Patents Examined by Noura Zoubair
  • Patent number: 11522848
    Abstract: Systems and methods are provided for verifying identities of users. One exemplary method includes generating a unique identifier (ID) for a user, generating a public/private key pair associated with the unique ID for the user, and receiving at least two images. The images include a first image associated with a physical document indicative of an identity of the user and a second image comprising an image of at least part of the user. The exemplary method further includes validating an integrity of the first image, converting at least the first image to one-way hashed data, when the integrity of the first image is valid, and transmitting the hashed data signed with the private key, the unique ID and the public key to an identification provider, whereby a digital identity record for the user is stored in a ledger data structure.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: December 6, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Ashfaq Kamal
  • Patent number: 11507654
    Abstract: A secure engine method includes providing an embedded microcontroller in an embedded device, the embedded microcontroller having internal memory. The method also includes providing a secure environment in the internal memory. The secure environment method recognizes a boot sequence and restricts user-level access to the secure environment by taking control over the secure environment memory. Taking such control may include disabling DMA controllers, configuring at least one memory controller for access to the secure environment, preventing the execution of instructions fetched from outside the secure environment, and only permitting execution of instructions fetched from within the secure environment. Secure engine program instructions are then executed to disable interrupts, perform at least one secure operation, and re-enable interrupts after performing the at least one secure operation.
    Type: Grant
    Filed: August 14, 2020
    Date of Patent: November 22, 2022
    Assignee: STMICROELECTRONICS, INC.
    Inventors: Maurizio Gentili, Massimo Panzica
  • Patent number: 11496458
    Abstract: A method, apparatus, and computer program product for establishing an authenticated online session are provided. An example method includes receiving a request for an authenticated online session and causing, by display circuitry, presentation of an input pattern to a user. The method further includes receiving, by gaze detection circuitry, one or more images of the user's eye captured during presentation of the input pattern, and determining, by the gaze detection circuitry, an identification code represented by the one or more images. The method also includes receiving, by contextual evaluation circuitry, contextual device data of a user device associated with the user during presentation of the input pattern. The method further includes establishing, by authentication circuitry, the authenticated online session based upon the identification code and the contextual device data.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: November 8, 2022
    Assignee: WELLS FARGO BANK, N.A.
    Inventors: Ganesan Anand, Bipin M. Sahni
  • Patent number: 11496285
    Abstract: A method (and structure) includes receiving a challenge for an authentication, in a chip having stored in a memory device therein a secret to be used in an authentication attempt of the chip by an external agent. The chip includes a hardware processing circuit to sequentially perform a processing related to the secret. The secret is retrieved from the memory device and processed in the hardware processing circuit in accordance with information included in the received challenge. The result of the processing in the hardware processing circuit is transmitted as a response to the challenge. The hardware processing circuit executes in a parallel manner, thereby reducing a signal that can be detected by an adversary attempting a side channel attack to secure the secret.
    Type: Grant
    Filed: September 8, 2016
    Date of Patent: November 8, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Richard Harold Boivie, Daniel Joseph Friedman, Charanjit Singh Jutla, Ghavam G. Shahidi
  • Patent number: 11468191
    Abstract: Implementations of the present specification provide a method and an apparatus for identifying an applet of risky content based on differential privacy preserving. An example method includes: responsive to monitoring an operation performed by a user using an applet, determining whether an operation source is a risky operation source, the operation source including a combination of the user and a device used by the user; responsive to determining that the operation source is a risky operation source, disturbing a program identifier of the applet by using a randomized response technique that satisfies local differential privacy preserving; and sending an operation source identifier of the operation source and the disturbed program identifier to a serving end, so that the serving end identifies whether the applet is an applet of risky content based on multiple received disturbed program identifiers by using the randomized response technique.
    Type: Grant
    Filed: June 3, 2021
    Date of Patent: October 11, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventor: Huichao Hou
  • Patent number: 11463406
    Abstract: A method includes receiving electronic data, extracting a first identifier from the electronic data, extracting first attributes from the electronic data, and searching a database for identifiers that match the first identifier to determine a number of matching identifiers. The method also includes determining that the number of matching identifiers exceeds a first threshold and searching the database for attributes associated with each of the matching identifiers to determine a subset of matching attributes. The method further includes calculating a specificity for the subset of matching attributes, determining that the specificity of the subset of matching attributes is less than or equal to a second threshold, and creating a filter based at least in part on the determination that the specificity of the subset of matching attributes is less than or equal to the second threshold.
    Type: Grant
    Filed: May 17, 2018
    Date of Patent: October 4, 2022
    Assignee: ZIXCORP SYSTEMS, INC.
    Inventors: Jonathan Daniel Durbin, Christopher Dylan Bruch Foster
  • Patent number: 11463251
    Abstract: The present invention relates to a method of securely using a first tenant secret key stored under an encrypted form in a first token (TKA) of a first tenant (A) identified by a first tenant identifier (UIDA) and having said first tenant secret key, wherein: each tenant identifier (UIDT) for a tenant (T) comprises a first value and, when said tenant (T) is allowed to use a secret key of a parent tenant (Tp) identified by a parent tenant identifier (UIDTP), said parent tenant identifier, appended before said first value, and said first token (TKA) has been generated from said first tenant identifier (UIDA) and a first tenant secret key encrypted with said first tenant identifier (UIDA) and with a first tenant customer master key (CMKA), said first tenant customer master key (CMKA) having been derived from said first tenant identifier (UIDA) and a secure domain master key (SDMK), said method comprising the following steps performed by a secure device storing said secure domain master key (SDMK), on request of a
    Type: Grant
    Filed: December 14, 2017
    Date of Patent: October 4, 2022
    Assignee: THALES DIS FRANCE SAS
    Inventors: Dominique Lacouture, Patrick Lambert, Daniel Rocha Furtado
  • Patent number: 11443075
    Abstract: A secure storage system having authentication and cryptographic data protection is made by providing a mass-data memory and a security element communicatively coupled with the mass-data memory. This mass-data memory and the securing element are controlled by respective different control commands such that different drivers can be installed to operate the mass-data memory and the security element. A secured hardware data interface is provided between the mass-data memory and the security element, and the security element provides security-critical information concerning the data of the mass-data memory.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: September 13, 2022
    Assignee: SECUNET SECURITY NETWORKS AG
    Inventors: Jens Kulikowski, Soenke Schroeder
  • Patent number: 11418338
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for a cryptoasset custodial system using power down of server computers to protect cryptographic keys. The cryptoasset custodial system includes a plurality of server computers. Each server computer of the plurality of server computers includes a volatile memory configured to store a cryptographic key associated with a cryptographic transaction to be performed, by the server computer, on a blockchain. A computing device is communicatively coupled to the volatile memory and configured to perform, using the cryptographic key, the cryptographic transaction on the blockchain. Responsive to detecting an interruption in an electrical power supply to the server computer, the stored cryptographic key is deleted from the volatile memory to prevent access to the cryptographic key.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: August 16, 2022
    Assignee: Anchor Labs, Inc.
    Inventors: Diogo Monica, Nathan P. McCauley, Riyaz D. Faizullabhoy
  • Patent number: 11411725
    Abstract: The present disclosure involves systems, software, and computer implemented methods for an efficient distributed secret shuffle protocol for encrypted database entries using independent shufflers. Each of multiple data providers provides an encrypted secret input value. A set of shuffling clients, independent of the data providers, participate with a service provider in a secret shuffling of the encrypted secret input values. The protocol includes generation and exchange of random numbers, random permutations and different blinding values. A last protocol step includes using homomorphism, for each client, to perform computations on intermediate encrypted data to homomorphically remove a first blinding value and a second blinding value, to generate a rerandomized encrypted secret input value. As a result, the rerandomized encrypted secret input values are generated in an order that is unmapped to an order of receipt, at the service provider, of the encrypted secret input values.
    Type: Grant
    Filed: April 15, 2020
    Date of Patent: August 9, 2022
    Assignee: SAP SE
    Inventors: Kilian Becher, Axel Schroepfer, Mirko Schaefer
  • Patent number: 11405197
    Abstract: A method for expiring tokens includes obtaining a list of valid key identifications (IDs) for at least one valid cryptographic key configured to sign authentication tokens. The method also includes receiving an authentication token from a client authenticating and authorizing the client to access a resource and comprising an ID of a cryptographic key used to sign the authentication token. The method also includes determining whether the cryptographic key used to sign the authentication token is valid based on the list of valid key IDs for the at least one valid cryptographic key. When the cryptographic key used to sign the authentication token is valid, the method includes allowing the client access to the resource.
    Type: Grant
    Filed: June 8, 2020
    Date of Patent: August 2, 2022
    Assignee: Google LLC
    Inventors: Romain Lenglet, Erik David Gustavson
  • Patent number: 11405209
    Abstract: Disclosed are an apparatus for controlling authentication and a method of operating the same capable of increasing security and convenience in user authentication by authenticating a user through an authentication scheme that is determined differently according to space reliability of an authentication-processing space in which user authentication is processed.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: August 2, 2022
    Assignee: SK PLANET CO., LTD.
    Inventor: Ki Chon Kang
  • Patent number: 11399039
    Abstract: Lateral movement between networked computers is detected, and automatically and efficiently assessed by a detection tool to distinguish innocent activity from cyberattacks. By correlating log data about logins and network traffic, the detection tool produces network node sets corresponding to individual movements. If a chain can be built from node sets matching an event sequence pattern that tends to be used by attackers, then the detection tool reports the chain as an illicit lateral movement candidate. Detection patterns define illicitness grounds such as consistency of data transfer sizes, shortness of login intervals, use of suspect protocols, chain scope, and the presence or use of administrator credentials. Detection responses may then isolate computers, inspect them for malware or tampering, obtain forensic images for analysis, tighten exfiltration filtering, and otherwise mitigate against ongoing or future cyberattacks.
    Type: Grant
    Filed: January 30, 2020
    Date of Patent: July 26, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mor Rubin, Moshe Ben-Nehemia
  • Patent number: 11394715
    Abstract: Some methods enable a first device to assist a second device in becoming authenticated with a content management system. The content management system can receive user credentials or an elevated access token from the first device. The content management system can respond to the first device with an access token for use by the second device. Alternatively, the content management system can send the access token directly to the second device. The second device can then use the access token for authenticated communications with the content management system.
    Type: Grant
    Filed: December 11, 2019
    Date of Patent: July 19, 2022
    Assignee: Dropbox, Inc.
    Inventors: Yuran Lu, Rong Zhao, James Harvey
  • Patent number: 11360941
    Abstract: Disclosed are a method and a device for compressing and decompressing unit files when encrypting an electronic publication (EPUB) file. The method for compressing unit files for EPUB file encryption comprises: a step of determining an encryption target unit file from among a plurality of unit files forming an EPUB file; a step of performing encryption of the compressed encryption target unit file; and a step of performing compression of general unit files among the plurality of unit files in addition to the encryption target unit file. As such, by performing compression of the encryption target unit file before the general unit files, it is possible to effectively reduce the size of a single packaged EPUB file.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: June 14, 2022
    Assignee: FASOO.COM CO., LTD.
    Inventors: Yeong Hun Yi, Kyo Young Chin
  • Patent number: 11283768
    Abstract: The disclosed computer-implemented method for managing connections may include (i) detecting, by a security agent on an endpoint, an attempt by another application on the endpoint to establish a connection according to a specific Internet protocol, and (ii) injecting, by the security agent on the endpoint, into an options field within a header of a network packet within the connection, the header formatted according to the specific Internet protocol, at least one byte that reveals identifying information about the application to enable an in-line proxy security device to manage the connection according to the revealed identifying information. Various other methods, systems, and computer-readable media are also disclosed.
    Type: Grant
    Filed: March 2, 2021
    Date of Patent: March 22, 2022
    Assignee: NortonLifeLock Inc.
    Inventor: Qing Li
  • Patent number: 11277440
    Abstract: A method of providing infrastructure protection for a server of a network organization, the method including announcing an internet protocol (IP) address range associated with the network organization using a border gateway protocol (BGP) on an edge server of a distributed network of edge servers. The method further including receiving an incoming network packet intended for the server of the network organization identified using a public IP address within the IP address range, the public IP address serving as a first anycast address for a distributed network of edge servers. The method further including determining, by the distributed network, whether the incoming network packet is legitimate. The method further including, responsive to determining that the incoming network packet is legitimate, routing, by a processor using generic routing encapsulation (GRE), the incoming network packet to the server at a private IP address.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: March 15, 2022
    Assignee: IMPERVA, INC.
    Inventors: Dvir Shapira, Ehud Cohen, Tomer Bronshtein, Eyal Leshem, Alon Ludmer
  • Patent number: 11277441
    Abstract: A method of providing infrastructure protection for a server of a network organization, the method including announcing an IP address range associated with the network organization using a border gateway protocol on an edge router of a scrubbing center associated with the network organization. The method further including receiving an incoming network packet intended for a server of the network organization identified using a public IP address within the IP address range, the public IP address serving as a first anycast address for a plurality of scrubbing centers in a distributed network of scrubbing servers, the plurality of scrubbing centers including the scrubbing center. The method further including determining, by the scrubbing center, whether the incoming network packet is legitimate. The method further including, responsive to determining that the incoming network packet is legitimate, routing, by a processor, the incoming network packet to the server at a private IP address.
    Type: Grant
    Filed: April 3, 2020
    Date of Patent: March 15, 2022
    Assignee: IMPERVA, INC.
    Inventors: Dvir Shapira, Ehud Cohen, Tomer Bronshtein, Eyal Leshem, Alon Ludmer
  • Patent number: 11271740
    Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for enabling paperless documentation. One method includes identifying one or more electronic forms to be filled out and submitted. At each step of a plurality of steps: generating a unique identifier (ID) based on a time that the step is performed and digital content on the electronic form at the time; recording the unique ID, the time, and the digital content on the blockchain; embedding the unique ID in the digital content at the time by changing one or more attributes associated with the digital content to be representative of the unique ID, where the embedding produces information-embedded digital content that enables retrieval of the time and the digital content from the blockchain based on the unique ID; and recording the information-embedded digital content to the blockchain.
    Type: Grant
    Filed: July 9, 2021
    Date of Patent: March 8, 2022
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Zhiguo Li
  • Patent number: 11265314
    Abstract: One or more embodiments of the present specification relate to a data processing method, apparatus, device, and system for code scanning jumps. An example method includes receiving scan data resulting from a client application having been used to scan an identification code, in which the identification code and the client application have been created under different platforms. A domain name is obtained from the scan data, and a target regular expression corresponding to the domain name is obtained from a regular expression library. A jump rule string corresponding to the identification code is determined based on the target regular expression and a resource path of the domain name of the identification code, and a jump address corresponding to the jump rule string is queried from a rule library that includes mapping relationships between jump rule strings and jump addresses.
    Type: Grant
    Filed: June 28, 2021
    Date of Patent: March 1, 2022
    Assignee: Alipay (Hangzhou) Information Technology Co., Ltd.
    Inventor: Shengqun Zou