Patents Examined by Sher A Khan
  • Patent number: 11736301
    Abstract: A method, system, transmitter, and receiver for authenticating a transmitter are disclosed. The authentication is performed using an asymmetric key pair and using a digital signature. The method for authenticating the transmitter includes generating a user identification, calculating the digital signature, generating an authentication request message, and transmitting the authentication request message to a receiver.
    Type: Grant
    Filed: May 29, 2021
    Date of Patent: August 22, 2023
    Assignee: Siemens Aktiengesellschaft
    Inventors: Steffen Fries, Andreas Güttinger, Marco Lambio
  • Patent number: 11734457
    Abstract: A processor that was manufactured by a manufacturer comprises privileged debug operational circuitry, a debug restriction fuse, a credential store, a credential of the manufacturer in the credential store, and debug control circuitry. The debug restriction fuse is a one-time programmable fuse. The debug control circuitry is to automatically restrict access to the privileged debug operational circuitry, based on the debug restriction fuse. The processor may also include public debug operational circuitry, a prevent-unauthorized-debug (PUD) fuse, and an undo-PUD fuse. When the PUD fuse is set and the undo-PUD fuse is clear, the debug control circuitry may respond to an attempt by a debugger to use the public debug operational circuitry by determining whether the debugger is authorized, disallowing access if the debugger is not authorized, and allowing access if the debugger is authorized. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2019
    Date of Patent: August 22, 2023
    Assignee: Intel Corporation
    Inventors: Neel Piyush Shah, Enrico David Carrieri, Aditya Katragada, Jonathan Mark Lutz, Michael Carl Neve de Mevergnies, Bhavana Prabhakar
  • Patent number: 11722312
    Abstract: Signing data so that a signature can be verified by a verifier while preserving the privacy of a signer, the method including: generating a signature nonce; encrypting the signature nonce with a public key of the verifier to produce an encrypted signature nonce; and calculating a signature of the data of the signer by signing the data concatenated with the signature nonce using a private key of the signer.
    Type: Grant
    Filed: March 9, 2020
    Date of Patent: August 8, 2023
    Assignees: Sony Group Corporation, Sony Pictures Entertainment Inc.
    Inventor: Eric Diehl
  • Patent number: 11687676
    Abstract: A platform implements a remote online notarization service. The remote online notarization (RON) service allows notarization of digital documents which have been electronically signed. The RON process can be initiated by a facilitator and involves participants including one or more signers and a notary. The RON service provided by the present system confirms technical features of each participant's device used to participate in the RON process. Once a participant's device is verified and the participant is verified, the participant is provided with access to a notarization session in which the notarization takes place. The service provides a manageable, reliable platform for implementing a RON process based on features including digital witnessing of document e-signing, use of custom notary stamps, and creation of unique notary journal entries.
    Type: Grant
    Filed: September 30, 2020
    Date of Patent: June 27, 2023
    Assignee: Liveoak Technologies, Inc.
    Inventors: Alexander Hardy, Allan Keller, Peter Rung
  • Patent number: 11683685
    Abstract: Various systems and methods for testing devices, issuing certificates, and managing certified devices, are discussed herein. A system is configured for using platform certificates to verify compliance and compatibility of a device when onboarding the device into an internet of things (IoT) network. The system may use an approved product list to verify compliance and compatibility for the device. When the device is certified, the system may use an onboarding tool to onboard the device into the IoT network.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: June 20, 2023
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Edward Agis, Eduardo Cabre, Jeremy Rover, David J. McCall
  • Patent number: 11683187
    Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data. The user migrates trust to another device by providing the root certificate and intermediate certificate as a certificate chain to a second device, which then adds a new intermediate certificate to create a longer certificate chain with the same root certificate. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate from the second user device, and matches that with the user identification data stored in a database.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: June 20, 2023
    Assignee: Beyond Identity, Inc.
    Inventors: Nelson Melo, Michael Clark, James Clark
  • Patent number: 11677548
    Abstract: A system is provided for distribution of device key sets over a network in a protected software environment (PSE). In the system, a client device includes a connection interface for receiving a crypto hardware (CH) token belonging to a user, untrusted software, a quoting enclave, and a PSE for generating a provisioning request for a device key set. An attestation proxy server (APS) receives the provisioning message using a first network connection, and transmits the provisioning message to an online provisioning server (OPS) using a second network connection. The OPS constructs a provisioning response and an encrypted device key set, and delivers the provisioning response to the untrusted software using the first and second network connections. The PSE decrypts the encrypted device key set to obtain the device key set, re-encrypts the device key set with a local chip-specific key, and stores the re-encrypted device key set.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: June 13, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Jinsong Zheng, Jason A. Pasion, Xin Qiu, Tat Keung Chan, Eric Eugene Berry, Michael Ryan Pilquist, Douglas M. Petty
  • Patent number: 11645424
    Abstract: A computer-based system and method for verifying integrity of data in a key-value database, including assigning each key that is supported by the key-value database to a bucket in a keys database. Upon storing a pair of a value and a key in the key-value database, storing in the bucket assigned to the key a presence indicator indicative of a presence of the key in the key-value database. A bucket is assigned to a key by applying a predetermined function on the key. When reading a value from the key-value database, if the response is empty: getting from the keys database the bucket associated with the key and searching the bucket for the presence indicator associated with the key. If the presence indicator associated with the key is found in the bucket, determining that the key-value database is not complete.
    Type: Grant
    Filed: April 27, 2020
    Date of Patent: May 9, 2023
    Assignee: International Business Machines Corporation
    Inventors: Grisha Weintraub, Alon Kadosh
  • Patent number: 11641282
    Abstract: Systems and methods performed for generating authentication information for an image using optical computing are provided. When a user takes a photo of an object, an optical authentication system receives light reflected and/or emitted from the object. The system also receives a random key from an authentication server. The system converts the received light to plenoptic data and uploads it to the authentication server. In addition, the system generates an optical hash of the received light using the random key, converts the generated optical hash to a digital optical hash, and uploads the digital optical hash to the authentication server. When the authentication server receives the upload, it verifies whether the time of the upload is within a certain threshold time from the sending of the random key and whether the digital optical hash was generated from the same light as the plenoptic data.
    Type: Grant
    Filed: May 27, 2021
    Date of Patent: May 2, 2023
    Assignee: Lawrence Livermore National Security, LLC
    Inventors: Maxwell R. Murialdo, Brian Giera, Brian M. Howell, Robert M. Panas
  • Patent number: 11632242
    Abstract: A computer processing hardware architecture system for the Kyber lattice-based cryptosystem which is created with high resource reuse in the compression and decompression module, the operation unit, the binomial samplers, and the operation ordering, wherein the architecture system includes an internal controller operably configured to independently accelerate a plurality of cryptographic Kyber algorithms at all NIST-recommended post-quantum cryptography security levels and is operably coupled to a singular module operably configured to perform compression and decompression as specified in Kyber, perform arithmetic operations utilized in the plurality of cryptographic Kyber algorithms, and reuse hardware resources for all the arithmetic operations utilized in the plurality of cryptographic Kyber algorithms.
    Type: Grant
    Filed: December 30, 2020
    Date of Patent: April 18, 2023
    Assignee: PQSecure Technologies, LLC
    Inventor: Luke Beckwith
  • Patent number: 11626975
    Abstract: In a system comprising a customer providing a service to a plurality of client devices, a method and system for providing a customer-specific digital certificate to a client device of the plurality of client devices is disclosed. The method comprises receiving, in an intermediate certificate authority, a pre-generated digital certificate and an encrypted client device private key encrypted according to a private key encryption key PrKEK, receiving, from the client device, a request for the customer-specific digital certificate, the request comprising at least one of client device identifying information and information identifying the customer, the request signed according to a pre-provisioned client device digital certificate, and transmitting the customer-specific digital certificate and the encrypted client device private key to the client device.
    Type: Grant
    Filed: January 15, 2021
    Date of Patent: April 11, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Alexander Medvinsky, Tat Keung Chan, Xin Qiu, Jason A. Pasion, Ting Yao, Shanthakumar Ramakrishnan
  • Patent number: 11604901
    Abstract: An extended hardware security module (“HSM”) possessing additional security properties relative to conventional HSMs and methods for initializing, deploying, and managing such extended HSMs in a networked environment. In the preferred embodiment, an extended HSM includes additional hardware and software components that configure it to run sensitive client tasks on demand inside a cloud-hosted, anti-tamper HSM housing so as to ensure sensitive data is encrypted when stored or processed outside the housing. Methods for initializing, deploying, and managing provide a framework through which extended HSMs may be secured from their initial assembly through their availing for use and actual use over a network by one or more clients. Such use often entails repeated discrete sequential secure sessions and concurrent discrete secure sessions.
    Type: Grant
    Filed: June 1, 2020
    Date of Patent: March 14, 2023
    Assignee: Private Machines Inc.
    Inventor: Radu Sion
  • Patent number: 11586724
    Abstract: The invention relates generally to the field of content authentication, and more particularly, to a system and methods for verifying the authenticity of content output to a user. In certain preferred embodiments, the content is verified by identifying the source data of the content, distributing the content, and authenticating the distributed content. Where the content has not been changed, the system may authenticate the content using a cryptographic hash. When minor changes to the content are made, the system may use a perceptual hash to authenticate the content. Further, the system may utilize machine learning algorithms to identify patterns between the same content in, for example, multiple formats and sizes. Advantageously, the content that is uploaded to the system may be used to train machine-learning models that the system may use to authenticate content that has been converted but unmanipulated.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: February 21, 2023
    Assignee: Authidote LLC
    Inventors: Michael Gallagher, Vinay Kumar Thadem
  • Patent number: 11588645
    Abstract: A new compromise-resilient and compact cryptographic tool is provided that ensures a breach-resilient authentication and integrity of system measurements in computer systems. The described methods are forward-secure digital signatures with signature and partial public key aggregation capabilities. The methods reduce the total space overhead of signature and public key storage. The methods offer a high space efficiency for systems that have relatively low state transitions, wherein the same message is continuously signed and then followed by different messages.
    Type: Grant
    Filed: September 2, 2020
    Date of Patent: February 21, 2023
    Assignee: University of South Florida
    Inventor: Attila A. Yavuz
  • Patent number: 11582044
    Abstract: Systems and methods to timestamp and authenticate digital documents using a secure ledger are described. Some implementations can include a computer-implemented method to timestamp and authenticate electronic documents. The method can include receiving, by a timestamp and authentication server and from a user device, a unique hash value that is generated at the user device based on a source document and a device identifier of the user device, and verifying, by the timestamp and authentication server, the device identifier. The method can also include, upon verifying the device identifier, inserting, by the timestamp and authentication server, the hash value and the device identifier into a secure ledger, and upon successful insertion into the secure ledger, transmitting, from the timestamp and authentication server to the user device, a success status message including a location in the secure ledger where the hash value was inserted.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: February 14, 2023
    Inventor: Mahboud Zabetian
  • Patent number: 11582214
    Abstract: Certain embodiments provide a method of updating a security. The method can include monitoring a bearer that includes first and second radio accesses according to different radio technologies between user equipment and a communications network. One or more properties of the monitored bearer can be determined. An update of a security key utilized for securing communications over at least one of the radio accesses can be triggered in response to determining that the determined properties meet at least one triggering condition capable of indicating a need for the update.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: February 14, 2023
    Assignee: NOKIA TECHNOLOGIES OY
    Inventors: Daniela Laselva, Suresh P. Nair, Mika Rinne
  • Patent number: 11574064
    Abstract: A data input method and apparatus, and user equipment are provided. The method includes: when it is determined that an operation of a user on the user equipment UE is not performed in a preset display area, delivering an event corresponding to the operation to a first operating environment for processing, where the preset display area runs in a second operating environment of the UE, and the second operating environment has a higher security level than the first operating environment. This can better improve security of an event generated when the user operates a program that runs in a Normal World of the user equipment, and can directly operate an event that runs in the Normal World.
    Type: Grant
    Filed: October 30, 2020
    Date of Patent: February 7, 2023
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Peng Zhang, Ji Wang, Hui Li, Hongliang Xie, Xiaopu Wang
  • Patent number: 11563579
    Abstract: Approaches in accordance with various embodiments allow for zero-touch enrollment of devices with respective manager systems. In at least one embodiment, a device at startup can contact a central directory service (CDS) for information about an associated manager. The CDS can authenticate the device using device information included in the request, and can send a challenge token to the device in response. The challenge token can include information for the manager, protected with multiple layers of security that should only be able to be decrypted by the authenticated device. The device can decrypt this challenge token to determine the manager information, and can convert this challenge token to a bearer token. The device can then send a request to the determined manager that includes the bearer token, which the manager can use to authenticate the device. The manager can then send the device appropriate configuration information.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: January 24, 2023
    Assignee: Nvidia Corporation
    Inventors: Daniel Major, Mark Overby
  • Patent number: 11552804
    Abstract: A system and method for efficiently managing an executable environment involving multiple code-sign certificate chains. The system and method include receiving, by one or more processors and from a client device, a request for information to verify an authorization of a code bundle, the code bundle associated with a first signed code segment and a second signed code segment. The system and method include generating, by one or more processors, a list of certificates associated with the code bundle. The system and method include transmitting, by the one or more processors and to the client device, a message comprising the list of certificates, the message causing the client device to verify the code bundle based on the list of certificates.
    Type: Grant
    Filed: July 17, 2020
    Date of Patent: January 10, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventor: Jeff J. Stapleton
  • Patent number: 11537760
    Abstract: Various examples are directed to systems and methods for executing a web application with client-side encryption. A web application may execute in a web browser at a client computing device. The web browser may generate a document comprising a secure display element. The web browser may request to render the document at the client computing device. A cryptographic tool of the web browser may decrypt the first encrypted value to generate a first clear value. The web browser may render the document at an output device of the client computing device using the clear value. The web browser may also be programmed to prevent the web application from accessing the first clear value.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: December 27, 2022
    Assignee: SAP SE
    Inventor: Martin Johns