Abstract: Identity systems, methods, and media for auditing and notifying users concerning verifiable claims are provided.

Abstract: There may be provided a method for block chain based facial recognition, the method may include receiving a request, by a controller and from a requesting entity, to utilize a facial recognition service that is block chain based; determining, by the controller, whether to fulfil the request or to reject the request; utilizing the facial recognition service to provide a response to the request and outputting the response when determining to fulfill the request; and rejecting the request when determining to reject the request.

Abstract: The present invention provides a processing device (1) including a storage unit (112) that stores device-specific information in association with device identification information for identifying each of a plurality of devices, an authentication key request reception unit (101) that receives an authentication key request including device identification information, an authentication key issuing unit (102) that issues an authentication key, a license key request reception unit (103) that receives a license key request including the device identification information and the authentication key, a license key issuing unit (104) that issues a license key, and a revelation control unit (108) that controls revelation of the device-specific information of each device based on issuance states of the authentication key and the license key.

Abstract: A system and method for granting access to network resources through access credentials given to an agent process running on each computer or machine where resource requesters reside. The system extends a traditional token-granting authorization system to the agent processes, where each agent has administrative access to machine information. The agent uses that access to acquire detailed information about resource requesters. Requester qualifications defined by the system limit requester access to resources, and are enforced both by the agent and by the central system on the network resource server. Resource requesters ask for a token for resource use from the agent, not the central system. The agent uses its credentials to get a token from the central system and then return the token to qualified requesters.

Abstract: A processor-implemented system and method for dynamically retrieving an attribute value of an identity claim for a user using a digitally signed access token that is digitally signed by a user device, at a relying party device associated with a relying party. The method includes (i) making an API call to retrieve at least one identity claim for the user, (ii) processing each identity claim of the user, with the relying party device, to identify if at least one by-reference identity claim that includes a URL of an endpoint, (iii) obtaining the digitally signed access token that is digitally signed by the user device, (iv) invoking the URL of the endpoint with the at least one by-reference identity claim and the digitally signed access token, and (v) dynamically retrieving the attribute value from the URL of the endpoint from an issuing party device associated with an issuing party.

Abstract: The present disclosure relates to a communication technique for convergence of IoT technology and a 5G communication system for supporting a higher data transfer rate beyond a 4G system, and a system therefor. The present disclosure can be applied to intelligent services (e.g., smart homes, smart buildings, smart cities, smart or connected cars, health care, digital education, retail business, and services associated with security and safety) on the basis of 5G communication technology and IoT-related technology. Disclosed are a method and an apparatus for securely providing a profile to a terminal in a communication system.

Abstract: The method provides an automated and scalable system for the generation, distribution, management of symmetric pre-shared keys (PSKs) to applications executing on headless and mobile devices. It helps achieve device protection, application security, and data protection with data authenticity and confidentiality in intra-device, inter-device, device-to-edge, and device-to-cloud communications. It helps Transport Layer Security (TLS) enabled applications dynamically acquire and renew PSKs and use identity hints for PSK based authentication ceremony during a TLS handshake. It helps client-server applications dynamically acquire and renew PSKs using keyed-hash message authentication code (HMAC) for data integrity and authenticity, content signing, and data encryption for confidentiality. It helps manage and distribute API shared secrets and API access tokens required for authenticated API requests and API security.

Abstract: A method for automatically attaching a purpose-built electronic device to a provider network includes steps of discovering, by a Wi-Fi module of the purpose-built electronic device, a wireless data network in operable communication with the provider network selecting, by the Wi-Fi module, the wireless data network, transmitting a primary authentication certificate from the Wi-Fi module to an authentication, authorization, and accounting server of the provider network, receiving, by an application server of the provider network, a secondary authentication certificate from a functionality module of the purpose-built electronic device authenticating, by the provider network, the primary and secondary authentication certificates, and attaching the purpose-built device to the provider network.

Abstract: A system and method for securing a private key transaction within blockchain that include receiving an input for initiating a financial transaction between a sender and a recipient. The system and method also include processing a secure wallet that is configured as an encrypted data packet that stores transaction data associated with the financial transaction and account information associated with the sender and the recipient. The system and method additionally include generating a first private key for the sender and a second private key for the recipient. The system and method further include generating a public key that includes encrypted data from the first private key and the second private key and includes the account information associated with the sender and the recipient that is used by at least one blockchain technology provider to pass the financial transaction through the blockchain.

Abstract: Providing an accurate and on-demand status of audit compliance is disclosed. A security policy, agreed upon by a service provider and a service user, is provisioned in a compliance log. A service provider requests to add a first update to the compliance log, the first update indicating that a compliance action has been taken. The first update is added to the compliance log, and a first computational digest of the compliance log is added after adding the first update. An auditor of the compliance action requests to add a second update to the compliance log. The second update is added to the compliance log, and a second computational digest of the compliance log is added after adding the second update. Thereby, the user is provided a more current view of audit compliance that that can be trusted based on the tamper-proof compliance log.

Abstract: A key exchange system in which a shared key is generated for executing encrypted communication between communication apparatuses according to an authenticated key exchange protocol using ID-based encryption, wherein each communication apparatus includes a memory and a processor configured to generate a short-term private key by using a private key of the communication apparatus; generate a short-term public key of the communication apparatus by using the short-term private key; generate private information on the communication apparatus by using the short-term private key, a short-term public key generated by another communication apparatus, and public information generated by the communication apparatus and said another communication apparatus or public information generated by a key delivering center; and generate the shared key for executing encrypted communication with said another communication apparatus by executing a pairing operation using the private key of the communication apparatus and the private

Abstract: A system, method, and computer-readable medium are disclosed for performing a security operation. The security operation includes: monitoring a plurality of actions of an entity, the plurality of actions of the entity corresponding to a plurality of events enacted by the entity; maintaining information relating to the monitoring within a user edge component; identifying an event of analytic utility; analyzing the event of analytic utility at the user edge component, the analyzing generating a security risk assessment; and, providing the security risk assessment to a network edge component.

Abstract: A system includes at least a first computing device, at a financial institution, configured to generate a currency request and apply first-level signature(s) to the currency request. A minting request is generated from the currency request and the first-level signature(s). The system also includes at least a second computing device, at a currency management department, configured to apply second-level signature(s) to the minting request to generate a signed minting request. The system also includes a third computing device, at a director's office, configured to apply third-level signature(s) to the signed minting request. The system also includes a plurality of network nodes, implementing a distributed ledger, configured to verify the first-level signature(s), the second-level signature(s), and the third-level signature(s); and mint the digital currency when the first-level signature(s), the second-level signature(s), and the third-level signature(s) are successfully verified.

Abstract: A slave device continuously transmits a plurality of tuning blocks to a host device at intervals defined by a clock period between a plurality of data blocks at the time of transmitting the plurality of data blocks and by a clock period defined by a data structure of the plurality of tuning blocks.

Abstract: A device configured to identify a first digital document in a digital document repository, to identify a first graphical code that represents the first digital document, and to send the first graphical code to an approved user device. The device is further configured to obtain a second graphical code that represents a public encryption key for the organization and to extract the public encryption key for an organization from the second graphical code. The device is further configured to obtain a third graphical code from the approved user device. The third graphical code represents a second digital document comprising data and a digital signature that was signed using a private encryption key for the organization. The device is further configured to determine the third graphical code passes validation using the public encryption key for the organization and to store the second digital document in a digital document repository.

Abstract: A method includes logging into a server and sending geolocation information to the server by a first device. The first device requests rights to decrypt a secure data file, and in response, the server sends a machine-readable optical label to the first device. The first device displays the machine-readable optical label. A second device logs into the server, and scans the machine-readable optical label displayed by the first device to create a scanned image. The second device decodes data from the scanned image to form decoded data. Geolocation information of the second device and the decoded data are submitted to the server. The decoded data and the geolocation information are validated by the server, and in response to successfully validating the geolocation information, a link completion status indicator is sent to the second device, and information to decrypt the secure data file is sent to the first device.

Abstract: A system includes a centralized repository for tracking rule content and managing subscriptions to rule content by organizations and providers utilizing the system; a rule-evaluation server for receiving requests for rule-evaluations for specific patients, wherein the server determines content needing to be evaluated and retrieves the content to be used; a rule engine for performing the evaluations, wherein content, patient data, and rule evaluation parameters are provided to the engine, and the engine returns recommendations triggered by the evaluation, if any; an aggregator for aggregating recommendations from multiple sources, detecting and coordinating related recommendations, and applying configuration settings based on the patient and/or provider in context; and a client component for coordinating communication between an electronic health records system, the server, and the aggregator.

Abstract: A system and method are provided for identifying a browser instance in a browser session between a server hosting a web domain and the browser instance executing on a user computing device. The method conducted at the browser instance includes obtaining a private key and a public key of a key pair unique to a combination of a web domain and the browser instance being used to access the web domain. The method includes obtaining a browser certificate issued for the key pair and storing the private key at a storage provided by the browser instance for use by the browser instance during an active browser session with the web domain. The private key is stored as unextractable from the storage and with configuration for use by the browser instance during an active browser session with the web domain in signing or cryptographic operations without the private key being revealed.

Abstract: The present invention relates to data rights management and more particularly to a secured system and methodology and production system and methodology related thereto and to apparatus and methodology for production side systems and are consumer side systems for securely utilizing protected electronic data files of content (protected content), and further relates to controlled distribution, and regulating usage of the respective content on a recipient device (computing system) to be limited strictly to defined permitted uses, in accordance with usage rights (associated with the respective content to control usage of that respective content), on specifically restricted to a specific one particular recipient device (for a plurality of specific particular recipient devices), or usage on some or any authorized recipient device without restriction to any one in specific, to control use of the respective content as an application software program, exporting, modifying, executing as an application program, viewing,

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.

Abstract: Computing environments can enable user initiation of wire-transfer application functionalities according to some aspects described herein. For example, a selection by a user of an option in a graphical user interface can be detected. The option can be for initiating a selected functionality of a wire-transfer application in a computing environment, and the user may not be authorized in the computing environment to interact with the wire-transfer application outside of the graphical user interface. In response, a text file can be generated that includes data identifying the selected functionality. The text file can be stored in a predefined storage location that is monitored by the execution service. The execution service can automatically detect a presence of the text file in the predefined storage location. In response, the execution service can automatically issue a command to the wire-transfer application for causing the wire-transfer application to execute the selected functionality.

Abstract: A method for automatic pairing of two devices for wireless communication includes detecting, by a first device, that a second device is in a communicable range of the first device, where the first device has not been paired with the second device for wireless communication. The method may include determining, by the first device, by communicating with a third device, that the second device is paired with the third device. The first device and the third device are also paired previously. The method may include transmitting, by the third device, a key material to the second device. The method may include confirming, by the first device and by the second device, that the key material matches. The method may include establishing, by the first device, a communication link with the second device for wireless communication in response to the key material being a match.

Abstract: A method of processing a transaction between a customer and a merchant includes receiving from a mobile device of the customer or from another device of the customer an indication of consent to perform a cardless payment transaction with the merchant, receiving from the mobile device an indication that the customer is within a predetermined distance of the merchant, after receiving both the indication of consent and the indication that the customer is within the predetermined distance, sending to a computer system of the merchant an indication of the presence of the customer and personal identifying information for the customer, receiving data indicating a transaction between the customer and the merchant, and submitting the transaction to a financial service for authorization.

Abstract: A method comprises one or more of measuring metrics of a node during boot up, storing the metrics, generating a signature record from the stored metrics, and broadcasting the signature record when said node initializes a network connection.

Abstract: This disclosure relates to systems and methods for performing cryptographic operations in connection with the management of electronic content using multiple license services. In some circumstances, a content service may not wish to share unencrypted content keys with a single license service for a variety of security reasons. Embodiments of the disclosed systems and methods may use multi-party cryptographic methods in connection with the management of protected content keys and/or associated licenses and/or the distribution of content keys and/or licenses to authorized users and/or devices. In various embodiments, a content service may split a content key into a plurality of key shares and may transmit the key shares to a plurality of different license services. The license services may coordinate operations to generate a protected content key without revealing unencrypted content key to any of the participating license services.

Abstract: An apparatus includes a memory configured to store labels of virtual private networks (VPNs) in a first local label space. The apparatus also includes a processor to assign a first label block identifier (LBI) to a first block of labels in the first local label space and assign a first tuple to a first VPN. The first tuple includes the first LBI and a first label index (LI) that indicates a location of a first label of the first VPN within the first block of labels. The apparatus also includes a transceiver configured to provide the first tuple to routers that allocate second blocks of labels from second local label spaces based on the first tuple. The second routers store the first label at locations in the second label spaces indicated by the first LI.

Abstract: A computing system that is configured to receive requests to send computer executable programs to a data owner system associated with a data source for execution of the computer executable program by the data owner system. The data owner system may store to a blockchain a permitted list of programming functions, function libraries, function syntax definitions, and execution environment requirements. The computing system may be further configured to retrieve the permitted lists. The computing system may be further configured to evaluate the computer executable program using the permitted lists to determine if the computer executable program may be executed by the data owner system. The evaluation may be performed by generating an abstract syntax tree of the computer executable program. The computing system may be further configured to send the computer executable program to the data owner system if the computer executable program satisfies the conditions of the permitted lists.

Abstract: A system and method for checking the sanction status of an entity to determine whether the entity is prohibited from engaging in transactions with an organization. The system and method include receiving a request to form an agreement between an organization and an entity and maintaining, in a sanctioned entity blacklist, associations between a plurality of entities and a plurality of identifiers. Each identifier of the plurality of identifiers indicates that a respective entity of the plurality of entities has sanctioned entity status prohibiting the respective entity from engaging in a transaction with one or more organizations. The system and method include determining a sanctioned entity status associated with the entity based on a digital certificate and the sanctioned entity blacklist. The system and method include generating, responsive to determining the sanctioned entity status associated with the entity, an error condition indicating that the digital certificate failed validation.

Abstract: A carrier network may provide for asymmetric key exchange for end to end encryption between user equipment utilizing capability upload and discovery messages of the carrier network. For example, a carrier network may receive a capability upload message from a first user equipment. The carrier network may determine that the capability upload message includes a key bundle for end to end (E2E) encryption of communications. In response, the carrier network may store the key bundle in a key distribution center (KDC). The carrier network may also receive, from a second user equipment, a capability discovery message requesting capability information for the first user equipment. In response, the carrier network may request and receive the key bundle from the KDC and transmit the key bundle to the second user equipment.

Abstract: An exchange processing system may include multiple exchange components that are respectively included in multiple computing systems. A central exchange component may receive a request to enable access to secured data, the request having identity data encrypted via an identity encryption module and inquiry data encrypted via a first request encryption module. The central exchange component may decrypt the identity data via the identity encryption module, and decrypt the inquiry data via the first request encryption module. Response data may be generated from secured data that is selected based on the identity and inquiry data. The central exchange component may encrypt the response data via a second request encryption module and re-encrypt the identity data via the identity encryption module. The encrypted identity and response data may be provided to a second remote exchange module.

Abstract: Example embodiments relate to transaction authentication using biometric inputs from multiple users. The biometric inputs are input via a single computing entity simultaneously or within a configurable time period. The biometric inputs can be used to generate a transaction authentication record to authenticate the transaction.

Abstract: A cryptographic communication system includes: a first cryptographic communication apparatus including a first tamper-resistant device configured to store a first key generation function and a first storage unit configured to store first individual information; and a second cryptographic communication apparatus including a second tamper-resistant device configured to store a second key generation function and a second storage unit configured to store second individual information. The first cryptographic communication apparatus generates a twelfth shared key using the first key generation function and the second individual information. The second cryptographic communication apparatus generates a twenty first shared key using the second key generation function and the first individual information.

Abstract: Techniques and structures to provide secure data transfer between entities in a multi-user on-demand computing environment. An electronic device may comprise at least one physical memory device, one or more processors coupled with the at least one physical memory device, the one or more processors configurable to create a scratch organization within the computing environment, receive, via a user interface, a metadata selection comprising a plurality of metadata resources which define a set of components for a service implemented in an origin organization of the multi-user, on demand computing environment, extract the plurality of metadata resources from the origin organization within the computing environment into a metadata bundle, and deploy the metadata bundle in the scratch organization. Additional subject matter may be described and claimed.

Abstract: Techniques and structures to provide secure data transfer between entities in a multi-user on-demand computing environment. An electronic device may comprise at least one physical memory device, one or more processors coupled with the at least one physical memory device, the one or more processors configurable to create a scratch destination organization within the computing environment, receive, via a user interface, a metadata selection comprising a plurality of metadata resources, extract the plurality of metadata resources from an origin organization within the computing environment into a metadata bundle, and deploy the metadata bundle in the scratch organization. Additional subject matter may be described and claimed.

Abstract: Systems, methods, and articles of manufacture to securely share data stored in a blockchain. A contactless card may receive a request to provide a data element from a device. An applet of the contactless card may encrypt the data element and a wallet address. The applet may generate a signature for the request, and transmit, to a mobile device, the signature and the encrypted data. The mobile device may transmit, to a verification service, the signature and encrypted data. The verification service may verify the signature based on a public key. A node in a blockchain may generate a block in the blockchain, the block comprising indications of the verification of the signature, the requested data element, and the wallet address. An encrypted data element corresponding to the data element may be decrypted using a public key. The device may receive the decrypted data element from the wallet address.

Abstract: A communication device may: comprise an output unit configured to output first information obtained by using a first public key in a memory in a case where a predetermined instruction is inputted to the communication device; after the first information has been outputted, receive an authentication request in which the first public key is used from a terminal device; send an authentication response to the terminal device; establish a wireless connection between the communication device and an external device; and in a case where a predetermined condition is satisfied after the first information has been outputted, create a second public key different from the first public key and store the second public key in the memory. In a case where the predetermined instruction is inputted to the communication device again, the output unit may be configured to output second information obtained by using the second public key in the memory.

Abstract: A system and method is provided to allow access to centralized patient data captured from a medical device across an open network to a third party. The system and method receives the request based upon patient-specific information, checks the request and allows access if the request matches stored information.

Abstract: A secure multi-party computation implements real number arithmetic using modular integer representation on the backend. As part of the implementation, a secret shared value jointly stored by multiple parties in a first modular representation is cast into a second modular representation having a larger most significant bit. The parties use a secret shared masking value in the first representation, the range of which is divided into two halves, to mask and reveal a sum of the secret shared value and the secret shared masking value. The parties use a secret shared bit that identifies the half of the range that contains the masking value, along with the sum to collaboratively construct a set of secret shares representing the secret shared value in the second modular format. In contrast with previous work, the disclosed solution eliminates a non-zero probability of error without sacrificing efficiency or security.

Abstract: A method and apparatus for secured, multi-lateral, assured data transfer over a computer network for the assured exchange of data between counterparties related to qualifying transactions, the method being accomplished by a distributed computing system including a distributed ledger platform and an off-chain data host platform. On-chain authorization tokens are used to track data access rights, enforce access policies, and control distribution of encryption keys.

Abstract: A method for key agreement between a first party and a second party over a public communications channel, the method including selecting, by the first party, from a semigroup, a first value “a”; multiplying the first value “a” by a second value “b” to create a third value “d”, the second value “b” being selected from the semigroup; sending the third value “d” to the second party; receiving, from the second party, a fourth value “e”, the fourth value comprising the second value “b” multiplied by a fifth value “c” selected by the second party from the semigroup; and creating a shared secret by multiplying the first value “a” with the fourth value “e”, wherein the shared secret matches the third value “d” multiplied by the fifth value “c”.

Abstract: Disclosed is a computer-implemented method for establishing a secure connection between two electronic computing devices which are located in a network environment, the two electronic computing devices being a first computing device offering the connection and a second computing device designated to accept the connection, the method comprising executing, by at least one processor of at least one computer, a connection-establishing application for exchanging an information packet between the first computing device and the second computing device comprising a secret usable for establishing the connection, and evaluating a response from the second computing device for establishing the secure connection.

Abstract: A public-key scheme of Homomorphic Encryption (HE) in the framework Quotient Algebra Partition (QAP) comprises: encryption, computation and decryption. With the data receiver choosing a partition or a QAP, [n, k, C], a public key Keypub=(VQen, Gen?) and a private key Keypriv=†P† are produced, where VQen is the product of an n-qubit permutation V and an n-qubit encoding operator Qen, Gen? an error generator randomly provides a dressed operator ?=V†EV spinor error E of [n, k, C]. Then, by Keypub, the sender can encode his k-qubit plaintext Ix) into an n-qubit ciphertext |?en, which is transmitted to the cloud. The receiver prepares the instruction of encoded computation Uen=PV†Qen† for a given k-qubit action M and sends to cloud, where is the error-correction operator of [n, k, C], =I2n?k?M the tensor product of the (n?k)-qubit identity I2n?k and M , and V†Q†en and P the complex-transposes of VQen and †P† respectively.

Abstract: A system and method for granting access to network resources through access credentials given to an agent process running on each computer or machine where resource requesters reside. The system extends a traditional token-granting authorization system to the agent processes, where each agent has administrative access to machine information. The agent uses that access to acquire detailed information about resource requesters. Requester qualifications defined by the system limit requester access to resources, and are enforced both by the agent and by the central system on the network resource server. Resource requesters ask for a token for resource use from the agent, not the central system. The agent uses its credentials to get a token from the central system and then return the token to qualified requesters.

Abstract: Embodiments relate to systems, apparatuses, and methods for performing transaction signing utilizing asymmetric cryptography and a private ledger. A transaction data is signed by a user device using a private key, and may be utilized in an authorization request message without including a real credential of the user. A transaction verification and accounting module (TVAM) can verify the signed transaction data and can continue processing the transaction.

Abstract: In an example, a method of encryption is described to include generation of a content encryption key and a key encryption key. In that example, the content encryption key is wrapped based on a key wrap operation using the key encryption key and the wrapped content encryption key is encrypted using a policy encryption key. Further in that example, the policy encryption key is encrypted using a public key corresponding to a print apparatus. In an example, a method of decryption is described. The example method of decryption performs recovery of a policy object using a private key corresponding to a print apparatus. In that example, the policy object includes a wrapped key that is unwrapped using a key encryption key to recover a content encryption key usable to decrypt an encrypted electronic document.

Abstract: Disclosed are methods for utilizing a memory device as a security token. In one embodiment, a method includes receiving a request to perform an operation; transmitting a nonce to a memory device; receiving a second nonce from the memory device, the second nonce encrypted using a private key of the memory device; verifying the second nonce using a public key of the device, held by the host system; and executing the operation upon successfully verifying the second nonce.

Abstract: The present invention relates in particular to a pairing method between a multimedia unit and one operator having an operator identifier, the multimedia unit having a multimedia unit identifier and receiving conditional access data from said operator, the method being characterized in that: receiving by the multimedia unit a multimedia unit key formed by applying a first cryptographically function to a personalization key and to the multimedia unit identifier; receiving by the operator an operator key formed by applying a second cryptographically function to said personalization key and to the operator identifier; said multimedia unit further having a function of the multimedia unit and said operator further having a function of the operator, these functions being such that the result of the application of the function of the operator to said operator key and to said multimedia unit identifier is equal to the result of the application of the function of the multimedia unit to said multimedia unit key a

Abstract: A tool for providing a user configured one-time password. Responsive to receiving a request for a one-time password, the tool sends the one-time password, based at least in part, on a user configured one time password rule. The tool receives a user configured one-time password return value for the one time password. The tool determines whether the user configured one-time password return value satisfies the user configured one-time password rule when applied to the one-time password. Responsive to a determination that the user configured one-time password return value satisfies the user configured one time password rule, the tool accepts the user configured one-time password return value and granting access to the application.

Abstract: Set of two or more dongles for providing a digital signature, wherein each dongle holds a secret key, wherein each dongle is configured to receive a message, to compute a digital signature of the received message using the secret key, and to transmit the computed digital signature, wherein at least one of the dongles is configured to, before computing the digital signature, verify the presence of at least one other dongle belonging to the set, and to compute the digital signature only upon successful verification of the presence of one or more other dongles.

Abstract: Systems and methods that may be used to provide multitenant key derivation and management using a unique protocol in which key derivation may be executed between the server that holds the root key and a client that holds the derivation data and obtains an encryption key. In one or more embodiments, the derivation data may be hashed. The disclosed protocol ensures that the server does not get access to or learn anything about the client's derived key, while the client does not get access to or learn anything about the server's root key.