Abstract: This disclosure relates to method and system for encrypting and decrypting a facial segment in an image with a unique server key. The method includes receiving an image from one of a plurality of users. The image includes a plurality of facial segments. The method further includes, for each facial segment from the plurality of facial segments, identifying a unique user associated with the facial segment using a facial recognition algorithm, encrypting the facial segment with a unique server key, generating a protection frame, unlockable with the unique server key, to cover the facial segment, and decrypting the facial segment while rendering the image for at least one of the plurality of users upon receiving the unique server key from the at least one of the plurality of users.

Abstract: A system, method, and computer program product are provided for sending and receiving messages using a noisy cryptographic system. To send a message, N secret keys are negotiated using a noisy cryptographic system, where K secret keys are expected to be noiseless. A secret polynomial that includes the N secret keys is generated, and K points on the secret polynomial are derived. For each of the N secret keys, a secret key MAC key is derived and a secret key MAC is calculated using the derived secret key MAC key. A secret key MAC header is generated that includes an array of each of the secret key MACs and possibly a corresponding public key. Message integrity plaintext is generated that includes an encrypted message, the secret key MAC header, and an array of the K points on the secret polynomial. A final message that includes the message integrity plaintext is generated for being sent.

Abstract: An electronic apparatus includes: a wireless communication unit wirelessly communicating with an external access point; and a processing unit performing communication control for the wireless communication unit. The processing unit performs uninstallation of driver software causing the wireless communication unit to operate and installation of the driver software after the uninstallation, as a self-repair and reboot, when there is an error in wireless connection with the external access point.

Abstract: The present invention relates to the field of quantum communication, especially a quantum key distribution device that can be configured with multiple protocols. It uses the simplified Faraday-Michelson interference ring in combination with the intensity modulator to perform timestamp encoding in a chopping manner. The phase modulation is completed with a Sagnac ring device composed of a single-polarization phase modulator, a polarization beam splitter and a Faraday rotator, so as to achieve the purpose of composite encoding and decoding, thus realizing a quantum key distribution device which can be configured with multiple protocols and multiple decoy state schemes. This device can be compatible with multiple protocols including BB84 protocol, the reference frame-independent protocol, the six-state protocol and SARG protocol and is characterized with polarization-independent phase modulation and low system complexity.

Abstract: There is provided a method for authentication in device to device discovery. A method performed by a Discoverer device, comprises broadcasting a direct discovery request, receiving a direct discovery response from a Discoveree device, the direct discovery response comprising a first token, and the Discoverer device using the first token to verify that the Discoveree device is authorized to respond to the direct discovery request.

Abstract: An information intermediating apparatus in an information transaction system including an information providing apparatus, an information acquiring apparatus and the information intermediating apparatus connected to a communication network, includes: a first receiver that receives second information, of first and second information necessary for restoring transaction object information, and first feature information indicating a feature of the first information; a second receiver that receives second feature information from the information acquiring apparatus, the second feature information being calculated from the first information transmitted to the information acquiring apparatus from the information providing apparatus; a feature information determination unit that determines whether an identity is present between the first feature information and the second feature information; and a transmitter that transmits the second information to the information acquiring apparatus, when the feature information d

Abstract: A method of authenticating data received from a user device by a service provider may include receiving user credentials from the user device via a secure communication channel; upon verifying the user credentials, providing to the user device via the secure channel a permission token, where the permission token includes at least a shared secret, where a data within the permission token is not observable to the user device and a shared secret data outside the data of the permission token, the shared secret data observable to the user device; and receiving a request from the user device via a non secure communication channel, where the request may include at least the permission token and a hash digest formed using at least a portion of the shared secret data.

Abstract: In one implementation, the disclosure provides systems and methods for generating a secure signature using a device-specific and group-specific moving target authentication protocol. According to one implementation, generating the secure signature entails determining a state of a first device in association with a select time interval. The state of the first device is defined by one or more time-variable characteristics of the first device. The device computes an output for a signing function that depends upon the determined state of the first device associated with the first time interval.

Abstract: A communication method and a device, the method including obtaining, by a terminal device, a security key, where the terminal device performs the obtaining while the terminal device is in a state in which the terminal device has disconnected a radio resource control (RRC) connection from a first network device, and in which the terminal device retains context information for a context, in the first network device, of the terminal device, and sending, by the terminal device, a first message to a second network device, where the first message includes an identifier of the terminal device and at least one of encrypted uplink data or encrypted signaling, the at least one of encrypted uplink data or encrypted signaling is encrypted by using the security key, and where the second network device is different from the first network device.

Abstract: The controller circuitry is configured to identify one of the plurality of different position assistance information for use by the terminal device to identify a position of the terminal device, and to estimate the position of the terminal device by combining the identified position assistance information with the radio signal received by the position detection receiver circuitry. The position assistance information is identified in accordance with a permission allocated to the terminal device. By providing system information which is unencrypted and other system information which is encrypted, conditional access to the position assistance information can be provided in which a lowest level of position assistance information can provide the least level of position estimation accuracy.

Abstract: An SeNB informs an MeNB that it can configure bearers for the given UE. At this time, the MeNB manages the DRB status, and then sends a key S-KeNB to the SeNB. The MeNB also sends a KSI for the S-KeNB to both of the UE and the SeNB. After this procedure, the MeNB informs an EPC (MME and S-GW) about the new bearer configured at the SeNB, such that the S-GW 50 can start offloading the bearer(s) to the SeNB 30. Prior to the offloading, the EPC network entity (MME or S-GW) performs verification that: 1) whether the request is coming from authenticated source (MeNB); and 2) whether the SeNB is a valid eNB to which the traffic can be offload.

Abstract: A system, method, and computer program product are provided for sending and receiving messages using a noisy cryptographic system. To send a message, N secret keys are negotiated using a noisy cryptographic system, where K secret keys are expected to be noiseless. A secret polynomial that includes the N secret keys is generated, and K points on the secret polynomial are derived. For each of the N secret keys, a secret key MAC key is derived and a secret key MAC is calculated using the derived secret key MAC key. A secret key MAC header is generated that includes an array of each of the secret key MACs and possibly a corresponding public key. Message integrity plaintext is generated that includes an encrypted message, the secret key MAC header, and an array of the K points on the secret polynomial. A final message that includes the message integrity plaintext is generated for being sent.

Abstract: Electronically signed data is persistently stored in data storage. After the passage of time, the data may be accessed and presented to a trusted entity for verification of the data. The trusted entity may have access to secret information used to sign the data. The trusted entity may use the secret information to verify an electronic signature of the data. One or more actions may be taken based at least in part on a response provided by the verification system.

Abstract: A Method and a system for managing undesired service requests sent from at least one terminal to a network are described, wherein the network comprises a network node for storing trusted service-information. The method comprises the steps of: the network receiving a service request from a terminal, the request comprising service request information; and, sending, preferably via a secure communication channel, a user verification request for requesting the user to verify the service requested by the terminal if at least part of the service request information is not listed in the trusted service-information.

Abstract: A security device providing a security function for an image, a camera device including the same, and a system on chip (SOC) for controlling the camera device are provided. An image transmitting device may include an image processor configured to process an image to be transmitted to an external device, and a security circuit including a key shared with the external device. The security circuit may be configured to generate a tag used for image authentication by using data of a partial region of the image and the key based on region information for selecting the partial region of the image. The image transmitting device may be configured to transmit the tag, generated to correspond to the image, to the external device with data of the image.

Abstract: A lifecycle management method, system, and computer program product include establishing a public key infrastructure (PKI) for end-to-end encryption of control plane and data plane communications by providing encryption between arbitrary components for applicant execution where an interaction pattern is isolated, secure, and a multi-tenant environment.

Abstract: Embodiments as disclosed herein may provide systems and methods for component integration and security. In particular, in one embodiment, a native component that presents a network based interface may be on a device, where that native component may expose a network based interface for access by other components. This native component can then be accessed through the network based interface. To address security concerns and other issues, the native component may be configured to determine if a received request is associated with the same user space and only respond to requests originating from the same user space.

Abstract: A method performed by a network server is provided for authentication and key management for a terminal device in a wireless communication network. The method includes authenticating the terminal device during a primary authentication session for the terminal device. The method further includes responsive to a successful authentication of the terminal device, obtaining a first key. The method further includes generating bootstrapping security parameters. The parameters include a second key derived from the first key and a temporary identifier. The temporary identifier identifies the terminal device and the bootstrapping security parameters.

Abstract: The disclosed computer-implemented method for preventing data loss from data containers may include (1) identifying, at a computing device, a process running in a data container on the computing device, (2) intercepting an attempt by the process to exfiltrate information from the computing device via at least one of a file system operation or a network operation, and (3) performing a security action to prevent the intercepted attempt. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: An authentication method for a QKD process includes: a sender selects a basis for preparing authentication information according to an algorithm in an algorithms library, and respectively applies different wavelengths to send quantum states of control information and data information according to a preset information format; a receiver filters the received quantum states, employs a basis of measurement corresponding to the algorithm to measure the authentication information quantum state, sends reverse authentication information when the measurement result is in line with the algorithm, and terminates the distribution process otherwise. In addition, the sender terminates the distribution process when its local authentication information is inconsistent with the reverse authentication information.

Abstract: The present disclosure relates to processing operations configured to efficiently enable a client and a server to establish secure communication upon initial connection between the client and the server. Upon initial connection to with the server, the client provides an encrypted token which serves as both proof of authentication/identity and provides, in the encrypted token, an encryption key that the server can utilize to initiate secure communication with the client. The server is able to trust the encrypted token and the encryption key because the encrypted token is signed and encrypted by an authentication service that has a trusted relationship with the server and because the authentication service has pre-shared decryption and signature verification keys with the server. The server utilizes the encrypted key to secure communications with the client without requiring additional processing to lookup client identity or any further intervention from the authentication service.

Abstract: A method of sharing of a reference key (AppKey) between a connected object and at least one server. The method includes the object applying a function (f) to at least one datum (DevEUI, AppEUI, DevNonce) and to a key (KSE) specific to a secure element of the object to generate the reference key, transmitting to the server a join request of the object to a network of connected objects, which include the datum, and the key (KSE) of the secure element not being transmitted to the server. The method further includes obtaining, by the server, of the key (KSE) of the secure element on the basis of the request, the server applying the function (f) to the datum and to the key (KSE) obtained by the server, so as to obtain the reference key.

Abstract: This application relates to a technique that enables a software application to perform an operation on a file stored on a file system, while enforcing privacy measures. The technique includes receiving, from a file browser, a selection of file made accessible by a file access service. The file access service is associated with the file system storing the file. The file browser executes in a mode that prevents the software application from identifying content displayed within the file browser. The technique also includes, provided the software application is authorized to access the file, communicating a first list of operations for receipt by the software application, in which the software application selects a first subset of operations, to perform on the file. Furthermore, the technique includes establishing, to perform the first subset of operations on the file, a first direct communication link between the software application and the file access service.

Abstract: An improved financial terminal automatically reconfigures into different financial processing terminal types. In one embodiment, the terminal comprises a housing; a card reader configured to accept at least a portion of a card having an integrated circuit; at least one display; at least one processor; and at least one memory configured to store machine readable code, the machine readable code comprising a first kernel corresponding to a first transaction type and a second kernel corresponding to a second transaction type.

Abstract: Methods, systems and apparatus are provided for facilitating financial transactions using an IC type financial card via a terminal. A user is provided a list of transaction types, such as PIN-based, signature-based, etc., and a requested transaction is processed via a first selected transaction type. If the transaction is unsuccessful, the terminal automatically presents a list of remaining available transaction types from which the user may select and the transaction is processed by the next selected transaction type. If the transaction is successful, funds are provided to the user, such as in the form of currency/coins or funds transfer.

Abstract: A system and method of downloading firmware into an embedded device while maintaining the integrity and confidentiality of the firmware is disclosed. In one embodiment, the process comprises four phases. In the first phase, unauthenticated content is written into the memory of the embedded device. In the second phase, this content is verified. In the third step, a secure connection is established between the host and the embedded device. In the fourth step, the firmware is loaded into the embedded device using this secure connection. The firmware is encrypted as it is transferred from the host to the embedded device and is never accessible outside of the embedded device.

Abstract: In aspects of string matching in encrypted data, a computing device stores homomorphic encrypted data as a dataset, and implements a string matching application that receives an encrypted query string as a query of the homomorphic encrypted data. The string matching application can then apply algorithms to perform addition and multiplication operations, and determine whether there are matching strings of the encrypted query string in the dataset. The string matching application can compute, for each row of the dataset, a sum of some function of dataset bits and query bits for a row result, and multiply the row results of the computed rows to determine matching strings. Alternatively, the string matching application can compute, for each row of the dataset, a product over some function of the dataset bits and the query bits for a row result, and add the row results of the computed rows to determine matching strings.

Abstract: Embodiments of the present invention may provide the capability for performing public-key encryption with proofs of plaintext knowledge using a lattice-based scheme that provides improved efficiency over conventional techniques. For example, in an embodiment, a computer-implemented method of verifying encryption may comprise generating a ciphertext, derived from a plaintext, via an encryption scheme, proving validity of the ciphertext, wherein the proof includes at least one challenge value, and using a decryption procedure that recovers a plaintext by choosing at least one additional challenge value at random from a challenge space.

Abstract: Various embodiments relate to a key protocol exchange that provide a simple but still secure key exchange protocol. Security of key exchange protocols has many aspects; providing and proving all these properties gets harder with more complex protocols. These security properties may include: perfect forward secrecy; forward deniability; key compromise impersonation resistance; security against unknown key share attack; explicit or implicit authentication; key confirmation; protocol is (session-)key independent; key separation (different keys for encryption and MACing); extendable, e.g. against DOS attacks . . . (e.g. using cookies, . . . ); support of early messages; small communication footprint; and support of for public-key and/or password authentication.

Abstract: Systems and methods that efficiently combine multiple wireless networks or devices resulting in faster, more reliable, and more secure mobile Internet. A Virtual Private Network (VPN) service application is operated to route outgoing and incoming data packets of a mobile device. The mobile device is (i) either coupled to a remote server through the VPN service application for data packets transfer between the remote server and the mobile device or (ii) performs cross-layer translation for data packets transfer between the mobile device and direct target hosts on the Internet. Concurrently using multiple channels secures data packets transfer by sending encrypted data packets over multiple channels and receiving the encrypted data packets by a single apparatus. Data packets are designated to be transferred via a Wi-Fi channel or a cellular channel, and then transferred using both the Wi-Fi channel and the cellular channel.

Abstract: In one embodiment, a method for automatic inference of meeting attendance is provided. The method comprises sending a calendar request to a plurality of users that are invited to a meeting. The method further comprises receiving from each user of the plurality, a unique string identifying the user. The method further comprises generating a lookup table identifying the users of the plurality and their respective unique strings. The method further comprises receiving a first string broadcasted by a first user during the meeting. The method further comprises, responsive to determining that the broadcasted first string does not match one of the unique strings in the lookup table, performing an action to prevent the first user from receiving meeting content determined to be confidential.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment concurrently communicates with a source base station (BS) and a target BS on a connection with the source BS and a connection with the target BS as part of a make-before-break (MBB) handover procedure; and performs a common packet data convergence protocol (PDCP) function for the connection with the source BS and the connection with the target BS before the connection with the source BS is released as part of the MBB handover procedure. Numerous other aspects are provided.

Abstract: A system and related methods for providing greater security and control over access to classified files and documents and other forms of sensitive information based upon a multi-user, multi-modality permission strategy centering on organizational structure, thereby making authentication strategy unpredictable so to significantly reduce the risk of exploitation. Based on the sensitivity or classification of the information being requested by a user, approvers are selected dynamically based on the work environment, e.g., mobility, use of the computing device seeking access, authentication factors under applicable environmental settings, access policy, and the like.

Abstract: A method and system for deterring attacks at potential breach points between servers and an account and login server for creating and subsequent verification of accounts. Various cryptographic primitives are used to manipulate passwords to generate verifiers. The verifiers are used with external hardware security modules (HSMs) to eliminate HSMs and intermediate steps between the HSM and login servers as potential breach points.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for creating source-specific, persistent patient identifiers for healthcare service providers. One method includes accessing a record of healthcare data, wherein the record includes patient identifying information (PII) associated with one or more persons to whom the healthcare data pertains. The portions of PII included in the accessed record of healthcare data are extracted from the accessed record and encrypted. Based on one or more business rules, one or more hashed tokens are created by applying one or more hashing functions to the extracted portions of PII. A source-specific identifier is received, the source-specific identifier having been encoded in a manner specific to an organization associated with the computer system and having been encoded with reference to the one or more hashed tokens. An association is stored between the source-specific identifier and the accessed record of healthcare data.

Abstract: A computer-implemented method of a distributed database system includes generating a database index. The method includes mapping a first specified number of bits of the database index to a database key. The method includes mapping a second specified number of bits to a data object associated with the database key. The method includes storing the first specified number of bits of the database key in a dram memory. The method includes storing second specified number of bits with the data object in a solid-state device (SSD) storage.

Abstract: This invention establishes means and protocols to secure data, and practice online authentication, using large undisclosed amounts of randomness, replacing the algorithmic complexity paradigm. Computation is limited to basic primitives like transposition, and bit-flipping. Security is credibly appraised through combinatorics calculus, and this transfers the security responsibility to the user who determines how much randomness to use.

Abstract: Users desire a system that provides for the setting of custom, content-agnostic, permissions at a message, document, and/or sub-document-level through a communications network. Such a system may also allow the user to apply customized privacy settings and encryption keys differently to particular parts of a document. Customized encryption keys may be applied to particular parties (or groups of parties) to enhance the security of the permissions settings. In the case of structured document file types, dynamically-rendered content can present a challenge to accurately display to viewers, because one or more of the document's values referred to by the dynamically-rendered content may be encrypted or otherwise unavailable to the recipient—even though the dynamically-rendered content itself is viewable by the recipient.

Abstract: An improved financial terminal automatically reconfigures into different financial processing terminal types. In one embodiment, the terminal comprises a housing; a card reader configured to accept at least a portion of a card having an integrated circuit; at least one display; at least one processor; and at least one memory configured to store machine readable code, the machine readable code comprising a first kernel corresponding to a first transaction type and a second kernel corresponding to a second transaction type.

Abstract: The present disclosure relates to a method and a device for processing a verification code. The method includes: acquiring the verification code in a message; determining whether the verification code has expired; and allowing an operation corresponding to the verification code if the verification code has not expired.

Abstract: A system includes a processor configured to detect a vehicle wireless signal at a first frequency-band. The processor is also configured to choose a second signal at a second frequency-band having a predefined relationship to a requested action. The processor is further configured to connect to the second signal and lower a signal data-transfer rate, responsive to the detection, and use the second signal to perform a time-of-flight based user-proximity detection, to determine if a user is within a vehicle proximity range associated with the requested action.

Abstract: A method for leveraging a first secure channel of communication between a first agent and a second agent to create a second secure channel of communication between the first agent and a third agent. The method includes creating the first secure channel of communication between the first agent and the second agent using a configurable data-driven initial process on a first computing device. Responsive to the first agent receiving a request from the third agent to establish the second secure channel of communication, the method further includes retrieving identifying information from the third agent. The method further includes ending the identifying information from the third agent to the second agent over the first secure channel of communication. Responsive to receiving approval of the third agent's request from the second agent, the method further includes establishing the second secure channel of communication.

Abstract: There is provided a communication device including: a storage unit configured to store an authentication key generated from a plurality of keys; a communication unit configured to receive authentication key identification information for specifying the authentication key; and an authentication unit configured to perform an authentication process for a transmission source of the authentication key identification information using the authentication key specified from the storage unit based on the authentication key identification information.

Abstract: A secure instant messaging (IM) system integrates secure instant messaging into existing instant messaging systems. A certificate authority (CA) issues security certificates to users binding the user's IM screen name to a public key, used by sending users to encrypt messages and files for the user. The CA uses a subscriber database to keep track of valid users and associated information, e.g. user screen names, user subscription expiration dates, and enrollment agent information. A user sends his certificate to an instant messaging server which publishes the user's certificate to other users. Users encrypt instant messages and files using an encryption algorithm and the recipient's certificate. A sending user can sign instant messages using his private signing key. The security status of received messages is displayed to recipients.

Abstract: A wireless communication device 1 encrypts a passphrase which corresponds to a communication mode after change and which is a character string for authentication by using an encryption key PTK corresponding to a communication mode before change, and transmits the encrypted passphrase to a wireless communication device 2, and also creates an encryption key PTK corresponding to the communication mode after change from the passphrase corresponding to the communication mode after change. The wireless communication device 2 receives the encrypted passphrase transmitted from the wireless communication device 1 and decrypts the encrypted passphrase by using an encryption key PTK corresponding to the communication mode before change, and also creates an encryption key PTK corresponding to the communication mode after change from the decrypted passphrase.

Abstract: A method for communicating medical data includes forming a secure channel between a first medical device and a second medical device connected to each other through a network on the basis of first authentication information of the first medical device and second authentication information of the second medical device; encrypting medical data that is obtained by the first medical device using a secure circuit that is provided in the first medical device; and transmitting the encrypted medical data to the second medical device through the secure channel.

Abstract: A method of authenticating to a computer server involves a first authentication client transmitting an authentication token to the computer server via a first communications channel, and a second authentication client receiving a payload from the computer server via a second communications channel distinct from the first communications channel in accordance with an outcome of a determination of authenticity of the authentication token by the computer server.

Abstract: Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.

Abstract: Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.

Abstract: Using the same mathematical principle of paring with errors, which can be viewed as an extension of the idea of the LWE problem, this invention gives constructions of a new key exchanges system, a new key distribution system and a new identity-based encryption system. These new systems are efficient and have very strong security property including provable security and resistance to quantum computer attacks.