Patents Examined by Shewaye Gelagay
-
Patent number: 11411927
Abstract: A method of establishing a secure communication channel from a first edge device that is in a first network zone across a secure overlay network to a second edge device that is in a second network zone, so that access to a computing device that is in the second network zone can be authenticated by an authentication service that is in the first network zone, includes the steps of establishing a first secure communication channel from the first edge device to the secure overlay network, receiving a request to join the secure overlay network along with administrator credential information and, responsive to the request, transmitting the administrator credential information to the authentication service for authentication through the first secure communication channel and the first edge device, and establishing a second secure communication channel from the second edge device to the secure overlay network if the authentication is received from the authentication service.
Type: Grant
Filed: February 18, 2020
Date of Patent: August 9, 2022
Assignee: VMware, Inc.
Inventors: YiSan Zhao, Nan Wang, Wen Wang, Xiangrui Meng, Jingtao Zhang
-
Patent number: 11405190
Abstract: A method for setting up a subscriber identity module for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server includes generating one or several exchange keys from keys of the provisioning server and of the subscriber identity module on a production server and are transmitted into the subscriber identity module and stored, so that the subscriber identity module is put particularly into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.
Type: Grant
Filed: December 14, 2016
Date of Patent: August 2, 2022
Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
Inventors: Gabriel Goller, Sven Bauer, Jürgen Pulkus, Lars Hoffmann
-
Patent number: 11398916
Abstract: Systems and methods are described for leveraging group signature technology to allow a group manager to set up rules that govern what requires consensus between members of the group. Consensus may require a plurality or a majority of signers using their individual private keys to use a group public key associated with the group. Group membership with group signatures allow for one group public key and a plurality of private keys, where each private key is associated with a group member.
Type: Grant
Filed: December 18, 2019
Date of Patent: July 26, 2022
Assignee: Wells Fargo Bank, N.A.
Inventor: Phillip H. Griffin
-
Patent number: 11395146
Abstract: Embodiments relate to a method, an apparatus, a vehicle and a computer program for determining information related to an authenticity of a wireless message in a wireless group communication among vehicles of a group of vehicles. The method comprises receiving the wireless message via an antenna module. The method further comprises detecting a signal pilot within the wireless message. The method further comprises determining the information related to the authenticity of the wireless message based on the detected signal pilot.
Type: Grant
Filed: May 13, 2019
Date of Patent: July 19, 2022
Assignee: VOLKSWAGEN AKTIENGESELLSCHAFT
Inventors: Ahmad El Assaad, Guillaume Jornod, Steffen Schmitz
-
Patent number: 11392680
Abstract: Implementations of data security technologies are disclosed. In an implementation, a plurality of feature points of a user-selected image are determined. A first plurality of interactive operations performed on at least a portion of the plurality of feature points by a user are detected during lock screen passcode set up of a mobile computing device. The first plurality of interactive operations are stored. The user-selected image is displayed on a lock screen when the mobile computing device is in a locked state. A second plurality of interactive operations on a touchscreen of the mobile computing device are detected when the mobile computing device is in the locked state, and the mobile computing device is unlocked if the second plurality of interactive operations match the first plurality of interactive operations.
Type: Grant
Filed: December 19, 2019
Date of Patent: July 19, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Xiaokai Sun
-
Patent number: 11386233
Abstract: The present disclosure provides a method, system, and device for distributing a software release. To illustrate, based on one or more files for distribution as a software release, a release bundle is generated that includes release bundle information, such as, for each file of the one or more files, a checksum, meta data, or both. One or more other aspects of the present disclosure further provide sending the release bundle to a node device. After receiving the release bundle at the node device, the node device receives and stores at least one file at a transaction directory. After verification that each of the one or more files is present/available at the node device, the one or more files may be provided to a memory of a node device and meta data included in the release bundle information may be applied to the one or more files transferred to the memory.
Type: Grant
Filed: April 30, 2019
Date of Patent: July 12, 2022
Assignee: JFrog, Ltd.
Inventor: Yoav Landman
-
Patent number: 11381386
Abstract: A method may include transmitting a first public encryption key from to a control device and encrypting a first packet for a remote network device utilizing a first private encryption key correlated with the first public encryption key. The method may also include generating a second public encryption key and a second private encryption key and transmitting the second public encryption key to the control device. The method may additionally include receiving a first message from the remote network device that the remote network device received the second public encryption key from the control device, and after receiving the first message from the remote network device that the remote network device received the second public encryption key, encrypting a second packet utilizing the second private encryption key.
Type: Grant
Filed: June 28, 2018
Date of Patent: July 5, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: David Mark Carrel, Venugopal Hemige, Praveen Raju Kariyanahalli
-
Patent number: 11354398
Abstract: A secure cartridge-based storage system includes a set of read/write control electronics on a control board adapted to removably couple with each of a plurality of storage cartridges. For each individual storage cartridge, the read/write electronics are adapted to retrieve a unique device identifier from the storage cartridge; retrieve an encryption key stored on the control board in association with the unique device identifier; and utilize the encryption key to encrypt or decrypt data that is in transit to or from a target storage location on the storage media.
Type: Grant
Filed: March 2, 2020
Date of Patent: June 7, 2022
Assignee: SEAGATE TECHNOLOGY LLC
Inventors: Riyan Alex Mendonsa, Saravanan Nagarajan, Kenneth A. Haapala
-
Patent number: 11349666
Abstract: The present solution is directed to methods and systems for storing personal identifiable information. In some implementations, the information is collected during the authentication of identification (ID) documents. The personal identifiable information can be useful in processes such as client enrollment, mobile device management, identification processes, and transaction audits. However, the data can be a target for bad actors. The present solution includes a one-way hashing and cryptographic function that converts unique personal identifiable information into a unique digest which can be securely stored on a mobile device and rendered as an original state digital image for proof of ID.
Type: Grant
Filed: January 29, 2018
Date of Patent: May 31, 2022
Assignee: META PLATFORMS, INC.
Inventors: J. Robert Geiman, Raphael A. Rodriguez
-
Patent number: 11337070
Abstract: Various systems and methods for user-authorized onboarding of a device using a public authorization service (310) are described herein. In an example, a 3-way authorization protocol is used to coordinate device onboarding among several Internet of Things (IoT) Fog users (e.g., devices in a common network topology or domain) with principles of least privilege. For instance, respective onboarding steps may be assigned for performance by different Fog ‘owners’ such as respective users and clients (350A, 350B, . . . , 350N). Each owner may rely on a separate authorization protocol or user interaction to be notified of and to give approval for the specific onboarding action(s) assigned. Further techniques for implementation and tracking such onboarding actions as part of an IoT network service are also disclosed.
Type: Grant
Filed: January 11, 2018
Date of Patent: May 17, 2022
Assignee: Intel Corporation
Inventors: Nathan Heldt-Sheller, Ned M. Smith
-
Patent number: 11328096
Abstract: The present disclosure provides a method, system, and device for distributing a software release. To illustrate, based on one or more files for distribution as a software release, a release bundle is generated that includes release bundle information, such as, for each file of the one or more files, a checksum, meta data, or both. One or more other aspects of the present disclosure further provide sending the release bundle to a node device. After receiving the release bundle at the node device, the node device receives and stores at least one file at a transaction directory. After verification that each of the one or more files is present/available at the node device, the one or more files may be provided to a memory of a node device and meta data included in the release bundle information may be applied to the one or more files transferred to the memory.
Type: Grant
Filed: June 10, 2020
Date of Patent: May 10, 2022
Assignee: JFROG, LTD.
Inventor: Yoav Landman
-
Patent number: 11316833
Abstract: A third party intermediary and a data protection method, system, and non-transitory computer readable medium, include executing a program, via the processor, using zero-knowledge verifiable computing to remove private content from a pre-approved version of a content to ensure privacy of a condition of a user from a provider of the content.
Type: Grant
Filed: March 26, 2020
Date of Patent: April 26, 2022
Inventors: Samuel Scott Adams, Susann Marie Keohane, James R. Kraemer, Jeb R. Linton
-
Patent number: 11316897
Abstract: Disclosed are various approaches for generating a management token corresponding to a client device. The management token can include one or more device policies that can be installed or enforced on a client device. This can allow a device that might not be enrolled as a managed device to be taken into a facility and comply with the security policies of the facility.
Type: Grant
Filed: August 2, 2017
Date of Patent: April 26, 2022
Assignee: VMware, Inc.
Inventors: Avinash Agarwal, Sivasubramaniam Sivakumar
-
Patent number: 11303460
Abstract: Several methods may be used to exploit the natural physical variations of sensors, to generate cryptographic physically unclonable functions (PUF) that may strengthen the cybersecurity of microelectronic systems. One method comprises extracting a stream of bits from the calibration table of each sensor to generate reference patterns, called PUF challenges, which can be stored in secure servers. The authentication of the sensor is positive when the data streams that are generated on demand, called PUF responses, match the challenges. To prevent a malicious party from generating responses, instructions may be added as part of the PUF challenges to define which parts of the calibration tables are to be used for response generation. Another method is based on differential sensors, one of them having the calibration module disconnected. The response to a physical or chemical signal of such a sensor may then be used to authenticate a specific pair of sensors.
Type: Grant
Filed: June 28, 2017
Date of Patent: April 12, 2022
Assignee: ARIZONA BOARD OF REGENTS ON BEHALF OF NORTHERN ARIZONA UNIVERSITY
Inventor: Bertrand Francis Cambou
-
Patent number: 11303631
Abstract: In accordance with at least some aspects of the present disclosure, an illustrative method for authenticating a user is disclosed. A plurality of biometric modalities are displayed for authenticating the user. A selection of one or more of the biometric authentication modalities may be received. User authentication data may be received for each of the one or more selected authentication modalities. The user authentication data may be compared with previously-determined biometric data. An authentication score may be determined based on the comparison of the user authentication data with the previously-determined biometric data. A determination may be made whether to authenticate the user based on the authentication score.
Type: Grant
Filed: June 28, 2018
Date of Patent: April 12, 2022
Assignee: Wells Fargo Bank, N.A.
Inventors: Mariam Alexanian, Andrew G. Foote, Ilya Ozerets, Shanti Tandukar
-
Patent number: 11290438
Abstract: The disclosure relates to techniques for enforcing a limit on single sign-on (SSO) sessions for users across multiple data centers in a multi data center deployment. Users may request access to resources that are governed by an access manager deployed across multiple data centers, with each data center being associated with its own identifier. Each user may be associated with an identity attribute preserved in identity stores across the multiple data centers. The prerequisite for session creation at a data center may be to update the identity attribute of the user to that data center's identifier. If the identity attribute can be updated successfully, the access manager can create a new SSO session at that data center. Updates to the identity attribute may be synchronized across all of the data centers, with each data center aware of any existing sessions based on the current value of the identity attribute.
Type: Grant
Filed: October 13, 2017
Date of Patent: March 29, 2022
Assignee: Oracle International Corporation
Inventors: Stephen Mathew, Vipin Koottayi
-
Patent number: 11263313
Abstract: In a general aspect, a method can include: executing an operation of a program that loads an arbitrarily chosen value of an initial data item of a series of ordered data; executing a series of calculation operations distributed in the program, that calculate a current data item based on a preceding data item; performing a final calculation operation of the series of operations that calculates a final data item of the data series; and executing an operation of the program that detects a program execution error by comparing the current data item of the data series with an expected value of the current data item or the final data item, the final data item having an expected value that is independent of the number of data items in the data series and is calculated based on the current data item of the data series and a final compensation data item.
Type: Grant
Filed: October 13, 2017
Date of Patent: March 1, 2022
Assignee: Rambus Inc.
Inventors: Othman Benchaalal, Vincent Dupaquis
-
Patent number: 11258861
Abstract: Technologies disclosed herein provide a method for receiving at a device from a remote server, a request for state information from a first processor of the device, obtaining the state information from one or more registers of the first processor based on a request structure indicated by a first instruction of a software program executing on the device, and generating a response structure based, at least in part, on the obtained state information. The method further includes using a cryptographic algorithm and a shared key established between the device and the remote server to generate a signature based, at least in part, on the response structure, and communicating the response structure and the signature to the remote server. In more specific embodiments, both the response structure and the request structure each include a same nonce value.
Type: Grant
Filed: June 29, 2018
Date of Patent: February 22, 2022
Assignee: Intel Corporation
Inventors: Prashant Dewan, Siddhartha Chhabra, Uttam K. Sengupta, Howard C. Herbert
-
Patent number: 11258587
Abstract: Generating a rights blockchain storing rights of a user, including: receiving an enrollment request and a public key from the user; verifying that the user has a private key corresponding to the public key; generating a user identifier using the public key; and generating and delivering the rights blockchain having a genesis block including the user identifier to the user.
Type: Grant
Filed: March 14, 2017
Date of Patent: February 22, 2022
Assignees: Sony Corporation, Sony Pictures Entertainment Inc.
Inventor: Eric Diehl
-
Patent number: 11252191
Abstract: A system, method, and computer-readable medium are disclosed for performing a platform security operation, comprising: presenting a platform security user interface, the platform security user interface including a plurality of security blocks, each of the plurality of security blocks corresponding to a particular security policy function configuring a security policy via the platform security user interface, the configuring comprising combining a set of the security blocks according to a desired security function; converting the set of security blocks to information representing the security policy; and, deploying the security policy to an information handling system.
Type: Grant
Filed: June 15, 2017
Date of Patent: February 15, 2022
Assignee: Dell Products L.P.
Inventors: Ricardo L. Martinez, Justin W. Johnson, Joshua N. Alperin, Richard M. Tonry, Nikolay Kalaichidi