Abstract: Apparatuses, methods, and systems are disclosed for providing a radio link failure indication. One method includes counting a number of consecutive discontinuous indications. The method includes comparing the number of consecutive discontinuous indications to a predetermined threshold. The method includes, in response to the number of consecutive discontinuous indications being greater than the predetermined threshold, providing a radio link failure indication.

Abstract: Apparatuses, methods, and systems are disclosed for aggregating HARQ feedback and sidelink retransmission procedure. One apparatus includes a transceiver and a processor coupled with the transceiver, the processor configured to cause the apparatus to transmit sidelink data to each of one or more UEs of a set of UEs and to receive SL feedback from each of the one or more UEs of the set of UEs, the sidelink feedback comprising HARQ feedback indicating a HARQ positive acknowledgement or a HARQ negative acknowledgement. Via the transceiver, the processor transmits an uplink message to a network entity, the uplink message comprising an aggregate of the received sidelink feedback from each of the one or more UEs of the set of UEs.

Abstract: Apparatuses, methods, and systems are disclosed for configuring a sidelink resource pool. One method includes receiving, at a user equipment (UE) from a base station, downlink configuration information (DCI) for a resource pool. The DCI indicates: a starting symbol offset from a beginning of a logical sidelink (SL) slot; a physical sidelink shared channel (PSSCH) symbol duration; a symbol offset between the PSSCH and a physical sidelink feedback channel (PSFCH); a symbol offset between the PSFCH and a physical uplink control channel (PUCCH); a number of repetitions; a type of repetitions; or some combination thereof. The method includes performing a sidelink transmission in the resource pool based on the DCI.

Abstract: Apparatuses, methods, and systems are disclosed for sidelink HARQ operation. One apparatus includes a memory coupled to a processor, where the processor is configured to cause the second apparatus to receive a SL grant for a SL transmission using SL resources, the SL grant indicating a first HARQ process identified by a first HARQ process identifier, and to select a second SL HARQ process identified by a second SL HARQ process identifier for the SL transmission using the SL resources. The processor is configured to cause the second apparatus to transmit SCI containing the second SL HARQ process identifier and to perform the SL transmission using the SL resources.

Abstract: Apparatuses, methods, and systems are disclosed for responding to a new data indicator for a hybrid automatic repeat request process. One method includes determining whether a current new data indicator in a current sidelink grant matches a last received new data indicator in a last received sidelink grant for a first hybrid automatic repeat request process. The method includes, in response to determining that the current new data indicator does not match the last received new data indicator, determining whether a negative acknowledgement has been transmitted in response to the last received sidelink grant.

Abstract: A method comprising: when a user attempts to access: redirecting the user to a Triple Blind Identity Exchange Service (TBIES) Discovery Service (TBIES DS); redirecting, by the TBIES DS, the user back while providing a blinded name of a selected Identity Provider (IdP), redirecting the user to a TBIES-Service Provider (SP) proxy with a federation request; and blinding, by the TBIES-SP proxy, the identity of the SP and any user identifiable data and redirecting the user to a TBIES-IdP proxy, which performs any required data manipulation and redirects the user to the IdP. The IdP authenticates the user, and redirects the user to the TBIES-IdP proxy, which blinds the identity of the IdP, blinds all user information, and redirects to the SP-Proxy, which unblinds the transaction and redirects the user to the SP, where the SP consumes the assertion and decides whether to permit the user access.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: Transaction authentication with techniques and geolocation are combined to provide privacy and security enhanced geolocation. In an example implementation, a user initiates a transaction at a web service which in turns triggers a security server. The security server uses its always on connection with the combined client on user security device to perform geolocation, proximity and transaction authentication. These results may be used by the web service to make a decision on whether to proceed with the transaction.

Abstract: The present innovation extends the innovations inherent in our prior work on security and privacy enhanced geolocation to address specific problems of determining the proximity of two Internet connected devices. This could be used for applications such as determining proximity of a user's smartphone to an ATM machine they are using. Or to determine the physical proximity of a shopper and a cashier at a check out line. A straightforward application of the prior work will not suffice, as devices may have very different types of connectivity to the Internet. We solve this problem by placing reciprocal slave servers on each of the devices and giving high weight to the time taken for messages to travel from each device to the slave on the other device. The system can be extended to more than two entities by performing the calculation in a pairwise fashion and using further optimizations.

Abstract: Transaction authentication with techniques and geolocation are combined to provide privacy and security enhanced geolocation. In an example implementation, a user initiates a transaction at a web service which in turns triggers a security server. The security server uses its always on connection with the combined client on user security device to perform geolocation, proximity and transaction authentication. These results may be used by the web service to make a decision on whether to proceed with the transaction.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: An Identity Exchange that communicates and processes data exchanged between Identity Providers (IdP) and Relying Partys (RP) remains blinded from the attribute values of the data flowing through it. To make this happen each IdP and RP are issued anonymous certificates by a Certificate Authority, using which they perform key exchange with each other to exchange session keys, which are used subsequently to encrypt/decrypt all attribute values they exchange via the Identity Exchange.

Abstract: To provide a user signature on a network transaction, a security server receives transaction information representing a transaction between a network user and a network site, such as a website, directly from the network site. The security server calculates a one-time-password based on the received transaction information and a secret shared by the security server and the network site, but not by the user. The security server transmits the calculated one-time-password for application as the user's signature on the transaction. The one-time-password is independently calculable by the network site based on the shared secret.

Abstract: Systems and methods for making a payment on behalf of a payer to a payee are provided. A request to make a payment on behalf of a payer to a payee is received at a first payment service provider. The first payment service provider supports a first payment network within a plurality of payment networks that each include a respective plurality of payers and payees. The payer is one of the plurality of payers and payees associated with the first payment network, and the payor is not one of the plurality of payers and payees associated with the first payment network. A second payment network within the plurality of payment networks with which the payee is associated is identified by the first payment service provider. A payment instruction to make the payment to the payee is transmitted by the first payment service provider to a second payment service provider associated with the second payment network.

Abstract: A 3BIES Discovery Service and Certificate Authority that can issue anonymized certificates allow for a traditional identity federation to perform its functions while the true identity of the Identity Provider and Service Provider are blinded from each other. This is called double blinding and we first describe how this can happen without the presence of an Identity Exchange. When an Identity Exchange is introduced it also becomes necessary to ensure that the Exchange itself does not become a single point of catastrophic failure. To avoid this we introduce the notion of triple blinding. Finally, we also point out that this design makes it possible for user's to request anonymous attestation; wherein the Service Provider does not learn their identity.

Abstract: To validate a user's identity a network validation server receives a smartphone image of a preexisting user credential, including both a user biometric and a unique identifier associated with the credential and stores them in a database. The validation server also receives the unique identifier from a registrar network device seeking to validate the user, and in response transmits a validation code to the user's smartphone for display by the user's smartphone and/or the registrar's network device for display by the registrar's network device. The validation server additionally receives confirmation from the registrar's network device that a validation code displayed on the user's smartphone is the transmitted validation, thereby confirming that the user has been validated by the registrar.

Abstract: A method of operating a security server to securely transact business between a user and an enterprise via a network includes receiving, at the security server from an enterprise with which the user is currently connected via the network, a request of the enterprise to activate a secure communications channel over the network between the user and the security server. The request includes contact information for contacting the user via other than the network. The security server, in response, transmits an activation code for delivery to the user via other than the network and in a manner corresponding to the received contact information. The security server receives, from the user via the network, an activation code and compares the received activation code with the transmitted activation code to validate the received activation code. The secure communications channel is then activated based on the validation of the received activation code.

Abstract: A person-to-person (P2P) payment system provides payment from a payer to a payee without the payer identifying a payee payment receiving preference, such as the payee account into which funds are to be posted. The payment system includes a setup system for setting up payment between the payer and the payee and a messaging system for handling messages between the payer and the payment system and the payee and the payment system, including communications with the payee by way of a payee phone number or email address provided by the payer. A risk assessment system determines a risk score for the P2P transaction and, based on that score, the bank of the payer provides a guarantee to the bank of the payee.

Abstract: A portable apparatus is removably and communicatively connectable to a network device to communicate authentication or authorization credentials of a user in connection with the user logging into or entering into a transaction with a network site. The apparatus includes a communications port to connect and disconnect the apparatus to and from the network device and to establish a communication link with the network device when connected thereto. A processor receives a secure message from the network security server via the port. The message has a PIN for authenticating the user to the network site, and is readable only by the apparatus. The processor either transfers, via the port, the received PIN to an application associated with the network site that is executing on the network device or causes the apparatus to display the received PIN for manual transfer to the application associated with the network site.