Patents Examined by Nelson S. Giddins
  • Patent number: 11205018
    Abstract: A device can be identified using a manufacturing characteristic in the device. Power consumption data associated with a device is received. A power model can be fitted to the power consumption data and at least one parameter is determined based on fitting. A fingerprint of the device can be created based on at least one parameter.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: December 21, 2021
    Assignee: International Business Machines Corporation
    Inventor: Bilge Acun
  • Patent number: 11206147
    Abstract: A method for producing a cryptographic timestamp for a digital document using multiple time servers is provided. In the method, a nonce value is produced and a current hash value is formed from the nonce value and the digital document. Then, a time server is repeatedly selected, the current hash value is transmitted to the selected time server, a response comprising a digital signature of the current hash value and a time indication is received by the selected time server, and an additional hash value is determined from the received response and used as the current hash value. The cryptographic timestamp for the digital document is formed from the nonce value and the multiple received responses. The method produces a tamperproof timestamp on a majority basis and is suitable for dating and protocolling in the field of automation and IoT.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: December 21, 2021
    Inventors: Hans Aschauer, Steffen Fries, Dominik Merli
  • Patent number: 11196717
    Abstract: Systems, methods, and apparatus for a virtual transponder utilizing inband telemetry are disclosed. A disclosed method for a virtual transponder utilizing inband telemetry comprises transmitting, by a hosted payload (HoP) operation center (HOC), encrypted hosted commands to a host spacecraft operations center (SOC). The method further comprises transmitting, by the host SOC, encrypted host commands and encrypted hosted commands to a vehicle. Also, the method comprises reconfiguring a payload on the vehicle according to unencrypted host commands and/or unencrypted hosted commands. In addition, the method comprises transmitting payload data to a host receiving antenna and/or a hosted receiving antenna. Also, the method comprises transmitting encrypted host telemetry to the host SOC. In addition, the method comprises transmitting encrypted hosted telemetry to the hosted receiving antenna. Further, the method comprises transmitting, by the hosted receiving antenna, the encrypted hosted telemetry to the HOC.
    Type: Grant
    Filed: November 7, 2019
    Date of Patent: December 7, 2021
    Assignee: THE BOEING COMPANY
    Inventors: Robert J. Winig, Kristina Miller, Eric Anden
  • Patent number: 11190356
    Abstract: Before a composition is ingested into a runtime environment at a runtime device, the composition may be verified at an authoring trusted execution environment (TEE) operating on an authoring device. A user can operate an untrusted computing platform (e.g., a personal computer, laptop computer, tablet computer, etc.) to write code, generate data, or create some other composition. Since this composition is created on an untrusted device, the authoring TEE may output the composition on a trusted peripheral device to a user for review and approval. Responsive to receiving approval at the trusted peripheral device, the authoring TEE can sign the composition with a local key and forward the composition for execution by the runtime device. The signature can be utilized by the runtime device to prove that it was reviewed and verified by an authorized user operating the authoring device.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 30, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: David Garfield Thaler, III, Stefan Thom, Brian Clifford Telfer
  • Patent number: 11190499
    Abstract: A communication terminal shares a session key with and sends cipher text to another communication terminal via a server device, including: a common key cipher text obtaining unit that encrypts a message based on a common key to obtain common key cipher text; a function computation result obtaining unit that computes the common key and the session key based on a predetermined first function to obtain a function computation result; a public key cipher text obtaining unit that encrypts the function computation result based on a public key to obtain public key cipher text; and a cipher text sending unit that sends the common key cipher text and the public key cipher text to the server device. The communication terminal can update data previously saved in a server to data that can be decrypted on the communication terminal side using an updated session key, without the server decrypting the data.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: November 30, 2021
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Yuki Okano, Reo Yoshida, Ryo Nishimaki, Tetsutaro Kobayashi
  • Patent number: 11184385
    Abstract: Implementations of the present disclosure include providing a graph that is representative of an enterprise network and includes nodes and edges, a set of nodes representing assets within the enterprise network, each edge representing a lateral movement path between assets, determining, for each asset, a contribution value indicating a contribution of an asset, determining lateral movement paths between a first asset and a second asset, providing a lateral movement path value representative of a difficulty in traversing a respective lateral movement path, identifying a set of remediations based on remediations defined for one or more vulnerabilities associated with issues identified for assets, each remediation mitigating a cyber-security risk within the enterprise network, and prioritizing the two or more remediations based on contribution values of assets, lateral movement path values of paths, and one of lateral movement complexity values of respective segments of paths and costs of respective remediation
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: November 23, 2021
    Assignee: Accenture Global Solutions Limited
    Inventors: Eitan Hadar, Amin Hassanzadeh, Dani Grabois, Gil Fidel
  • Patent number: 11184155
    Abstract: A cryptographic key management service receives a request to import a first cryptographic key. In response to the request, the service creates a public cryptographic key and a private cryptographic key. The private cryptographic key is encrypted using a second cryptographic key to create an import key token. The import key token and the public cryptographic key are provided in response to the request. The service receives an encrypted first cryptographic key, which the service decrypts using the private cryptographic key to obtain the first cryptographic key. The service stores the first cryptographic key and enables its use for the performance of cryptographic operations.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: November 23, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Aleksandrs J. Rudzitis, Alexis Lynn Carlough, Gregory Alan Rubin, Matthew John Campagna
  • Patent number: 11177958
    Abstract: Described embodiments include an apparatus, comprising a communication interface and a processor. The processor is configured to obtain an NT Local Area Network Manager (NTLM) authentication token, which authenticates a client device to a service using an NTLM authentication protocol. The processor is further configured to, subsequently to obtaining the NTLM authentication token, receive, via the communication interface, from another processor that belongs to the client device, a challenge that was sent to the client device by the service in response to a request, from the client device, to access the service. The processor is further configured to, using the NTLM authentication token, compute a response to the received challenge, and to communicate the computed response to the client device, without exposing the NTLM authentication token to the client device. Other embodiments are also described.
    Type: Grant
    Filed: September 13, 2017
    Date of Patent: November 16, 2021
    Assignee: SILVERFORT LTD.
    Inventors: Yaron Kassner, Hed Kovetz, Matan Binyamin Fattal
  • Patent number: 11178184
    Abstract: This relates to connecting a network of logical broadcast domains to the Internet. In an embodiment, selected signal packets are transmitted between two logical broadcast domains via a tunnel server. Outbound signal packets are communicated to the Internet via network address translation as to the outbound signal packets which are different than the selected signal packets.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: November 16, 2021
    Assignee: CRADLEPOINT, INC.
    Inventors: Scott Andrew Hankins, Andrew John Mastracci
  • Patent number: 11170080
    Abstract: Enforcing authorization controls for an approved software change on a target system is provided. A user is validated to perform a set of actions. The set of actions performed by the validated user is monitored to determine whether the set of actions conform to an approved process for the approved software change on the target system. A deviation from the approved process is detected based on determining that the set of actions do not conform to the approved process during the monitoring. In response to detecting the deviation from the approved process, an alert is sent regarding the deviation.
    Type: Grant
    Filed: December 7, 2018
    Date of Patent: November 9, 2021
    Assignee: International Business Machines Corporation
    Inventors: William A. Mills, Srishti Arora, John Behnken
  • Patent number: 11126754
    Abstract: An access control system includes a processor configured to provide a trusted execution environment isolated from a rich execution environment. A rich OS operates in the rich execution environment while a trusted OS operates in the trusted execution environment. A plurality of protected data files are stored in non-volatile memory. When a process requests access to a protected data file, the computer system can permit the requesting process to access the requested data file only if a validated application token is present that corresponds to the requesting process. An application token is generated for the associated application by: detecting initiation of a first process associated with the associated application; determining that a valid user code is available within the trusted execution environment; and generating the application token using the valid user code upon determining that the valid user code is available within the trusted execution environment.
    Type: Grant
    Filed: November 26, 2019
    Date of Patent: September 21, 2021
    Assignee: BICDROID INC.
    Inventors: Xiang Yu, Jin Meng, En-hui Yang
  • Patent number: 11113377
    Abstract: A management device (181) calculates, from access information transmitted from a token terminal (121) and a site seed assigned to a server (161), a user seed, and registers the user seed in the token terminal (121). The token terminal (121) obtains a share seed to be shared with the server (161) independently therefrom, calculates a key code from the share seed and the user seed, and presents the key code to the user. When the user enters the key code to an access terminal (141), the access terminal (141) transmits, to the server (161), a request having the key code specified. The server (161) obtains access information relating to the transmitted request, calculates a checkup seed from the access information and the site seed assigned to the server (161), obtains a share seed independently from the token terminal (121), calculates a checkup code from the share seed and the checkup seed, and sets a necessary condition for sign-in that is consistent between the key code and the checkup code.
    Type: Grant
    Filed: August 22, 2016
    Date of Patent: September 7, 2021
    Inventor: Hideharu Ogawa
  • Patent number: 11106783
    Abstract: An authentication method for a tag device includes exchanging authentication codes between the tag device and an authentication server to perform mutual authentication. A reader device acts as a communications bridge between the tag device and the authentication server. The reader device may observe mutual authentication between the tag device and the authentication server as an indicator that the tag device is authentic. A failure of mutual authentication indicates that the tag device is not authentic.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: August 31, 2021
    Inventor: William Guie Rivard
  • Patent number: 11106770
    Abstract: Embodiments of the present invention are directed towards a computer-implemented method of detecting multi-factor authorization. The method includes detecting a user entering security credentials for a client application via a keypad. The method further includes determining that the user is using a single sign-on method of authentication based upon a cadence of keystrokes used to enter the security credentials. The method further includes storing the security credentials in memory.
    Type: Grant
    Filed: January 17, 2019
    Date of Patent: August 31, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Sophie Green, David James Nice, Ledina Hido-Evans, Stewart Oliver Maslen Francis
  • Patent number: 11109234
    Abstract: An access control system includes a first controller having a first antenna interface for broadcasting identifying data to local devices, for receiving ephemeral ID signals, token signals or payload data from local devices, and a first processor for determining a first authentication when an ephemeral ID signal or a token from a first local device is determined to be valid, for determining a second authentication when an ephemeral ID signal or a token from a second local device is determined to be valid, and for instructing a peripheral to perform a user-perceptible action in response to the first authentication, and a second controller coupled to the first controller having a second processor for receiving payload data for the second local device in response to the second authentication, and a second antenna interface for outputting at least a portion of the payload data to the remote server in response to the second authentication.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: August 31, 2021
    Assignee: Proxy, Inc.
    Inventors: Denis Mars, Simon Ratner
  • Patent number: 11095433
    Abstract: An example operation may include one or more of receiving a request to modify a governance policy of a blockchain, identifying a principal identity that controls the governance policy, determining an allowable combination of signatures of the principal identity required for modifying the governance policy based on a graph data structure storing signature policies for endorsing modifications to governance policies, and modifying the governance policy of the blockchain based on the request in response to an allowable combination of signatures being received.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: August 17, 2021
    Assignee: International Business Machines Corporation
    Inventors: Meeta Vouk, Gari Singh, Jason K. Yellick, Gennaro A. Cuomo
  • Patent number: 11087022
    Abstract: In an embodiment, a computing system, such as a monitoring computer, receives a request from a user to monitor an account of the user with an online service provider. The request may include personal information and user preferences for one or more protective actions. The system periodically monitors external data sources for indications of changes to personal information associated with the account, and detects changes or attempted changes to personal information associated with the account. The system may determine risk levels associated with detected changes or attempted changes, and transmit a notification to the user via a communication channel selected based on the determined risk level and/or the user preferences. The system may also initiate protective actions, so that further unauthorized access to the account may be prevented.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: August 10, 2021
    Assignee: ConsumerInfo.com, Inc.
    Inventors: Michael Burger, Mark Joseph Kapczynski
  • Patent number: 11082205
    Abstract: A method for securely processing data to prevent unauthorized access is provided. The method includes the steps of splitting data into components and with a sequence of a first hashing, a first encryption, a second hashing, a second encryption, and a third hashing, that optimizes the security of the data. The method further provides steps to securely retrieve, update and delete the data once the data has been securely stored.
    Type: Grant
    Filed: January 8, 2019
    Date of Patent: August 3, 2021
    Assignee: Paperclip Inc.
    Inventors: David Michael Bridges, William Weiss
  • Patent number: 11070392
    Abstract: A system and method for provisioning internet access to guests of a travel facility is provided. A number of access points are in electronic communication with a gateway device which is in electronic communication with a property management system (PMS) and a router. The PMS includes identifying information for guests registered with the travel facility. An API gateway and a central destination server are in electronic communication with the gateway device by way of the internet. The central destination server receives a request to connect to the internet from a personal electronic device and grants internet access if the personal electronic device is recognized as having previously been granted internet access for a duration of time and if the current time is within the duration of time.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: July 20, 2021
    Assignee: Hilton International Holding LLC
    Inventors: John Flack, Jonathan Gaines
  • Patent number: 11063989
    Abstract: Remote control to facilitate the management, configuration, or maintenance of information technology infrastructure is provided. The system activates a real-time communication session and a code for the real-time communication session. The system generates a link with an indication of the code for the real-time communication session. The system transmits the link to a mobile telecommunications device that launches a web browser to request content. The system receives the request for content, and obtains access to data from a sensor of the mobile telecommunications device. The system identifies the real-time communication session corresponding to the code. The system establishes, via a web socket over a network protocol, the real-time communication session with a data feed from the sensor. The system provides, based on at least a portion of the data feed, a command to control the mobile telecommunications device.
    Type: Grant
    Filed: November 7, 2018
    Date of Patent: July 13, 2021
    Assignee: Connectwise, LLC
    Inventors: Jake Morgan, Mayfield Reynolds