Abstract: Calls that can be secure (e.g., are conducted with end-to-end encryption) may originate with some or all of the call being unsecured. Then, upon a triggering event such as a user deciding that sensitive information will be discussed or a “sniffer” determining that the call is being monitored by a spoofed endpoint, triggers a transition of the call from an unsecure connection to a secure connection without terminating and reestablishing the call. Accordingly, an unsecure call, such as one utilizing Transmission Control Protocol (TCP) signaling and Real-Time Transport Protocol (RTP) and transitioned to Transport Layer Security (TLS) and Secure RTP (SRTP) to allow a previously unsecured call to become secured with end-to-end encryption.

Abstract: The invention relates to a secure container for storing value documents, e.g. banknotes, having respective value document identification numbers marked thereon, and a corresponding securing system that, upon detection of an intrusion, neutralizes the value documents and delivers in real time over a communication network an alert message containing at least the value document identification numbers to authorities and/or ATMs or carrier, and prevents any transaction based on said neutralized value documents via said ATMs.

Abstract: A system and method for sharing communication platform data includes (a) displaying on a screen of a mobile device a first and second data field, wherein the first data field includes a QR code and the second data field includes a plurality of visual indicia corresponding to contact information corresponding to a user of the mobile device; (b) visually distinguishing on the screen at least one selected visual indicia from at least one unselected visual indicia upon receiving an input corresponding to a selection of the at least one visual indicia by the user; and (c) updating in real-time the QR code to include the contact information corresponding to the selected visual indicia and, optionally, wherein the updated QR code corresponds to a URL containing the contact information.

Abstract: A computing system that is configured for a federated wallet with cryptographically secure signature delegation. The system may be configured to receive a session public key corresponding to a decentralized application and a user. The system may be further configured to receive an unsigned transaction of a blockchain, the unsigned transaction corresponding to the user. The system may be further configured to provide a symmetric encryption key to the user's device for encrypting the user's private signing key. The system may be further configured to determine, using the session public key, that the unsigned transaction is valid. Based on the validity of the unsigned transaction, the system may send the unsigned transaction to the user's device. The system may send the symmetric encryption key to the user's device to decrypt the private signing key. The system may be further configured to receive a signed transaction for submission to the blockchain.

Abstract: Provided are a program and personal information protection method which are executed by a system which is operated by a medical practitioner, said program and method comprising: a display process of causing a monitor part 2 to display an examination result screen 3 including personal information which identifies a subject; an identification process of identifying the personal information in the examination result screen 3 which is displayed in the display process; and an invalidation process of invalidating the personal information identified in the identification process in a captured image which includes the examination result screen 3. Instances of personal information being displayed in error to outside users are thus reduced in comparison to the prior art, and sharing of examination result information is implemented smoothly.

Abstract: A technique for controlling cryptographic document protection and verification is presented. In one implementation, a device is associated with a device identifier and with a cryptographic key is configured to obtain an electronically processable document representation (EPDR) of content of a document that is to be protected and to apply the cryptographic key to the EPDR to obtain a cryptographically processed document representation (CPDR). The device is further configured to transmit the device identifier and a verification parameter comprising at least one of the EPDR and the CPDR towards a transaction server that is configured to log the device identifier and the verification parameter in a tamper-proof manner. The device is also configured to receive a transaction identifier associated with the device identifier and the verification parameter from the transaction server, and trigger printing of the transaction identifier and the CPDR on a physical document that corresponds to the EPDR.

Abstract: Apparatuses for transferring power from a power source to a computing device are provided for. The apparatuses include an entropy-generator for generating entropy. The apparatus is adapted for transferring the entropy to the computing device (such as a mobile computing device) when it is connected to the computing device. The device is adapted to power the entropy-generator with power received from the power source. Methods are also provided for. The methods include providing power and/or entropy to a computing device.

Abstract: Methods and apparatus are disclosed for supplementing partially readable and/or inaccurate codes. An example apparatus includes a watermark analyzer to select a first watermark and a second watermark decoded from media; a comparator to compare a first decoded timestamp of the first watermark to a second decoded timestamp of the second watermark; and a timestamp adjuster to adjust the second decoded timestamp based on the first decoded timestamp of the second watermark when at least a threshold number of symbols of the second decoded timestamp match corresponding symbols of the first decoded timestamp.

Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.

Abstract: A method in a virtual private network (VPN) environment, the method including determining, by a VPN server, an encrypted authentication packet based at least in part on utilizing an encryption key and a nonce to encrypt an initial authentication packet; transmitting, by the VPN server to an authentication server, the encrypted authentication packet to enable VPN authentication of a device requesting VPN services from the VPN server; determining, by the authentication server, a response regarding the VPN authentication based at least in part on decrypting the initial authentication packet utilizing a decryption key and the nonce; and transmitting, by the authentication server to the VPN server, the response regarding the VPN authentication. Various other aspects are contemplated.

Abstract: There is provided a computer implemented method for secure management of data generated in an Electronic Health Record (EHR) during an episode of care, for a user, wherein the EHR is being maintained in a medical database (140) comprised within a Healthcare Service Provider (HSP) server (130), the computer implemented method comprising the steps of sending an identification hash corresponding to the user to an Application Program Interface (API) server (150) from a first client device (110a); extracting the data from the HSP server (130) and de-identifying the data to obtain de-identified data at the API server (150); generating a record hash at the API server (150); transmitting the identification hash, the record hash and the de-identified data from the API server (150) to a core server (160); receiving the identification hash, the record hash and the de-identified data at the core server (160) and transmitting the identification hash, the record hash and the de-identified data from the core server (160) to

Abstract: A policy-based printing system is implemented to allow access to a private domain to print using a public domain. The private domain includes private servers that store documents. The public domain includes servers and a printing device. A public policy server uses a domain list and a protocol connection with a private authentication server to validate a user and identify which private domain to access. The public policy server receives requests from the printing device to process a print job of a document in the private domain. A proxy printing device is created to manage a plurality of printing devices and communicate with the public policy server. The proxy printing device corresponds to a condition within the printing devices.

Abstract: Collection, validation, accuracy checking, and matching of information for individuals, e.g., in-scope people entering/exiting a country is described. The systems, techniques, devices, methods, and approaches described herein can be used to collect biographic, biometric, and travel information for persons who enter a country with the expectation that the person will eventually exit. The system and method described herein include structures and procedures for determining whether the individual, based on his/her information, meets a predefined criterion that is associated with predefined procedures, e.g., special precautions are to be implemented. This document also describes how information for an individual can be matched with an existing record in order to ensure accurate recordkeeping.

Abstract: Systems and methods described herein provide access to encrypted user data at a multi-tenant hosted cloud service. The cloud service enrolls a first tenant in the cloud service. The cloud service receives a request for a ticket for a user of the first tenant to access the cloud service. The cloud service communicates a user data access ticket for the user to access a user data service of the cloud service. The cloud service receives a request to store user data of the user. The request includes encrypted user data. The cloud service stores the encrypted user data. The cloud service may provide the encrypted user data to a computing device of the user after validating the user data access ticket received from the computing device. The computing device may decrypt the encrypted user data and identify the data of the user for resources provided by server(s).

Abstract: Learning data of a usage environment can be efficiently collected. A recognition apparatus includes: a first neural network configured to receive input of data; a second neural network configured to receive input of the data, the second neural network having a different structure from a structure of the first neural network; a comparison unit configured to compare a first output result of the first neural network and a second output result of the second neural network; and a communication unit configured to wirelessly transmit the data to a host system configured to learn the data when a comparison result between the first output result and the second output result is different by a predetermined standard or more.

Abstract: Systems and methods are disclosed for securely communicating sensitive data (e.g., interaction data) during a process for offline authentication. A data packet may be received by an access device from a user device in a one-way communication. The data packet may be converted to obtain interaction data comprising a digital certificate certified by the certificate authority and a digital signature value generated by the user device. A second public key associated with the user device may be obtained utilizing the digital certificate and the first public key associated with the certificate authority. The validity of the interaction data may be determined based at least in part on the digital signature value and the second public key associated with the user device. When the interaction data is determined to be valid, an identifier of the interaction data may be authorized and access may be provided based on this authorization.

Abstract: An image forming apparatus has an input portion that receives original image data, a control portion that generates output image data based on the original image data, a printing portion that performs printing based on the output image data, and a storage portion. The storage portion stores associated color information that defines colors associated with a plurality of prescribed processes respectively. When generating the output image data, the control portion, if the original image data includes a marked region, performs, out of the plurality of processes, the process associated with the color of the marked region.

Abstract: A policy-based printing system is implemented to allow access to a private domain to print using a public domain. The private domain includes private servers that store documents. The public domain includes servers and a printing device. A public policy server uses a domain list and a protocol connection with a private authentication server to validate a user and identify which private domain to access. The public policy server receives requests from the printing device to process a print job of a document in the private domain. A proxy printing device is created to manage a plurality of printing devices and communicate with the public policy server. The proxy printing device corresponds to a condition within the printing devices.

Abstract: Key management for encrypted data includes establishing a cache of key decryption keys and periodically evicting the keys from the cache. A pool of key encryption keys also is created and periodically, selected key encryption keys are removed from service. Notably, the rate of removal of the encryption keys differs from the rate of cache eviction for the decryption keys. Thereafter, clear data is encrypted with a cipher to produce cipher text, and the cipher is encrypted with a selected key encryption key from the pool. Finally, in response to an access request for the clear data, an attempt to locate in the cache a key decryption key for the encrypted cipher is made. If attempt fails, the key decryption key is retrieved from remote memory. Finally, the encrypted cipher is decrypted with the located key, and the cipher text decrypted to produce the clear data.

Abstract: A vehicle includes a first image obtainer configured to obtain an external image; a second image obtainer configured to obtain an internal image; an obstacle detector configured to detect obstacles; a controller configured to control autonomous driving based on obstacle detection information detected by the obstacle detector and image data obtained by the first image obtainer and encrypt brightness data among the image data obtained by the first and second image obtainers during the control of the autonomous driving; and a storage configured to store the encrypted brightness data.

Abstract: A policy-based printing system is implemented to allow access to a private domain to print using a public domain. The private domain includes private servers that store documents. The public domain includes servers and a printing device. A public policy server uses a domain list and a protocol connection with a private authentication server to validate a user and identify which private domain to access. The public policy server receives requests from the printing device to process a print job of a document in the private domain. A proxy printing device is created to manage a plurality of printing devices and communicate with the public policy server. The proxy printing device corresponds to a condition within the printing devices.

Abstract: This specification describes techniques for processing service requests. One example method includes receiving an electronic credential request from a client, retrieving an electronic credential that corresponds to the user identifier, generating server signature information, and transmitting the server signature information and the electronic credential to the client. The server signature information includes the electronic credential and a user public key of the client. The electronic credential and the user public key are signed using a server private key. The server signature information is configured to be cryptographically verified by the client and configured to enable the client to generate a two-dimensional barcode based on the electronic credential. The electronic credential included in the two-dimensional barcode is configured to be verified by a credential verification device. The credential verification end device is configured to generate the electronic credential based on the user identifier.

Abstract: One embodiment of the present disclosure provides a method of generating an encrypted multimedia bitstream, the method comprising: obtaining processed multimedia data; selecting an object to be encrypted from among the processed multimedia data; encrypting the selected object to be encrypted; converting the processed multimedia data into encrypted multimedia data, based on a result of the encrypting; and generating encrypted multimedia bitstream by encoding the encrypted multimedia data.

Abstract: A super polyalphabetic cipher where both the alphabet size, and the key size are user controlled and secret, and where computation is kept simple—reading, comparing, and sorting bits, to minimize battery consumption for Internet of Things, and where the users can decide how much randomness to use to match their security needs, and face, when necessary, a quantum computer cryptanalytic assault.

Abstract: A Convolutional Neural Network (CNN) based-signal processing includes receiving of an encrypted output from a first layer of a multi-layer CNN data. The received encrypted output is subsequently decrypted to form a decrypted input to a second layer of the multi-layer CNN data. A convolution of the decrypted input with a corresponding decrypted weight may generate a second layer output, which may be encrypted and used as an encrypted input to a third layer of the multi-layer CNN data.

Abstract: A processing equipment includes a processing unit having a plurality of functions. A retaining unit retains a device identifier capable of identifying the processing equipment. An interface unit receives a function authentication key which is a code for setting a specific function among the plurality of functions to be enabled or disabled. A control unit sets the specific function to be enabled or disabled according to the function authentication key when a device identifier included in the received function authentication key coincides with the device identifier retained in the retaining unit.

Abstract: A method and device for processing and accessing image are provided. The image processing method includes: one or more protected areas are determined in an original picture to be processed, image data of the one or more protected areas are protected by adding access rights, one or more independent sub-image data corresponding to the one or more protected areas are obtained, and then the one or more protected areas in the original picture are shielded to obtain main image data, the images in the protected areas being invisible in the shielded original picture; and the one or more obtained independent sub-image data and the obtained main image data are associatively stored.

Abstract: Some embodiments provide an electronic device with a novel content redaction engine. The content redaction engine of some embodiments determines whether to redact content for output based on whether a user is biometrically verified. When the content redaction engine receives verification data indicating that the user is biometrically verified, the device displays content without any portion redacted. On the other hand, when the content redaction engine does not receive such verification data, the device displays the content with at least a portion redacted. The electronic device of some embodiments additionally includes a biometric reader and a biometric verification engine. The biometric reader reads a person's uniquely identifying biometric data (e.g., thumbprint/fingerprint, iris scan, voice, etc.). This biometric information is then read by the biometric verification engine for comparison to a stored set of verified user biometric data.

Abstract: An e-mail sending-receiving system that enables to ensure security at the time of sending and receiving an e-mail including an attached file encrypted and to improve convenience. In an e-mail sending terminal, a first storing unit stores a password in a storage medium in association with a receiving-side mail address, an encryption unit encrypts a file attached to an e-mail so as to be decodable using the password, a generation unit generates the e-mail by attaching the file encrypted, and a sending unit sends the e-mail to the receiving-side mail address. In an e-mail receiving-side terminal, a second storing unit stores the password in the storage medium in association with a sending-side mail address, a reception unit receives the e-mail, and a decoding unit decodes the encrypted file using the password stored in association with the sending-side mail address of the e-mail received.

Abstract: Some embodiments provide an electronic device with a novel content redaction engine. The content redaction engine of some embodiments determines whether to redact content for output based on whether a user is biometrically verified. When the content redaction engine receives verification data indicating that the user is biometrically verified, the device displays content without any portion redacted. On the other hand, when the content redaction engine does not receive such verification data, the device displays the content with at least a portion redacted. The electronic device of some embodiments additionally includes a biometric reader and a biometric verification engine. The biometric reader reads a person's uniquely identifying biometric data (e.g., thumbprint/fingerprint, iris scan, voice, etc.). This biometric information is then read by the biometric verification engine for comparison to a stored set of verified user biometric data.

Abstract: An image forming apparatus that dynamically and suitably switches login processing between a user who selects an icon and a user who is identified by reading of a card. The image forming apparatus searches user information of a user who logs in by selecting a user icon displayed on a display unit and a user who logs in using a card, and performs the login processing on a searched user.

Abstract: Examples disclosed herein relate to image recognition instructions to receive a plurality of image frames, route each of the plurality of image frames to at least one of a plurality of element detectors, determine whether the respective one of the plurality of element detectors has recognized an embedded element and, in response to determining that the respective one of the plurality of element detectors has recognized the embedded element, cause a resource associated with the recognized embedded element to be retrieved.

Abstract: Restricted content of a data file is identified. The restricted content is removed from the data file, and a redacted version of the data file is generated. The restricted content is stored separate from the redacted version of the data file.

Abstract: A communicating apparatus receives at least (i) email data which is encrypted by a content encryption key, (ii) the content encryption key which is encrypted by a public key of the communicating apparatus, and (iii) a public key certificate of the communicating apparatus. The communicating apparatus decrypts the encrypted content encryption key by a private key corresponding to the public key certificate of the communicating apparatus and decrypts the email data by the decrypted content encryption key. And the communicating apparatus prints at least the email data and the public key certificate of the communicating apparatus.

Abstract: Techniques are disclosed for verifying caller identification in voice communications. In one embodiment, there is disclosed a method comprising receiving a request to establish a voice call between communications devices. The request comprising encrypted information and an identifier identifying a caller associated with the request to establish the voice call. The method further comprises retrieving, in response to receiving the request, a decryption key from an authentication source by requesting from the authentication source the decryption key associated with the identifier. The method further comprises utilizing the decryption key to decrypt the encrypted information and produce decrypted information as well as comparing the decrypted information and the identifier to determine a similarity therebetween. The method further comprises providing, based on the comparison, an indication of whether or not the request is deemed associated with fraud.

Abstract: Computationally implemented methods and systems include acquiring an encrypted image that is a captured image that has been encrypted through use of a particular device code associated with an image capture device that captured the captured image, wherein the captured image includes a representation of a feature of an entity, decrypting the acquired encrypted image that was encrypted through use of the particular device code, and performing a validation detection operation to detect a privacy beacon associated with the entity in the decrypted captured image. In addition to the foregoing, other aspects are described in the claims, drawings, and text.

Abstract: In order to verify the authenticity of a product associated with a host device, the product contains, in segments of a non-volatile memory, several different functions stored in ciphered fashion. The host device sends a control signal for selecting and activating one of those ciphered functions. The product then deciphers and executes the function. The result of the function execution is then communicated back to host device when a decision on product authenticity is made.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for receiving data from a giver at a first time, the data being used to identify a merchant at which a gift from the giver to a recipient is redeemable. The system presents a group of merchants associated with the data to the giver, each merchant of the group of merchants offering a promotion in connection with the gift. The system receives from the giver a selection of a chosen merchant from the group of merchants, the chosen merchant having an associated promotion. The system then generates a policy comprising the gift, the chosen merchant, and the associated promotion such that upon receiving an indication of a triggering event caused by the recipient, the system can apply the gift and the associated promotion according to the policy.

Abstract: Techniques are described for generating a seal that is applicable to an object, and scanning the seal to access encoded data to be used for verifying one or more characteristics of the object. The seal may be applied to a tangible document, such as a document printed on paper. The seal may encode data that is particularly associated with the document. For example, the seal may encode a hash of at least a portion of the information (e.g., text) included in the document. In some instances, the seal may encode a digital version and/or metadata of at least a portion of the information in the document. A scan of the seal may retrieve information useable to verify the authorship, provenance, originality, and/or unaltered contents of the documents. In some instances, the seal may encode information that enables the presentation of hidden information and/or metadata associated with the document.

Abstract: An information processing system includes an information processing device, and an electronic device to utilize a service provided from the information processing device. A service delivery unit provides the service for the electronic device. An information management unit manages license information of the service, generates use permission information and sends the generated use permission information to the electronic device. An execution management unit manages an execution request of the service specifying the use permission information of the service. An execution unit determines whether to have a use authority of a function of the electronic device utilized by the service based on contents of the license included in the use permission information of the service and executes the service by utilizing the function of the electronic device upon determining that the use authority of the function of the electronic device utilized by the service is present.

Abstract: Some embodiments provide an electronic device with a novel content redaction engine. The content redaction engine of some embodiments determines whether to redact content for output based on whether a user is biometrically verified. When the content redaction engine receives verification data indicating that the user is biometrically verified, the device displays content without any portion redacted. On the other hand, when the content redaction engine does not receive such verification data, the device displays the content with at least a portion redacted. The electronic device of some embodiments additionally includes a biometric reader and a biometric verification engine. The biometric reader reads a person's uniquely identifying biometric data (e.g., thumbprint/fingerprint, iris scan, voice, etc.). This biometric information is then read by the biometric verification engine for comparison to a stored set of verified user biometric data.

Abstract: Methods and systems of authenticating electronic identification (ID) documents may provide for receiving a decryption key and an encrypted ID document from a certificate authority server at a mobile device, wherein the encrypted ID document includes a read only document having a photograph of an individual. Additionally, the decryption key may be applied to the encrypted ID document to obtain a decryption result in response to a display request. The decryption result can be output via a display of the mobile device, wherein the encrypted ID document can be sent to a challenge terminal if a challenge request is received.

Abstract: A method of modifying the output of an output device is provided. A first code, associated with a first recipient party, is received and used to generate, within the output device, a second code, the second code containing encoded data identifying the first recipient party and instructions for activating an additional functionality of the output device. The additional functionality is activated in accordance with the instructions contained in the second code. The output of the output device is modified according to data encoded in the second code, to encode a third code in the output of the output device, the third code including an ID code associated with the first recipient party.

Abstract: An image forming apparatus that is capable of executing authentication processing improved in security of a command including authentication information, which is received over a network from an external apparatus. A CPU receives a command including authentication information via a network. The CPU determines whether or not authentication information included in the received command is a hash value. The CPU causes processing in accordance with the received command to be executed depending on authentication performed based on the authentication information when it is determined that the authentication information is a hash value, and causes the processing not to be executed when it is determined that the authentication information is not a hash value.

Abstract: In a functional encryption scheme where a decryption key dk can decrypt a ciphertext encrypted by an encryption key ek, when decrypting the encryption key in which a parameter ? is set, by the decryption key dk in which a parameter ? is set, if and only if a relation R(?, ?) holds, a wider range as a relation R is expressed. Of first information including a polynomial d(x), plural polynomials Di(x), and predicate information, and second information including attribute information, a cryptographic system treats one as a ciphertext and a remaining one as a decryption key. A decryption device, based on the predicate information and attribute information, selects at least one of polynomials Di(x), and calculates a coefficient ?i enabling a polynomial constituted based on a polynomial ?iDi(x) to be divided out by a polynomial d(x), the polynomial ?iDi(x) obtained by multiplying the selected polynomial Di(x) by coefficient ?i.

Abstract: A process mode of either of an encryption process and a decryption process is set for at least one of a plurality of pieces of key data, in association with the key data. Then, a mode specifying command for specifying a process mode in association with key data is received from another apparatus, and if the received process mode and the process mode associated with the key data coincide with each other, the process in the process mode using the key data is permitted.

Abstract: An information processor is connected via a network to an output apparatus and configured to control a job outputting process of the output apparatus. The information processor includes a job identifier generation part configured to generate a job identifier for uniquely identifying a job input from a terminal apparatus connected via the network to the information processor, an information storage part configured to store information that correlates the job identifier and the input job, a job identifier transmission part configured to transmit the job identifier correlated with the input job to the terminal apparatus, and a job association part configured to associate user information for uniquely identifying an authenticated user received from the output apparatus with the input job based on a job association request including the user information and the job identifier and on the information stored in the information storage part.

Abstract: A method, an apparatus, and a non-transitory computer readable medium for accelerating cryptographic processing are presented. A cryptographic algorithm is parallelized, which includes breaking the cryptographic algorithm into components, parallelizing an entire component if the component is fully parallelizable, parallelizing part of a component if the component is partially parallelizable, and sequentially executing a component if the component is not parallelizable. Processing of the parallelizable component or the partially parallelizable component is distributed to one or more parallelized devices. The parallelized devices include at least one of: a graphics processing unit or a cryptographic processing device, which may include an integrated cryptographic processor or a cryptographic co-processor.

Abstract: A corresponding portion of storage (such as one or more storage cells) is assigned one of multiple different error correction modes depending on a respective ability of the corresponding portion of storage cells to store data without error. Groups of storage cells that are less prone to failures (i.e., loss of data) are assigned a first error correction mode in which a first length error correction code is used to generate error correction information for a given sized segment of data. Groups of storage cells that are more prone to failures are assigned a second error correction mode in which a second length error correction code is used to generate error correction information for the given sized segment of data.

Abstract: There is provided an electronic pen device configured to be used with a remote secure server for registering handwritten signatures, the secure server comprising an authentication database storing authentication information in connection with pre-registered users and a signature registration database for registering handwritten signatures, the electronic pen device comprising: an input/output (I/O) interface; a memory; a tip and capturing means connected thereto for capturing handwritten signatures; a network interface adapted to be connected to a data network, and a processing unit connected to the I/O interface, to the capturing means, to the memory and to the network interface. As another aspect of the invention, there is further provided a system for registering handwritten signatures. As another another aspect of the invention, there is further provided a method of authenticating handwritten signatures.