier of the first application; receiving, by the terminal, a first response message including generation information of the token binding identifier from the first application server; generating, by the terminal, the token binding identifier based on the generation information of the token binding identifier, and sending the token binding identifier to the first application server; and when the at least one second application on the terminal logs in by using the first application, sending, by the terminal to the first application server, a second request message, where the second request message includes the token binding identifier.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: January 25, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Guoqing Li, Xinmiao Chang