Abstract: Techniques for enhancing the security of storing sensitive information or a token on a communication device may include sending a request for the sensitive information or token. The communication device may receive a session key encrypted with a hash value derived from user authentication data that authenticates the user of the communication device, and the sensitive information or token encrypted with the session key. The session key encrypted with the hash value, and the sensitive information or token encrypted with the session key can be stored in a memory of the communication device.

Abstract: Methods and systems generate an attributed network for tracing transmitted data that is attributable to a user. A digital registration certificate includes an identity marker and a verified privity marker. The digital registration certificate is registered with an immutable entry in a registry, with the immutable entry also storing the identity marker and referencing the verified privity marker, and with retrieval of the digital registration certificate being required to access the attributed network. A client device requests to access the attributed network, and the systems and methods authenticate a user of the client device by verifying biometric login data as matching the identity marker included in the immutable entry in the registry. The digital registration certificate is obtained from the registry. A virtual browser configured for accessing the attributed network packages the digital registration certificate with data specified by the client device.

Abstract: A system and method for integrating hierarchical authentication systems and non-hierarchical authentication systems. The system and method is provided in one configuration as a mobile app that functions to allow a mobile device to access highly sensitive data while simultaneously ensuring a highly secured environment utilizing both hierarchical authentication systems and non-hierarchical authentication systems to provide a highly reliable authentication process.

Abstract: A system and method. The system may include a first computing device implemented in a vehicle that is a first node of a distributed blockchain ledger network. The first computing device may include a first processor and a first computer readable medium. The first processor may be configured to: maintain a first instance of a distributed blockchain ledger; receive data for entry in the first instance of the distributed blockchain ledger; write a record including the data in the first instance of the distributed blockchain ledger; determine a data link for forwarding the record to other nodes of the distributed blockchain ledger network; forward the record to the other nodes of the distributed blockchain ledger network, wherein the other nodes include a second computing device offboard of the vehicle, the second computing device configured to maintain a second instance of the distributed blockchain ledger; and validate the record.

Abstract: Systems and processes that may be implemented to manage access by software applications to various resources of a user telecommunications device are disclosed. The systems and processes may implement a trust policy which reflects privacy criteria selected by a user of the user telecommunications device, wherein the trust policy overrides registered permissions of the software applications. The user telecommunication device may include a memory that stores a software application has been granted registered permissions to access a input and/or output component of the user telecommunications device as well as a trust policy has been set by the user to proscribe access by that particular software application to the input and/or output component. In implementing the trust policy, the software application may be prevented from accessing the input and/or output component notwithstanding the software application having registered permissions to access the input and/or output component.

Abstract: A management apparatus (500) stores encrypted tags (C(D)) and encrypted data such that they are associated with each other. When a search apparatus (400) obtains a search keyword (s) for searching for encrypted data stored in the management apparatus (500), the search apparatus (400) calculates deterministic information (t) which is uniquely determined by the search keyword (s), and generates a search query (Q(s)) by performing encryption of a probabilistic encryption scheme on the search keyword (s) using the deterministic information (t). The search apparatus (400) transmits the search query (Q(s)) to the management apparatus (500). When the management apparatus (500) receives the search query (Q(s)) from the search apparatus (400), the management apparatus (500) determines whether the search keyword (s) obtained by decrypting the search query (Q(s)) matches an associated keyword obtained by decrypting an encrypted tag (c) stored in the management apparatus (500).

Abstract: In one embodiment, a service configured to execute on trusted participant devices authenticates network service devices each having identifying information and one or more offered services, and creates an entry into a secure digital ledger for each authenticated network service device and associated offered services, each entry based on the identifying information and the one or more offered services for a corresponding network service device. Upon receiving an advertisement for an advertised service from an advertising device attached to a given trusted participant device, the service then requests and may receive an authentic ledger entry from the secure digital ledger for the advertised service.

Abstract: A method at a Fast Identity Online, FIDO, server for facilitating a terminal device without a Subscriber Identity Module, SIM, card to access a first network via a second network. Association information for the terminal device without a SIM card is obtained indicative of an association between the terminal device without a SIM card and a user subscription account and authentication information for the terminal device without a SIM card and causes the terminal device without a SIM card to be registered with the FIDO server according to a set of FIDO Alliance specifications based at least on the association information and the authentication information. Registration information for the terminal device without a SIM card is provided to an Authentication, Authorization, and Accounting, AAA, server, in response to receipt at the AAA server of an authentication request from the terminal device without a SIM card.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for decoding Turing tests. One of the methods includes managing a database that stores data of each of a plurality of aggregation accounts; sending, for a particular account identified by one of the aggregation accounts and to a server, a request for access to account data for the particular account; receiving, from the server, data that includes a login credentials field and a Turing test challenge; extracting the Turing test challenge; providing, to an external system that is a different system from the server, the Turing test challenge; receiving, from the external system, a response to the Turing test challenge; providing, to the server, the response to the Turing test challenge; providing, to the server, the login credentials for the particular account; and receiving, from the server, account data for the particular account.

Abstract: Disclosed is a device and method to secure software update information for authorized entities. In one embodiment, a device for receiving secured software update information from a server, the device includes: a physical uncolonable function (PUF) information generator, comprising a PUF cell array, configured to generate PUF information, wherein the PUF information comprises at least one PUF response output, wherein the at least one PUF response output is used to encrypt the software update information on the server so as to generate encrypted software update information; a first encrypter, configured to encrypt the PUF information from the PUF information generator using one of at least one public key from the server so as to generate encrypted PUF information; and a second encrypter, configured to decrypt the encrypted software update information using one of the at least one PUF response output so as to obtain the software update information.

Abstract: Aspects of the present disclosure provide for systems and methods to automatically load security access files and/or keys on a local digital controller serving subscriber communication equipment, but are not so limited. A disclosed system operates to use a deployment manager as part of auto-loading security access files and/or keys on a local digital controller serving subscriber communication equipment. A disclosed method operates in part to auto-load security access files and/or keys on a local digital controller serving subscriber communication equipment.

Abstract: Techniques are disclosed relating to malware clustering based on execution-behavior reports. In some embodiments, a computer system may access malware information that includes a plurality of reports corresponding to a plurality of malware samples. In some embodiments, each of the malware reports specifies a set of features relating to execution behavior of a corresponding malware sample. The computer system may, in various embodiments, process the plurality of reports to generate a plurality of vectors that includes, for each of the malware samples, a corresponding vector indicative of the execution behavior of the corresponding malware sample. Based on the plurality of vectors, the computer system may generate similarity values indicative of a similarity between ones of the plurality of vectors. Further, based on the similarity values, the computer system may assign each of the plurality of malware samples to one of a plurality of clusters of related malware samples.

Abstract: According to various aspects, a delay-based physical unclonable function (PUF) device is provided. According to one embodiment, the PUF device includes circuitry for generating output bits of entropy by comparing, or “racing”, a plurality of PUF cells. A PUF cell is a building block of the PUF device. For example, the PUF device may include two identically designed circuits with only process related variations and each circuit can be a PUF cell. According to another aspect, if PUF cells with same history of winning or losing are being compared in a race, adversaries cannot predict the outcome of the current race based on previous race results. Accordingly, systems and methods are described herein for generating multiple rounds of races based on the previous rounds of races. Thus, one PUF cell can be used in multiple pairwise comparisons while maximal entropy is extracted.

Abstract: A system records use of values used in cryptographic algorithms where the values are subject to uniqueness constraints. As new values are received, the system checks whether violations of a unique constraint has occurred. If a violation occurs, the system performs actions to mitigate potential compromise caused by exploitation of a vulnerability caused by violation of the uniqueness constraint.

Abstract: The invention relates generally to systems and methods for protecting patient privacy when health care information is shared between various entities and, in particular, to systems and methods that implement a multi-stage sanitizing routine for de-identifying patient data from medical reports and diagnostic images to ensure patient privacy, while preserving the ability for sanitized medical reports and diagnostic images to be re-identified.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for digital asset buyback. One of the methods includes: obtaining a request for buying back a digital asset from a first blockchain account, the request comprising a quantity of the digital asset; identifying, based on the request, a blockchain contract that is deployed on the blockchain and that corresponds to the digital asset; generating a blockchain transaction for transferring the quantity of the digital asset from the first blockchain account to a second blockchain account associated with digital asset buyback, wherein the blockchain contract comprises a restriction prohibiting transfer of the digital asset out of the second blockchain account; and sending, to a blockchain node for adding to the blockchain, the blockchain transaction for transferring the quantity of the digital asset from the first blockchain account to the second blockchain account.

Abstract: An apparatus and method for performing operation being secure against side channel attack are provided. The apparatus and method generate values equal to values obtained through an exponentiation operation or a scalar multiplication operation of a point using values extracted from previously generated parameter candidate value sets and an operation secure against side-channel attack, thereby improving security against side-channel attack without degrading performance.

Abstract: Structured access to volunteered private data disclosed. Access can be based on security and privacy constraint information (SPCI) that can be selected by the party volunteering the private data. The volunteered data can be stored in a protected portion of a public network. The SPCI can be correlated to the volunteered data. In response to receiving a request for access to the volunteered data, an attribute of the request can be determined to satisfy one or more rules related to the SPCI prior to facilitating access to a version of a portion of the volunteered data. The version of the portion of the volunteered data can be a redaction of the portion of the volunteered data. The version of the portion of the volunteered data can be aggregated with other portions of other volunteered data determined to satisfy corresponding SPCI related rules.

Abstract: A communication device including a non-SIM based client is authenticated for accessing an IMS network. An internet protocol identity is received from the communication device. The internet protocol identity is not associated with a SIM. Authentication information associated with the internet protocol identity is requested and received from the communication device. A determination is made whether the communication device is authenticated based on the internet protocol identity and the authentication information. If the communication device is determined to be authenticated, the communication device is allowed access to the IMS network.

Abstract: Multiuse certificates (e.g., wildcard certificates) can be associated with policies that specify one or more computational constraints, e.g., limited processor power, limited access time, limited access to file system usage, or limited memory access. An application associated with a multiuse certificate can be monitored to ensure that the specified computational constraints are not violated. Upon the computational constraints being violated, the multiuse certificate can be invalidated and/or authentication requests rejected.