Abstract: A method of dynamically adjusting access privileges of system identities. A set of access logs associated with a system are analyzed in order to generate a restricted access policy for an over privileged system identity. An initial access policy of the system identity is replaced with the restricted access policy and a continuous monitoring and access management (CMAM) service is initiated. Access logs are collected for a monitoring time window and an access denied error can be extracted from the access logs. The access denied error can be compared to an ignore list and/or the access denied error can be added to the ignore list. Authorization checks can be performed to determine if the action associated with the access denied error is authorized. If the action is authorized, the access policy is adjusted to allow for performance of the action.

Abstract: A method is provided for authenticating a first device to a second device using a self-signed digital certificate, when the first device is requested to authenticate itself to the second device. Responsive to the request, a self-signed digital certificate is sent from the first device to the second device. The self-signed digital certificate includes a hash of a password that has been previously provisioned in the first device. The password previously provisioned in the first device is hashed. The hash of the password previously provisioned in the first device is compared, using the second device, with the hash of the password included in the self-signed digital certificate. The first device is authenticated if the second device confirms that the hash of the password previously provisioned in the first device matches the hash of the password included in the self-signed digital certificate.

Abstract: A method for the disclosure of at least one cryptographic key used for encrypting at least one communication connection between a first communication subscriber and a second communication subscriber in which, in a publish-subscriber server, at least one of the communication subscribers logs on as a publishing unit and at least one monitoring device logs on as a subscribing unit, and in a subsequent negotiation of a cryptographic key by the publishing unit, automatically the negotiated cryptographic key is supplied from the publishing unit to the publish-subscribe server, the negotiated cryptographic key is transmitted from the publish-subscribe server to the at least one subscribing unit, and the encrypted communication connection from the subscribing unit is decrypted using the cryptographic key is provided. The following also relates to a corresponding system.

Abstract: The technology disclosed relates to authenticating users using a plurality of non-deterministic registration biometric inputs. During registration, a plurality of non-deterministic biometric inputs are given as input to a trained machine learning model to generate sets of feature vectors. The non-deterministic biometric inputs can include a plurality of face images and a plurality of voice samples of a user. A characteristic identity vector for the user can be determined by averaging feature vectors. During authentication, a plurality of non-deterministic biometric inputs are given as input to a trained machine learning model to generate a set of authentication feature vectors. The sets of feature vectors are projected onto a surface of a hyper-sphere. The system can authenticate the user when a cosine distance between the authentication feature vector and a characteristic identity vector for the user is less than a pre-determined threshold.

Abstract: The invention comprises a method for filtering data. The method comprises receiving a network request from a client, determining, based on one or more filtering criteria, whether to forward the network request to a server, and based on the determining, forwarding the network request to the server, or preventing the network request from reaching the server and blocking future network requests from the client.

Abstract: Systems and methods for using micro accelerations as a biometric factor for multi-factor authentication, the method including receiving, filtering, and determining an identifying pattern from micro acceleration data representative of the user, storing the identifying pattern for later use in authenticating the identity of the user, and using the identifying pattern as one factor in a multi factor authentication.

Abstract: A large-scale Ethernet mesh network is provided, which includes a group connectivity association (CA) including at least thirty-one authenticated supplicant nodes. An authenticator module authenticates each of the authenticated supplicant nodes, and distributes a shared group encryption key to each of the authenticated supplicant nodes. Each of the authenticated supplicant nodes encrypt data using the shared group encryption key, and exchange the encrypted data with any other remaining authenticated supplicant node.

Abstract: A method includes generating a secure management mode public-private key pair; generating a certificate signing request, the certificate signing request including the secure management mode public key of the secure management mode public-private key pair, the certificate signing request including a common name associated with a trusted root certificate authority; sending the secure management mode certificate signing request to a signing server; receiving a signed certificate signed by a factory certificate authority, a public key certificate for the factory certificate authority, and a trust chain signed by the trusted root certificate authority; validating the signed certificate; and enabling a secure management mode.

Abstract: A computer system and method having a user interface including a touch-sensitive display screen. The system and method enables entry of a password which includes displaying a first array of a plurality of images on the touch-sensitive display prompting a user to select with a finger one of the plurality of images displayed. Subsequently at least another array of a plurality of images successive to the first array is displayed on the touch sensitive display prompting a user to select with a finger one of the plurality of images displayed in the another array of images. A computer processor then determines if a user selected a predetermined image from the first array of the plurality of images and a predetermined image from each at least another array of plurality of images displayed after the first array. If determined, the user is permitted access to an application executable on the computer system.

Abstract: An embodiment of the present invention is directed to providing third party certificate management for native mobile apps or IoT apps. An embodiment of the present invention is directed to performing vendor certificate pinning for trusted communications in native mobile apps without having to control vendor certificate lifecycle management. With an embodiment of the present invention, downloaded certificates may be protected by encryption, anti-tampering protection, etc.

Abstract: Systems, methods, and apparatuses for implementing authentication of a user login to an external website from a community in a cloud based computing environment. An exemplary system having at least a processor and a memory therein includes means for identifying a first domain where a user is to be allowed to login to an external web page hosted thereon, and means for connecting the external web page with a community of a cloud computing environment hosted on a second domain different than the identified first domain, the connecting means handling how the connected community authenticates the user when the user logs into the external web page and providing one of a plurality of login experiences for the user based on conditions determined at run time.

Abstract: Technologies for key management of internet-of-things (IoT) devices include an IoT device, an authority center server, and a group management server. The IoT device is configured to authenticate with an authority center server via an offline communication channel, receive a group member private key as a function of the authentication with the authority center server, and authenticate with a group management server via a secure online communication channel using the group member private key. The IoT device is further configured to receive a group shared key as a function of the authentication with the group management server, encrypt secret data with the group shared key, and transmit the encrypted secret data to the group management server. Other embodiments are described herein.

Abstract: One embodiment provides a method, including: receiving, at a remote device and from a user, a request to generate a one-time password for accessing a default account of a device, wherein the remote device comprises a device public key corresponding to the device and an account public/private key pair corresponding to the default account; generating, at the remote device, the one-time password utilizing the account private key and the device public key; and providing, from the remote device, the one-time password to the user. Other aspects are described and claimed.

Abstract: An example operation may include one or more of registering, by a data sharing node, a first service node and a second service node for accessing a common data store, causing, by the data sharing node, a first client node associated with the first service node to provide a data access request token key and a receipt key to a second client node associated with the second service node based on a data access request received from the second client node, assigning, by the data sharing node, weights to the data access request token key and to the receipt key, and causing, by the data sharing node, the second service node to retrieve a result from the data source based on the assigned weights.

Abstract: A “trusted domain” is established within which content received from a communications network, e.g., a cable TV network, is protected from unauthorized copying thereof, in accordance with the invention. In an illustrative embodiment, the trusted domain includes a device associated with a user which receives content from the cable TV network. The content may be encrypted using a content key in accordance, e.g., with a 3DES encryption algorithm before it is stored in the device. In addition, a first encrypted content key version and a second encrypted content key version are generated by respectively encrypting the content key with a public key associated with the device and another public key associated with the user, in accordance with public key cryptography. The first and second encrypted content key versions are stored in association with the encrypted content in the device storage.

Abstract: A method in a User Equipment (UE) of an Evolved Packet System (EPS) establishes a security key (K_eNB) for protecting Radio Resource Control/User Plane (RRC/UP) traffic exchanged with a serving eNodeB. The method comprises sending a Non-Access Stratum (NAS) Service Request to a Mobility Management Entity (MME), the request indicating a NAS uplink sequence number (NAS_U_SEQ). The method further comprises receiving an indication of the NAS_U_SEQ of the NAS Service Request sent to the MME, back from the MME via the eNodeB. The method further comprises deriving the K_eNB from at least the received indication of the NAS_U_SEQ and from a stored Access Security Management Entity-key (K_ASME) shared with said MME.

Abstract: According to one embodiment, a computerized method comprises three operations. First, an exploit is determined to have been activated on a client device to transition a state of the client device from a non-infected state to an infected state. Second, a software image is determined prior to the client device receiving the object including the exploit. Lastly, an operating state of the client device is restored by at least reinstalling the software image on the client device so that the client device reverts to an operating state of the client device prior to activation of the exploit.

Abstract: Disclosed in an embodiment of the present application is an information pushing method, comprising: a wireless network sharer client obtaining a first identifier of a wireless network selected from a wireless network list scanned/stored by a wireless network sharer terminal, and sending the same to a server; the server generating a second identifier and sending the same to the wireless network sharer client; the wireless network sharer changing the first identifier of the wireless network into a third identifier based on the second identifier; the wireless network sharer client obtaining a wireless network list updated by a wireless network sharer mobile terminal and sending the third identifier of the selected wireless network in the list to the server; and the server comparing the second identifier with the third identifier, and allowing successful authentication when the two identifiers are consistent, and registering information about the devices of the wireless network.

Abstract: A system for one-click two-factor includes a processor and a non-transitory, tangible, computer-readable storage medium having instructions stored thereon that, in response to execution by the processor, cause the processor to perform operations including: (i) receiving an access request from a user, the access request including a first authentication factor; (ii) generating a second authentication factor and a hyperlink that includes the second authentication factor; (iii) providing the hyperlink that includes the second authentication factor to a client device associated with the user; (iv) automatically receiving the second authentication factor in response to selection of the hyperlink by the user; and (v) verifying the first authentication factor and the second authentication factor to authenticate the identity of the user.

Abstract: The present disclosure relates to computer-implemented methods and systems for intelligent task management. An example method may include identifying one or more authorized entities. The method may further include broadcasting at least one task associated with a user to one or more devices associated with the one or more authorized entities. The method may further include receiving from the one or more authorized entities, via the one or more devices, an indication of acceptance of the at least one task. The method may further include selecting at least one trusted entity among the one or more authorized entities. The method may further include issuing at least one digital certificate to the at least one trusted entity to perform the at least one task.