Using Master Key (e.g., Key-encrypting-key) Patents (Class 380/281)
-
Patent number: 12166747
Abstract: The present disclosure describes techniques for managing secret information. A material set may be created. The material set may correspond to a material set name (MSN). The material set may be configured to contain secret information and information for identifying destinations that are authorized to access the secret information. The secret information may be managed by using the MSN to identify and track the secret information and without exposing the secret information.
Type: Grant
Filed: May 31, 2022
Date of Patent: December 10, 2024
Assignee: Lemon Inc.
Inventor: Jun Zeng
-
Patent number: 11991527
Abstract: Provided is a method, performed by an electronic device, of communicating with another electronic device through first communication, the method including: generating a first key based on a secret key of the electronic device and a public key of the other electronic device received through second communication independent of the first communication; transmitting a public key of the electronic device to the other electronic device through the second communication such that a second key corresponding to the first key is generated at the other electronic device; generating a timestamp sequence based on the first key; and conducting communication with the other electronic device through the first communication by using the timestamp sequence.
Type: Grant
Filed: March 23, 2020
Date of Patent: May 21, 2024
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sooyeon Jung, Eunyoung Kwon, Mingyu Lee, Seongah Jeong, Jonghyo Lee, Sehee Han
-
Patent number: 11972004
Abstract: An example operation may include one or more of splitting, by a document server, a document provided by a document owner node into a plurality of segments to be stored on a ledger of a blockchain, detecting, by the document server, a change to the document made by an authorized participant node, updating, by the document server, a segment of the plurality of segments stored on the ledger based on the change to the document, collecting, by the document server, votes on the change to the document from a plurality of participant nodes, and committing the updated segment to the blockchain based on the votes.
Type: Grant
Filed: June 11, 2019
Date of Patent: April 30, 2024
Assignee: International Business Machines Corporation
Inventors: Igor S. Ramos, Marc Dickenson, Sumabala Nair
-
Patent number: 11662991
Abstract: A vehicle-mounted device upgrade method and a related device. The method may be applied to a vehicle-mounted system, a vehicle-mounted control device and one or more to-be-upgraded vehicle-mounted devices, and the method may include: obtaining, by the vehicle-mounted control device, a vehicle-mounted upgrade package, where the vehicle-mounted upgrade package includes a plurality of upgrade files, and each upgrade file is used to upgrade at least one to-be-upgraded vehicle-mounted device; performing, by the vehicle-mounted control device, security verification on the plurality of upgrade files; and sending, by the vehicle-mounted control device, a target upgrade file to a target to-be-upgraded vehicle-mounted device that is to be upgraded by using the target upgrade file, where the target upgrade file is an upgrade file on which security verification succeeds in the plurality of upgrade files. According to this application, the vehicle-mounted device can be securely and efficiently upgraded.
Type: Grant
Filed: April 23, 2020
Date of Patent: May 30, 2023
Assignee: Huawei International Pte. Ltd.
Inventors: Yanjiang Yang, Zhuo Wei, Hsiao-Ying Lin, Tieyan Li, Junqiang Shen
-
Patent number: 11641621
Abstract: A system in which a device may automatically provision another device with credentials, at the behest of a cloud-based service, based in part on the physical proximity of the device to be provisioned. The provisioning device and the device to be provisioned may use a radio access technology (RAT) with a limited radio range. Account information associated with the device to be provisioned is known to the cloud-based service, which authenticates the device to be provisioned via the device with credentials.
Type: Grant
Filed: April 22, 2020
Date of Patent: May 2, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Omar Abdul Baki, Jin Guo, Thomas Werner Kuehnel, King Shaw
-
Patent number: 11575657
Abstract: A method for mitigating misinformation in encrypted messaging environments includes receiving content from an originating user, encrypting the content into an originating message using a first encrypting key, appending an originating message identifier to the originating message, storing the originating message identifier on a messaging server in conjunction with transmitting the originating message to a first device corresponding to a first recipient, decrypting the originating message using a first decrypting key, storing the content on the first device to produce locally stored content and inserting the originating message identifier within metadata for the locally stored content. The method may also include encrypting the locally stored content into a new message intended for a second recipient, detecting the originating message identifier within the metadata for the locally stored content, and appending the originating message identifier to the new message.
Type: Grant
Filed: February 25, 2020
Date of Patent: February 7, 2023
Assignee: International Business Machines Corporation
Inventors: Sachin Chandrakant Punadikar, Sasikanth Eda, Abhishek Jain, Sandeep Ramesh Patil
-
Patent number: 11553335
Abstract: Methods, systems, and devices for communications are described. A device or a group of devices may generate data. The group of devices may receive a group profile from a node that identifies the devices to be included, and the group profile may include a function to be evaluated at each of the devices. The node may also provision evaluation parameters which may allow the device to provide authenticated aggregate data to a requesting third party, without sharing the data between the devices, thus concurrently maintaining individual data privacy and data provenance.
Type: Grant
Filed: May 4, 2020
Date of Patent: January 10, 2023
Assignee: QUALCOMM Incorporated
Inventors: Soo Bum Lee, Jay Rodney Walton, John Wallace Nasielski, Gavin Bernard Horn
-
Patent number: 11496301
Abstract: Some embodiments of the present invention comprise a method, system, and/or computer program product for a publish/subscribe messaging system. A processor identifies a subscriber of a pub/sub messaging system. The processor retrieves a stored encrypted key for the identified subscriber of the pub/sub messaging system. The processor communicates the retrieved encrypted key to a user selected from a group comprising a publisher of the pub/sub messaging system and the identified subscriber of the pub/sub messaging system. The processor implements end-to-end encryption of messages of the pub/sub messaging system based on key-groups.
Type: Grant
Filed: February 21, 2020
Date of Patent: November 8, 2022
Assignee: International Business Machines Corporation
Inventors: Ian Charles Edwards, Jonathan Levell, Bernard Zdzislaw Kufluk
-
Patent number: 11425164
Abstract: Distributed storage of a file in edge storage devices that is resilient to eavesdropping adversaries and Byzantine adversaries. Approaches include a cost-efficient approach in which an authorized user has access to the content of all edge storage nodes. In this approach, key blocks and file blocks that are masked with key blocks are saved in the edge storage nodes. Additionally, redundant data for purposes of error correction are also stored. In turn, upon retrieval of all blocks, errors introduced by a Byzantine adversary may be corrected. In a loss resilient approach, redundant data is stored along with masked file partitions. Upon retrieval of blocks from the edge storage nodes, a unique approach to solving for the unknown file partition values is applied with identification of corrupt nodes based on an average residual error value for each storage node.
Type: Grant
Filed: August 28, 2020
Date of Patent: August 23, 2022
Assignee: SEAGATE TECHNOLOGY LLC
Inventor: Yasaman Keshtkarjahromi
-
Patent number: 11411741
Abstract: In a secure end-to-end transmission of data between a first device and a second device via a message broker, the following are performed: a sharing of an entropy pool between the first device and the second device via the message broker, by means of signalling messages, any payload of which is encrypted asymmetrically and which comprise a message signature; and a transmission of subsequent messages between the first device and the second device via the message broker, each said subsequent message comprising a header and a payload, the header comprising an identifier of an authentication key obtained from the shared entropy pool and an identifier of a symmetrical encryption key obtained from the shared entropy pool, the payload being encrypted symmetrically by means of the symmetrical encryption key, and the whole formed by the header and the payload being authenticated by means of a message authentication code obtained by means of the authentication key and inserted in the header.
Type: Grant
Filed: April 28, 2020
Date of Patent: August 9, 2022
Assignee: SAGEMCOM BROADBAND SAS
Inventors: Antonie Rocquelay, Olivier Mevissen
-
Patent number: 11405420
Abstract: Distributed storage of a file in edge storage devices that is resilient to eavesdropping adversaries and Byzantine adversaries. Approaches include a cost-efficient approach in which an authorized user has access to the content of all edge storage nodes. In this approach, key blocks and file blocks that are masked with key blocks are saved in the edge storage nodes. Additionally, redundant data for purposes of error correction are also stored. In turn, upon retrieval of all blocks, errors introduced by a Byzantine adversary may be corrected. In a loss resilient approach, redundant data is stored along with masked file partitions. Upon retrieval of blocks from the edge storage nodes, a unique approach to solving for the unknown file partition values is applied with identification of corrupt nodes based on an average residual error value for each storage node.
Type: Grant
Filed: August 28, 2020
Date of Patent: August 2, 2022
Assignee: SEAGATE TECHNOLOGY LLC
Inventor: Yasaman Keshtkarjahromi
-
Patent number: 11387986
Abstract: Systems and methods are discussed for performing multi-key cryptographic operations. Policies can be received that define whether to perform a cryptographic operation with respect to various data items generated by one or more computing devices. The data items can be identified and compared to the policies to determine whether to perform the cryptographic operation on subsets of data items. The cryptographic operation can be performed with respect to a first subset of the data items using a first key, while the cryptographic operation can be performed with respect to a second subset of the data items using a second key.
Type: Grant
Filed: January 13, 2020
Date of Patent: July 12, 2022
Assignee: Ionic Security Inc.
Inventors: Adam Ghetti, Jeffrey Howard, James Jordan, Nicholas Smith, Jeremy Eckman, Ryan Speers, Sohaib Bhatti
-
Patent number: 11368294
Abstract: A first network device may install a receiving key for decrypting traffic on protocol hardware associated with a data plane of the first network device. The first network device may receive, from the data plane, a first notification indicating that the receiving key is installed on the protocol hardware and may provide, to a second network device, a first message identifying the receiving key. The first network device may receive, from the second network device, an acknowledgment message indicating that the receiving key is installed on the second network device and may install a transmission key for encrypting traffic on the protocol hardware. The first network device may receive, from the data plane, a second notification indicating that the transmission key is installed on the protocol hardware and may provide, to the second network device, a second message identifying the transmission key.
Type: Grant
Filed: June 22, 2020
Date of Patent: June 21, 2022
Assignee: Juniper Networks, Inc.
Inventors: Guruprasad P N, Sumeet Mundra
-
Patent number: 11283609
Abstract: There is provided a method and system for supporting secure data routing for artificial intelligence services in a communication network. According to embodiments there is provided a system including a platform controller for managing artificial intelligence (AI) services and a coordinator for managing data transmission of the AI services. The platform controller is configured to obtain, from an AI controller, a first security credential used for re-encryption of uplink data for an AI service, wherein the uplink data includes encrypted data from a device and obtain, from the device, a second security credential for re-encryption of downlink data for the AI service, wherein the second downlink data includes encrypted data from an AI server. The platform controller is further configured to provide, to the coordinator, both the first security credential and the second security credential.
Type: Grant
Filed: August 21, 2020
Date of Patent: March 22, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Xu Li, Hang Zhang
-
Patent number: 11263020
Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for erasing user data stored in a file system. The method includes destroying all key bags containing encryption keys on a device having a file system encrypted on a per file and per class basis, erasing and rebuilding at least part of the file system associated with user data, and creating a new default key bag containing encryption keys. Also disclosed herein is a method of erasing user data stored in a remote file system encrypted on a per file and per class basis. The method includes transmitting obliteration instructions to a remote device, which cause the remote device to destroy all key bags containing encryption keys on the remote device, erase and rebuild at least part of the file system associated with user data, and create on the remote device a new default key bag containing encryption keys.
Type: Grant
Filed: June 25, 2018
Date of Patent: March 1, 2022
Assignee: Apple Inc.
Inventors: Dallas Blake De Atley, Gordon Freedman, Thomas Brogan Duffy, Jr., Tahoma Madrone Toelkes, Michael John Smith, Paul William Chinn, David Rahardja
-
Patent number: 11252166
Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for providing blockchain-based data authorization. One of the methods includes receiving, by a blockchain node, a data acquisition transaction submitted by a data user for obtaining target data possessed by a data owner, determining, by the blockchain node, that the data user has obtained authorization of the target data, and executing, by the blockchain node, a smart contract invoked by the data acquisition transaction to issue an authorization token to the data user in response to determining that the data user has authorization of the target data, where the authorization token is sent to a privacy computing platform.
Type: Grant
Filed: January 31, 2020
Date of Patent: February 15, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Changzheng Wei, Ying Yan, Hui Zhang, Yujun Peng
-
Patent number: 11245681
Abstract: Techniques are described for enabling a Kerberos-based authentication system to provide a client with access to a plurality of unmodifiable components that require plain text passwords. Such an approach enables a user to sign into a distributed computer system using a single password, and access multiple components that require different passwords without the need to enter a second password. By using Kerberos based authentication, passwords are not unnecessarily sent throughout distributed computing system where they may be vulnerable. A proxy key distribution center can be used to manage passwords or other credentials on behalf of various clients, which can be used with various processes discussed herein.
Type: Grant
Filed: May 11, 2018
Date of Patent: February 8, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Gregory Branchek Roth, Eric Jason Brandwine, Bradley Jeffrey Behm
-
Patent number: 11194562
Abstract: A method at a domain controller for software update control, the method including receiving, at the domain controller, a software update package; verifying, at the domain controller, a source of the software update package; unbundling the software update package into at least one software update, each of the at least one software update being destined for a control unit managed by the domain controller; signing each of the at least one software update; and forwarding each signed software update to the control unit for which the software update is destined.
Type: Grant
Filed: May 19, 2017
Date of Patent: December 7, 2021
Assignee: BlackBerry Limited
Inventor: Marcus Klische
-
Patent number: 11171922
Abstract: A VPN box is connected upstream of a field device. The VPN box uses a secret cryptographic key of the field device for authentication when setting up a VPN tunnel and/or when setting up a cryptographically protected communication link.
Type: Grant
Filed: September 5, 2011
Date of Patent: November 9, 2021
Assignee: Siemens Mobility GmbH
Inventors: Rainer Falk, Steffen Fries
-
Patent number: 11113408
Abstract: A method for use in managing a secure object store in a computing system includes: securing the secure object store including creating, maintaining, and using a hierarchical key system and accessing an encrypted data object using the Node Key Encryption Key and a selected one of the Data Encryption Keys. The securing includes: generating a Node Key Encryption Key; generating a plurality of Data Encryption Keys that are encrypted using the Node Key Encryption Key; and encrypting a plurality of data objects using the Data Encryption Keys, each data object being encrypted by a respective Data Encryption Key.
Type: Grant
Filed: August 20, 2018
Date of Patent: September 7, 2021
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Gareth David Richards, Michael William Francis Healey, Jr.
-
Patent number: 11106824
Abstract: Systems and methods of dynamic management of private data during communication between a remote server and a user's device, including receipt of a request for retrieval of at least one data packet from the user's device, wherein the user's device is configured to provide a response corresponding to the received request, determination of at least one communication data type of the at least one data packet corresponding to the received request, receipt of a privacy preference for the user's device, wherein the privacy preference comprises a list of allowed data packet communication types for sharing during communication, modification of data packets corresponding to requests for sharing of responses that are not compatible with the received privacy preference and maintenance of communication between the remote server and the user's device, with sharing of the modified data packet.
Type: Grant
Filed: March 28, 2018
Date of Patent: August 31, 2021
Assignee: Privacy Rating Ltd.
Inventors: Yoseph Koren, Yehonatan Wasserman
-
Patent number: 11100383
Abstract: Living Machine for the Manufacture of Living Knowledge by Living Individuals through the practice of the Living Knowledge Creation Process in Living Knowledge Creation Process Cycles where Living Knowledge Economics operates.
Type: Grant
Filed: April 5, 2016
Date of Patent: August 24, 2021
Inventor: Ann Racuya-Robbins
-
Patent number: 11070372
Abstract: A system and method improves operational performance of a computer by enhancing digital security with an added electronic circuit. The electronic circuit stores sensitive data in an un-erasable state such that the sensitive data may not be altered. The electronic circuit limits transfer of the sensitive data only once after each power-up or after each reset of the computer. The electronic circuit prevents access to the sensitive data by an authorized program. The electronic circuit utilizes its own storage medium and a random access memory, the latter of which can receive and store the sensitive data from the non-transitory computer storage medium. The method uses a software driver and a copy-of-copy of first security key obtained from the sensitive data stored on the electronic circuit. The software driver installs a software module on the computer using the copy-of-copy of first security key to encrypt each installed file.
Type: Grant
Filed: December 7, 2020
Date of Patent: July 20, 2021
Assignee: Atense, Inc.
Inventor: John Almeida
-
Patent number: 11042816
Abstract: Vehicle access control is disclosed. In various embodiments, a vehicle reservation from a wireless communication device is received, the vehicle reservation is authenticated, and access to the vehicle is provided after authenticating the vehicle reservation. In various embodiments, a system for vehicle access control includes a vehicle access control component that is configured to provide access to a vehicle and a communication interface for communication with a wireless communication device, a communication interface for communication with a wireless communication device. Access to the vehicle is provided when a vehicle reservation is received from the wireless communication device.
Type: Grant
Filed: October 28, 2010
Date of Patent: June 22, 2021
Assignee: Getaround, Inc.
Inventors: Sam Zaid, Vijai Anma, Elliot Kroo, Michael Lee Crogan
-
Patent number: 11012429
Abstract: Described embodiments provide systems and methods for remapping connections to tunnels selected based on a security level of the communications. A first network device may be in communication with a second network device via a plurality of communication tunnels. The plurality of communication tunnels may include an encrypted communication tunnel and an unencrypted communication tunnel. The first network device may receive a packet, the packet including header information and a payload. The first network device may determine whether the received packet is encrypted to meet a threshold level of security. The first network device may, responsive to determining that the packet is to meet the threshold level of security, communicate an identifier of the payload and the header information to the second network device via the encrypted communication tunnel, and communicate the payload to the second network device via the unencrypted communication tunnel.
Type: Grant
Filed: December 5, 2018
Date of Patent: May 18, 2021
Assignee: Citrix Systems, Inc.
Inventors: Praveen Raja Dhanabalan, Surya Prakash Patel, J Mohan Rao Arisankala
-
Patent number: 10999318
Abstract: A middlebox includes at least one processor and a memory storing one or more executable instructions that, when executed by the least one processor, cause the at least one processor to receive, from a server, a middlebox key that includes an indication of a lifetime of the middlebox key, receive, from a client device, one or more data packets including encrypted header data and a client device identifier, and determine whether to permit a transmission of the one or more data packets to the server or prevent a transmission of the one or more data packets to the server based on the middlebox key, the encrypted header data, and the client device identifier.
Type: Grant
Filed: July 5, 2018
Date of Patent: May 4, 2021
Assignee: UNIKEN INC.
Inventors: Robert Alan Levine, Nishant Kaushik, Bimal I. Gandhi
-
Patent number: 10992453
Abstract: A system architecture providing memory encryption suitable for protection against liquid nitrogen and trace probe attacks. In one embodiment, a method of and system for memory encryption are provided. A write request is received at a memory controller. The write request includes first data and a first address. The memory controller is embedded in a CPU and is operatively coupled to memory external to the CPU. The first data are encrypted at the memory controller to generate encrypted first data. The encrypted first data are written to the memory.
Type: Grant
Filed: May 18, 2016
Date of Patent: April 27, 2021
Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
Inventors: John B. Geagan, Dulce B. Ponceleon
-
Patent number: 10984121
Abstract: A method for protecting content, comprising receiving, from a client device, a request for an encryption key for encrypting the content comprising a reference associated with the client device, identifying a set of supported security capabilities corresponding to the reference associated with the client device, identifying a set of required security capabilities corresponding to the content associated with the key request, determining if the set of supported security capabilities satisfy the set of required security capabilities, and in response to determining that the supported security capabilities satisfy the set of required security capabilities, transmitting the encryption key to the client device.
Type: Grant
Filed: August 31, 2018
Date of Patent: April 20, 2021
Assignee: ARRIS Enterprises LLC
Inventors: Ananth Seetharam, Sean J. Higgins, Paul R. Osborne
-
Patent number: 10892903
Abstract: A communication system includes a first communication system and a second communication terminal. The first communication terminal generates a first shared key, and the second communication terminal generates a second shared key. During an exchange operation, the first communication terminal stores the second shared key of the second communication terminal, and the second communication terminal stores the first shared key of the first communication terminal. During a challenge operation, the first communication terminal sends a challenge string to the second communication terminal, the second communication terminal generates a response string by performing reversible encryption operations to the challenge string with the first shared key and the second shared key, the second communication terminal sends the response string to the first communication terminal, and the first communication terminal verifies the response string.
Type: Grant
Filed: April 8, 2019
Date of Patent: January 12, 2021
Assignee: eMemory Technology Inc.
Inventor: Meng-Yi Wu
-
Patent number: 10892895
Abstract: A system and method improves operational performance of a computer by enhancing digital security with an added electronic circuit. The electronic circuit stores sensitive data in an un-erasable state such that the sensitive data may not be altered. The electronic circuit limits transfer of the sensitive data only once after each power-up or after each reset of the computer. The electronic circuit prevents access to the sensitive data by an authorized program. The electronic circuit utilizes its own storage medium and random access memory, the latter of which can receive and store the sensitive data. The method uses a software driver and a copy-of-copy of first security key obtained from the sensitive data stored on the electronic circuit. The software driver installs a software module on the computer using the copy-of-copy of first security key to encrypt each installed file.
Type: Grant
Filed: August 22, 2019
Date of Patent: January 12, 2021
Assignee: Atense, Inc.
Inventor: John Almeida
-
Patent number: 10853784
Abstract: Embodiments of the invention are directed to a system, method, or computer program product for providing a real-time determination of resource availability for usage via an interactive forecast interface with incorporated dashboard. In this way, the invention provides a real-time overlay forecast interface on a mobile device. The system gains access to one or more resources of a user and compiles the resources into an interactive forecast interface for visualization, manipulation, and mock manipulation of resources. The invention converts resource data extracted from the sources of the resource into a textual format encrypted for secure implementation and use into the interactive forecast interface.
Type: Grant
Filed: January 4, 2016
Date of Patent: December 1, 2020
Assignee: BANK OF AMERICA CORPORATION
Inventors: Kevin T. Cole, Matthew Hsieh, Scott R. Enscoe, Caitlin Chrisman Bullock
-
Patent number: 10841406
Abstract: A method for communication in an IP network is described. The method includes a first communicating device initializing a communication with a second communicating device, signalling to the second communicating device that the first communicating device is compatible with multi-path User Datagram Protocol (UDP) communications. If the second communicating device is also compatible with multi-path UDP communications, one of the first or second communicating devices transmits data to the other device using the UDP transport protocol, including in the messages containing said data, regardless of the path used, a single context identifier, allowing the receiving communicating device to correlate all of the UDP datagrams associated with the same multi-path UDP communication.
Type: Grant
Filed: June 16, 2017
Date of Patent: November 17, 2020
Assignee: ORANGE
Inventors: Mohamed Boucadair, Christian Jacquenet
-
Patent number: 10803230
Abstract: The present teaching relates to a communication authentication device that includes a data storage system, a first communication interface, a display screen, and a processor. The processor is connected to the data storage system, first communication interface, and display screen. The processor may be configured to: acquire a first message in a binary format via the first communication interface; decode the first message in the binary format in accordance with a message formatting standard (e.g., the H standard, which requires particular sizes of messages), to obtain a first decoded message in a text format; and transmit the first decoded message in the text format to the display screen for comparison purposes.
Type: Grant
Filed: November 17, 2016
Date of Patent: October 13, 2020
Assignee: BULL SAS
Inventor: Khalid Lhasnaoui
-
Patent number: 10755345
Abstract: One embodiment provides a system that facilitates secure transfer of funds. During operation, the system generates, by a server, an authentication identifier for a payee of a bank account, wherein the authentication identifier indicates the bank account and a corresponding payment account of the payee. The system receives, from a payer, a message which indicates a first command to transfer a payment amount to the payee, wherein the first command includes the authentication identifier. In response to successfully verifying the authentication identifier, the system extracts information associated with the payment account and the bank account from the authentication identifier. The system transfers the payment amount to the bank account of the payee based on the extracted information.
Type: Grant
Filed: November 25, 2015
Date of Patent: August 25, 2020
Assignee: Alibaba Group Holding Limited
Inventor: Jian Sun
-
Patent number: 10735196
Abstract: An access management system is disclosed that can provide access to resources by password-less authentication. The access management system can provide multiple layers of security for authentication taking into account risk factors (e.g., device, location, etc.) to ensure authentication without compromising access. Contextual details of a user based on a mobile device can be used for authentication based on possession of a device. Password-less authentication of a user may be enabled by registration of devices and/or a location (e.g., a geographic location) as trusted. Security data embedded with encrypted data can be sent to a first device for password-less authentication of a user at the device. A second device registered with the user can obtain the security data from the first device. The second device can decrypt the data and send the decrypted data to the access management system for verification to enable password-less authentication at the first device.
Type: Grant
Filed: November 7, 2018
Date of Patent: August 4, 2020
Assignee: Oracle International Corporation
Inventors: Venugopal Padmanabhan Shastri, Sreenivasa R. Chitturi, Vamsi Motukuru, Mandar Bhatkhande, Sunil Kumar Joshi
-
Patent number: 10713336 Abstract: A configuration in which usage control that is substantially similar to content usage control in a copy source medium can be performed in a content copy destination is implemented. A data processing unit that performs a copy process of recording data recorded on a first medium on a second medium records encrypted content in the first medium on the second medium, without decrypting the encrypted content. In addition, the data processing unit converts a CPS unit key file recorded on the first medium to generate a converted CPS unit key file and records the converted CPS unit key file on the second medium. Further, the data processing unit acquires an MKB not requiring KCD, which is capable of directly calculating a media key using only a device key, without using key conversion data (KCD) recorded on the first medium, from a server and records the MKB not requiring KCD on the second medium. Type: Grant Filed: August 19, 2016 Date of Patent: July 14, 2020 Assignee: SONY CORPORATION Inventors: Kenjiro Ueda, Tateo Oishi
-
Patent number: 10638313 Abstract: Systems and methods for confirming a cryptographic key. The system includes an electronic controller configured to generate an electronic message in response to an installation of a secret key on the electronic controller, the electronic message comprising information about the installation of the secret key, digitally sign the electronic message using a manufacturer private key, encrypt the electronic message, store the electronic message in a memory, access the stored electronic message in response to a request by a user, decrypt the electronic message, confirm a digital signature of the electronic message using a manufacturer public key, generate a confirmation message, and send the confirmation message to a user. Type: Grant Filed: October 26, 2017 Date of Patent: April 28, 2020 Assignee: Robert Bosch GmbH Inventors: Robert J. Lambert, Robert M. Kaster
-
Patent number: 10630646 Abstract: Method, apparatus and system for communicating between a machine to machine, M2M, device 110 and a device management, DM, server 420 over SMS, comprising: obtaining key material, the key material configured to protect data communicated between the M2M device 110 and the DM server 420. Protecting data to be communicated using the key material. Communicating the protected data between the M2M device 110 and the DM server 420 over SMS. Type: Grant Filed: September 12, 2014 Date of Patent: April 21, 2020 Assignee: VODAFONE IP LICENSING LIMITED Inventors: Nick Bone, Friedhelm Rodermund
-
Patent number: 10581844 Abstract: A method for access authentication includes receiving a facial recognition picture from a mobile electronic apparatus of a user. The facial recognition picture is compared to a stored facial recognition picture of the user. If a positive match exists, an authorization key is transmitted to a locking mechanism. The stored facial recognition picture can include a picture stored on a picture database populated by each transmitted facial recognition picture. In certain embodiments, the facial recognition picture can be retrieved from a social media account. Type: Grant Filed: August 31, 2015 Date of Patent: March 3, 2020 Assignee: UTC Fire & Security Corporation Inventor: Kimmo A. Kyllonen
-
Patent number: 10581604 Abstract: A Post-Quantum Computing Cryptographic communication protocol including a lattice based RSA algorithm, the protocol may include: generating a public key and a private key pair; encrypting a message using a public key pair; transmitting the encrypted message over a communication channel; and decrypting the encrypted message using a private key pair, wherein the generating the public key and the private key pair includes: selecting a first random vector from lattices using a Klein's Algorithm; selecting a second random vector from lattices using the Klein's Algorithm; generating a shortest random vector using a Gauss Sieve algorithm; taking a first vector product of the first random vector and the second random vector; calculating a Totient function of the first vector product; converting the Totient function to the first vector product; generating the public key pair; and generating the private key pair. Type: Grant Filed: January 15, 2018 Date of Patent: March 3, 2020 Assignee: COMSATS Institute of Information Technology Inventors: Iqra Mustafa, Tanveer Khan, Masoom Alam, Nadeem Javaid, Abid Khan, Adnan Akhunzada
-
Patent number: 10554789 Abstract: Key based authorization for programmatic clients is described. One or more server computers receive a request for an action on one or more target resources, the request indicating the action to be performed on the one or more target resources at the resource access point, and a key identifying a client program running on a client computer system. A data store that stores mapping data representing one or more associations among keys, actions and target resources is queried. An existence, in the data store, of an association of a particular key corresponding to a particular client program, with a particular target resource and with a particular action associated with the particular target, represents the particular client program having authorization to perform the particular action on the particular target resource. The system authorizes performance of the action on the one or more target resources for the request. Type: Grant Filed: November 14, 2016 Date of Patent: February 4, 2020 Assignee: Coupa Software Incorporated Inventor: Bradley Rosintoski
-
Patent number: 10523644 Abstract: A system based on layered, two-tier double cryptographic keys providing a closed cryptosystem within a secured network environment, the system including a digital key management device and a network node. The digital key management device generates a first-tier cryptographic key, a second-tier cryptographic key and makes the first-tier and second-tier cryptographic keys publicly accessible within a first and a second secured walled regions that are accessible to a network node registered to a first authentication database associated with an access server of the system, encrypts a first and second content with the first-tier and second-tier cryptographic keys, and generates encrypted first and second content. The network node requests access to the first secured walled region, accesses the first-tier and the second-tier cryptographic keys, decrypts the first and second content, generates first and second data containers based on the decrypted content, and transfers the data containers to a client device. Type: Grant Filed: October 3, 2016 Date of Patent: December 31, 2019 Assignee: SWISS REINSURANCE COMPANY LTD. Inventor: Oliver Werneyer
-
Patent number: 10505729 Abstract: Embodiments manage access to cryptography keys for database data, within a secure key store of a local key server owned by a new (security) operating system (OS) user separate from an original default OS user. Existing principles governing distinct OS user access privileges engrained within the OS itself, are leveraged to preclude the default OS user from accessing files of the new security OS user. Embodiments thus segregate the right to read secure cryptography keys of a secure key store, from the right to administer database installation on the OS level. While the original default OS user retains access to the encrypted data, the new security OS user now owns the cryptography key necessary to decrypt that database data. Thus, the default OS user is denied enough information to unlock the database data, enhancing its security. Embodiments are particularly useful for promoting data security in cloud setups and multi-tenant databases. Type: Grant Filed: November 9, 2016 Date of Patent: December 10, 2019 Assignee: SAP SE Inventors: Meinolf Block, Christoph Hohner, Martin Schindewolf, Sascha Zorn
-
Patent number: 10504116 Abstract: A method is described for providing user authentication and user consent for a transaction made with a payment device. A user authentication step is taken to verify that a user is entitled to use the payment device, and a user consent step is taken to verify that the user consents to the transaction. The user authentication step is discrete from the user consent step. A payment device adapted to perform this method is also described. Type: Grant Filed: September 16, 2016 Date of Patent: December 10, 2019 Assignee: Mastercard International Incorporated Inventors: Mehdi Collinge, Patrik Smets
-
Patent number: 10496999 Abstract: Methods and apparatuses of controlling a network payment are disclosed, which obtain a payment record when a selection of a payment instrument is needed, and determine a preferred payment instrument for a current transaction based on the payment record. By analyzing the payment record, a payment success rate of each payment instrument supported by a current payer under a current business scenario may be obtained, and a payment instrument having a maximum payment success rate may be set as the preferred payment instrument for the current transaction. The embodiments of the present disclosure therefore are able to implement an automatic selection of a payment instrument, reduce manual operations of a payer, simplify a payment process, and improve the payment efficiency and the transaction efficiency. Type: Grant Filed: July 21, 2015 Date of Patent: December 3, 2019 Assignee: Alibaba Group Holding Limited Inventor: Jianwei Jin
-
Patent number: 10491388 Abstract: A system uses a multi-level encryption and tokenization mechanism to allow for fields of a larger object to be individually tokenized and encrypted. Protected data is encrypted using an encryption key and a generated token is displayed in its place. The encryption key is then encrypted using a secondary key. To dereference a token, a requesting application provides the token and associated context to a token service, which searches a token store for a record having both the token and the context. If such a record is located, the token service generates a secondary key and decrypts the encryption key. The decrypted encryption key then decrypts the protected data and transmits the data to the requesting application. Type: Grant Filed: March 1, 2019 Date of Patent: November 26, 2019 Assignee: Uber Technologies, Inc. Inventor: Ronald Dana Kuris
-
Patent number: 10447688 Abstract: A system and method provides security features for inter-computer communications. A user identifier of the user that cannot be used to log the user in to a data consolidating system is received by a matching system from the data consolidating system. The validity of the user is checked at the matching system and, in response to the checking, the user identifier is converted to a different user identifier and the different user identifier is provided to a data providing system by the matching system. The data providing system provides the data of the user in response, and the matching system forwards the data to the data consolidating system. Type: Grant Filed: August 20, 2018 Date of Patent: October 15, 2019 Assignee: Charles Schwab & Co., Inc. Inventor: William Page
-
Patent number: 10423940 Abstract: A session to enroll customers to make payments has two stages, a first stage completed on the telephone or on a merchant or debt collector website, and a second stage completed via a communications link such as a telephone or Internet link. The customer enrollment record is linked to financial account information received from the customer in the second stage and stored on a second, secure server. A token linked to the securely stored financial account information is returned to the merchant and then used by the merchant to initiate payments on that financial account. The merchant's personnel and customer record system do not store or have access to the underlying financial account information. Type: Grant Filed: January 17, 2017 Date of Patent: September 24, 2019 Assignee: Autoscribe Corporation Inventors: Robert E. Pollin, Brian E. Downey, Jr., Sean A. Fleming
-
Patent number: 10395458 Abstract: The present disclosure relates to a method and a system for securely accessing a vehicle. The method comprises a preliminary phase, a data exchange phase, and an access phase. The method implements the vehicle, a remote data server, and at least one personal electronic device supplied with a dedicated application. The method implements an elliptic encryption curve, a master key, a primary key, a secondary key, and a tertiary key. Type: Grant Filed: April 19, 2017 Date of Patent: August 27, 2019 Assignee: Dura Operating, LLC Inventors: Arnaud Georges Thooris, Mickaël Roches
-
Patent number: 10375046 Abstract: Methods, devices, and systems for determining whether a received user generated response key matches the generated first unique key, thereby providing an autonomous authentication system to verify the user. The validation computing system may use a unique key to associate with each request for authentication from a client and further validate that unique key. Additionally, the authentication may be validated as an added security measure by a webhost. Type: Grant Filed: January 19, 2016 Date of Patent: August 6, 2019 Inventor: Arsen Samvelian