Public Key Patents (Class 380/30)
  • Patent number: 9667657
    Abstract: Disclosed are systems and methods for utilizing a dedicated computer security service. An exemplary method includes storing in an electronic database rules that indicate when to use either a first cloud service or a second cloud service for one of the security services, receiving a request from a client computer to access the security service, determining parameters relating to the received request, applying the parameters to the plurality of rules to determine an instruction indicating whether to transmit the request to the first cloud service or the second cloud service; and transmitting the request to either the first cloud service or the second cloud service, based on the instruction, to use the at least one security service.
    Type: Grant
    Filed: August 4, 2015
    Date of Patent: May 30, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Andrey A. Efremov, Anton S. Lapushkin
  • Patent number: 9667444
    Abstract: A data transmission and reception system for sending and receiving data between a sender and a receiver via a network. The system includes an authorizing server maintaining time information and authorizing a sender server after subjecting the sender server to examination and after the sender server is licensed by the authorizing server to issue electronic postmarks. The sender server is connected to a network to send data via the network, wherein the sender server is authorized by the authorizing server to issue the electronic postmarks. A receiver server is connected to the network to receive the data from the sender server via the network. The sender server issues the time information and attaches the time information to the data to be sent from the sender server.
    Type: Grant
    Filed: January 7, 2009
    Date of Patent: May 30, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yohichi Katoh, Yohichiro Sumito
  • Patent number: 9654295
    Abstract: The technologies relate to a system and method for electronic signature agnostic verification. The method involves receiving a request to verify an electronic signature, thereafter validating an integrity of the electronic signature on the basis of one or more predefined validation parameters and validation fields, then analyzing the validated electronic signature to obtain one or more features of the validated electronic signature, further decoding the analyzed electronic signature using one or more decode parameters, and finally comparing the decoded electronic signature with a predefined value received from one or more sources, to check the correctness of the decoded electronic signature. The technique supports various electronic signature formats and electronic signature standards.
    Type: Grant
    Filed: September 3, 2015
    Date of Patent: May 16, 2017
    Assignee: Infosys Limited
    Inventors: Ashutosh Saxena, Shikha Gupta, Harigopal K. B. Ponnapalli
  • Patent number: 9647835
    Abstract: An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.
    Type: Grant
    Filed: December 14, 2012
    Date of Patent: May 9, 2017
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Jeremy N. Shapiro, Dana J. Burd
  • Patent number: 9641328
    Abstract: Methods and systems are disclosed for generating a public-private key pair. A programmed processor displays a plurality of questions and inputs two or more answers to two or more of the plurality of questions in response to user input. The processor computes the public-private key pair as a function of the two or more answers to the two or more questions and stores the public-private key pair in memory coupled to the processor.
    Type: Grant
    Filed: March 10, 2014
    Date of Patent: May 2, 2017
    Assignee: IOnU Security, Inc.
    Inventors: David W. Bennett, Alan M. Frost
  • Patent number: 9641516
    Abstract: A digital certificate incorporated within a communication is received from a server associated with a host name. Resource records associated with the host name are caused to be queried for a list of certificate authorities. In response to causing the resource records to be queried, the list of certificate authorities is received. A certificate authority is identified within the received digital certificate. The identified certificate authority is compared to the received list of certificate authorities. A determination is made, based on the comparison, that the identified certificate authority is included in the received list of certificate authorities.
    Type: Grant
    Filed: July 1, 2015
    Date of Patent: May 2, 2017
    Assignee: International Business Machines Corporation
    Inventors: John F. Behnken, Yaser K. Doleh, Mauro Marzorati
  • Patent number: 9635216
    Abstract: An image forming apparatus having a hardware resource including at least a scanner device or a printer device, a display device, and processing circuitry that activates a platform program and a plurality of application programs, the platform program being used from each of the plurality of applications, the plurality of application programs including at least a secure application program, the secure application program conducting a user authentication, receives an input of a user authentication information for the user authentication, conducts the user authentication using the received user authentication information, and displays, in response to satisfying the user authentication, a screen for using a function of the image forming apparatus on the display device.
    Type: Grant
    Filed: January 29, 2016
    Date of Patent: April 25, 2017
    Assignee: RICOH COMPANY, LTD.
    Inventor: Kunihiro Akiyoshi
  • Patent number: 9635012
    Abstract: A method for deriving a verification token from a credential may be provided. The credential may be a set of attributes certified by an issuer to a user using a public key of the issuer. The method may comprise generating the verification token out of the credential and binding the verification token to a context string, wherein the verification token may comprise at least one commitment. A commitment may be a blinded version of an attribute. The method may also comprise generating an opening key for the verification token enabling a generation of a confirmation for a validity of the attribute.
    Type: Grant
    Filed: April 17, 2014
    Date of Patent: April 25, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 9634999
    Abstract: Mobile device key management is disclosed. A master key is secured using a password-based key to generate a first encryption information. The password-based key is generated based at least in part on a password associated with a mobile device. The master key is also secured using an unlock key to generate a second encryption information. The unlock key is stored at a server, and in certain cases is not stored on the mobile device. The first encryption information and the second encryption information are stored on the mobile device. The mobile device is configured to extract the master key from the first encryption information using the password. In the event that the master key is not extracted using the password, the mobile device is configured to extract the master key from the second encryption information using the unlock key received from the server.
    Type: Grant
    Filed: November 4, 2014
    Date of Patent: April 25, 2017
    Assignee: MOBILE IRON, INC.
    Inventors: Eric M. Marion, Robert Elliott Whiteman
  • Patent number: 9628276
    Abstract: A hierarchical key generation and distribution mechanism for a computer system in which devices are organized into secure enclaves. The mechanism enables network access to be tailored to approximate minimum needed privileges for each device. At the lowest level of the hierarchy, keys are used to form security associations between devices. Keys at each level of the hierarchy are generated from keys at a higher level of the hierarchy and key derivation information. Key derivation information is readily ascertainable, either from identifiers for devices or from within messages, supporting hardware offload of cryptographic functions. Because keys may be generated based on the enclaves in which the hosts participating in a security association are located, the system includes a mechanism by which devices can discover the enclave in which they are located.
    Type: Grant
    Filed: December 8, 2012
    Date of Patent: April 18, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Daniel R. Simon, Brian D. Swander, Pascal Menezes, Gabriel E. Montenegro
  • Patent number: 9619662
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for implementing virtual network pairs between virtual machines and other devices. In one aspect, a method includes associating each of a plurality of different virtual machine network addresses with a respective host machine network address; receiving, from a sender, a request for a source virtual machine to communicate with a destination virtual machine; determining that the source virtual machine is authorized to communicate with the destination virtual machine; selecting, from the associations, a host machine network address for the destination virtual machine; generating a token based at least partly on the selected host machine network address and on a secret key of the destination virtual machine, wherein the secret key is not known by the source virtual machine; and sending the selected host machine network address and generated token to the sender.
    Type: Grant
    Filed: January 11, 2012
    Date of Patent: April 11, 2017
    Assignee: Google Inc.
    Inventors: Joseph S. Beda, III, Cristian Petrescu-Prahova, Christoph Kern
  • Patent number: 9621547
    Abstract: Technologies are provided in embodiments to establish trust between a trusted execution environment (TEE) and a peripheral device. Embodiments are configured to communicate with an attestation server to generate an encryption key, and to establish, using the encryption key, a secure connection with an authentication server to enable communication between the authentication server and the peripheral device. Embodiments are also configured to receive a pairwise master key if the peripheral device is authenticated and to receive a trusted communication from the peripheral device based, at least in part, on the pairwise master key. Embodiments may also be configured to identify a connection to the peripheral device before the peripheral device is authenticated to the authentication server, receive an identifier from the peripheral device, and establish a connection to an attestation server based on at least a portion of the identifier.
    Type: Grant
    Filed: December 22, 2014
    Date of Patent: April 11, 2017
    Assignee: McAfee, Inc.
    Inventors: Avishay Sharaga, Alex Nayshtut, Oleg Pogorelik, Igor Muttik, Ned M. Smith
  • Patent number: 9614847
    Abstract: Method and system for user authentication are described. The method comprises receiving an authentication code from an application server seeking authentication of the user. Further, a private key of the user is computed in real time based on a user identity (ID) of the user and a master secret key of the PKG. The method further comprises, ascertaining a verification code based on the private key of the user and a verification timestamp, wherein the verification timestamp indicates a time at which the ascertaining of the verification code was initiated. Further, the authentication code is compared with the verification code. Further, the method comprises authenticating the user based on the comparison.
    Type: Grant
    Filed: March 5, 2015
    Date of Patent: April 4, 2017
    Inventors: Rajan Mindigal Alasingara Bhattachar, Shivraj Vijayshankar Lokamathe, Barkur Suryanarayana Adiga, Balamuralidhar Purushothaman, Sitaram Venkata Chamarty
  • Patent number: 9613221
    Abstract: A device that displays signed application cards. The device receives a card object that includes: an application function identifier that identifies an application function of a native application, a digital signature, and a certificate that comprises a public key. The device verifies the authenticity of the digital signature with the public key in the certificate. The device determines that the certificate is signed by a developer of the native application referenced by the card object. The device renders an application card on the display based on the information included in the card object. The application card includes a text string, an image, an audio, and/or an image. The device overlays an indicator onto the application card. The indicator indicates that the authenticity of the digital signature has been verified. The indicator also indicates that the developer of the native application authorized the rendering of the application card.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: April 4, 2017
    Assignee: Quixey, Inc.
    Inventors: Russel Reed, Eric Glover, Joseph Barrientos
  • Patent number: 9614683
    Abstract: A device that displays signed application cards. The device receives a card object that includes: an application function identifier that identifies an application function of a native application, a digital signature, and a certificate that comprises a public key. The device verifies the authenticity of the digital signature with the public key in the certificate. The device determines that the certificate is signed by a developer of the native application referenced by the card object. The device renders an application card on the display based on the information included in the card object. The application card includes a text string, an image, an audio, and/or an image. The device overlays an indicator onto the application card. The indicator indicates that the authenticity of the digital signature has been verified. The indicator also indicates that the developer of the native application authorized the rendering of the application card.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: April 4, 2017
    Assignee: Quixey, Inc.
    Inventors: Russel Reed, Eric Glover, Joseph Barrientos
  • Patent number: 9614680
    Abstract: A method of signature capture for a document uses a portable digital media device with a touch responsive screen on which the signer traces his signature. A URL address is sent to the device and opened in the web browser. The URL address is valid for a limited period of time, and the signature is stored at a webpage associated with the URL address.
    Type: Grant
    Filed: September 22, 2014
    Date of Patent: April 4, 2017
    Assignee: Standard Register, Inc.
    Inventor: Keyton Weissinger
  • Patent number: 9614677
    Abstract: A first circuit representation of a given function is obtained at a first processing device. The given function comprises at least two computer programming switch statement clauses. A second circuit representation is generated at the first processing device from the first circuit representation wherein the at least two computer programming switch statement clauses are respectively represented by at least two tree circuits that are embedded in the second circuit representation such that the second circuit representation is characterized by a given cost (e.g., a minimum cost). The second circuit representation is encrypted at the first processing device, and sent to a second processing device for secure evaluation of the given function by the second processing device.
    Type: Grant
    Filed: January 7, 2015
    Date of Patent: April 4, 2017
    Assignee: Alcatel-Lucent USA Inc.
    Inventors: William S. Kennedy, Gordon T. Wilfong, Vladimir Kolesnikov
  • Patent number: 9608817
    Abstract: Homomorphic evaluation of a function is performed on input ciphertext(s), which were encrypted using a public key of an encryption scheme that also includes multiple secret keys. Each input ciphertext includes multiple real numbers that are kept with finite precision. Performing the homomorphic evaluation of the function includes performing operation(s). Performing each of one or more operations includes the following. A key-switching transformation is performed on selected ciphertext(s), including converting a first version of a selected ciphertext with respect to a first of the secret keys and with some number r bits of precision to a second version of the selected ciphertext with respect to a second of the secret keys and with some other number r′ bits of precision, r′>r. Each key switching transformation is performed prior to or after the operation(s) are evaluated. Results of the operation(s) are output.
    Type: Grant
    Filed: January 28, 2016
    Date of Patent: March 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Craig B. Gentry, Shai Halevi, Nigel P. Smart
  • Patent number: 9602497
    Abstract: A method, system and computer program product for ensuring PKI key pairs are operatively installed within a secure domain of a security token prior to generating a digital certificate. The public key component of the PKI key pair is incorporated into a digital certificate which is returned to the security token for storage. The arrangement included herein incorporates the use of a critical security parameter to ensure a chain of trust with an issuing entity such as a registration authority. Furthermore, the arrangement does not require security officer or system administrator oversight during digital certificate generation as the critical security parameter provides a sufficient level of trust to ensure that digital certificate generation is being performed in conjunction with a designated security token rather than a rogue application. Lastly, separate inventive embodiments allow alternate communications and verification arrangements to be implemented.
    Type: Grant
    Filed: April 4, 2016
    Date of Patent: March 21, 2017
    Assignee: Assa Abloy AB
    Inventor: Eric F. LeSaint
  • Patent number: 9600387
    Abstract: Providing efficient data replication for a transaction processing server is provided. A notification is received from the transaction processing server which completes a transaction of a message. The notification includes a message digest and a message identifier. The message identifier in the received notification is compared with a stored message identifier. In response to a match of the comparing of the message identifier, the message digest in the received notification is compared with a stored message digest. In response to a match of the comparing of the message digest, a stored input message is directly stored in a physical storage.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: March 21, 2017
    Assignee: International Business Machines Corporation
    Inventors: Johnson Y S Chiang, Jeffrey C H Liu, Chih-Wen Su, Ying-Kai Wang
  • Patent number: 9600443
    Abstract: Mechanisms for tracking an entity are provided. A time is determined by a sensor having a clock, the time being within a time slot in a series of time slots. First data of the time slot is provided and shared between a plurality of sensors. The sensor receives data from the movable entity. The sensor calculates identifying data from the received data for identifying the entity. Derivative identifying data is calculated by applying a modifying function using the provided first data for modifying the identifying data. The sensor calculates a hash value by taking the derivative identifying data as input. The sensor sends a message to a central server for determining the position of the entity, the message comprising the hash value and an identifier of the sensor.
    Type: Grant
    Filed: January 14, 2013
    Date of Patent: March 21, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gherardo Albano, Dario De Judicibus
  • Patent number: 9589154
    Abstract: An improved secure programming technique involves reducing the size of bits programmed in on-chip secret non-volatile memory, at the same time enabling the typical secure applications supported by secure devices. A technique for secure programming involves de-coupling chip manufacture from the later process of connecting to ticket servers to obtain tickets. A method according to the technique may involve sending a (manufacturing) server signed certificate from the device prior to any communication to receive tickets. A device according to the technique may include chip-internal non-volatile memory to store the certificate along with the private key, in the manufacturing process.
    Type: Grant
    Filed: July 7, 2014
    Date of Patent: March 7, 2017
    Assignee: Acer Cloud Technology Inc.
    Inventors: Pramila Srinivasan, John Princen
  • Patent number: 9590990
    Abstract: A Universal TAI handles multiple identifications by means of an internal lookup table. When authenticating and authorizing requests, from a pre-registered customer, that are serviced by an application server, a reverse proxy security server receives requests of different protocols and associates user identification information of a single user with different formats based on the types and protocols of the requests. The Universal TAI determines a fundamental identification of the user from a lookup table, substitutes the fundamental identification into the requests of different protocols for the same user principal, and passes the request with the fundamental identification to the application server.
    Type: Grant
    Filed: May 11, 2009
    Date of Patent: March 7, 2017
    Assignee: International Business Machines Corporation
    Inventors: Jennifer E. King, Timothy J. Smith, Anthony W. Wrobel, Jr.
  • Patent number: 9590805
    Abstract: A method includes receiving a first input value and a second input value, and obtaining a set of pre-computed values, wherein each pre-computed value is computed as the first input value multiplied by a given multiple in a set of multiples comprising powers of 2. A cryptographic process is performed to generate a cryptographic value based on the first and second input values, and one or more of the pre-computed values, wherein the cryptographic value that is generated is usable to generate a secure message or digital signature. The cryptographic process includes performing an iterative scalar multiplication process in which each step of the iterative scalar multiplication process is performed using a single point add operation to multiply a bit of the second input value with one of the pre-computed values in the set of pre-computed values.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: March 7, 2017
    Assignee: EMC IP Holding Company LLC
    Inventor: Sean F. Parkinson
  • Patent number: 9589151
    Abstract: An apparatus may include an interface to receive a multiplicity of user information samples at a respective multiplicity of instances; a processor circuit, and an entropy multiplexer for execution on the processor circuit to generate a pseudo random number based upon a pseudo random number seed and pseudo random number algorithm for each user information sample of the multiplicity of user information samples. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: March 7, 2017
    Assignee: INTEL CORPORATION
    Inventors: William C. Deleeuw, Ned M. Smith
  • Patent number: 9584527
    Abstract: Embodiments of the invention are directed to systems, methods and computer program products for receiving a request from a user for access to at least one function associated with a first application; determining that access to at least one function requires user authentication; initiating sensing of an authentication validating carrier comprising a first credential; determining the first credential based at least in part on the sensed authentication validating carrier; validating the first credential, thereby resulting in a first successful user authentication; and granting access to at least one function associated with the first application based on the validation of the first successful user authentication.
    Type: Grant
    Filed: February 9, 2016
    Date of Patent: February 28, 2017
    Assignee: BANK OF AMERICA CORPORATION
    Inventors: David M. Grigg, Charles Jason Burrell, Peter John Bertanzetti
  • Patent number: 9584507
    Abstract: Distribution of verification of passwords for electronic account. Password verification is distributed (divided) across multiple entities to reduce potential exposure in the event of a server exposure.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: February 28, 2017
    Assignee: International Business Machines Corporation
    Inventors: Lawrence Koved, Gelareh Taban
  • Patent number: 9584311
    Abstract: A device for decrypting data includes a number of devices secured by at least one security device. The secured devices include a receiver for receiving calculation data encrypted using a homomorphic encryption function and a decryptor for decrypting the encrypted calculation data by carrying out the inverse of the homomorphic encryption function on the encrypted calculation data using a private key assigned to the homomorphic encryption function. A method and a computer program product for decrypting data are also provided.
    Type: Grant
    Filed: November 14, 2012
    Date of Patent: February 28, 2017
    Assignee: Siemens Aktiengesellschaft
    Inventors: Bernd Meyer, Marcus Schafheutle
  • Patent number: 9577827
    Abstract: There is provided an information processing device including a secret key generator that generates a secret key from a random number received from an external device that provides a service, and a given value, a public key generator that generates a public key on the basis of the secret key by using a function identically set in a plurality of the services, a transmitter that transmits the public key to the external device, and an authentication processor that conducts authentication with the external device using the secret key.
    Type: Grant
    Filed: December 19, 2014
    Date of Patent: February 21, 2017
    Assignee: SONY CORPORATION
    Inventors: Seiichi Matsuda, Koichi Sakumoto
  • Patent number: 9577826
    Abstract: The invention relates to a method for generating a prime number, implemented in an electronic device, the method including steps of generating a prime number from another prime number using the formula Pr=2P·R+1, where P is a prime number having a number of bits lower than that of the candidate prime number, and R is an integer, and applying the Pocklington primality test to the candidate prime number, the candidate prime number being proven if it passes the Pocklington test. According to the invention, the size in number of bits of the candidate prime number is equal to three times the size of the prime number, to within one unit, the generated candidate prime number being retained as candidate prime number only if the quotient of the integer division of the integer by the prime number is odd.
    Type: Grant
    Filed: December 12, 2012
    Date of Patent: February 21, 2017
    Assignee: Inside Secure
    Inventors: Benoît Feix, Christophe Clavier, Pascal Paillier, Loïc Thierry
  • Patent number: 9569925
    Abstract: Nested commit/reveal sequences using randomized inputs from each participant in a gaming transaction (e.g., the house and each player) may be employed to provide a selection of outcome or outcomes that can be verified by each participant as free from cheating. In general, techniques may be employed in a variety of distributed gaming transaction environments and as a verification facility for any of a wide variety of games in which the risk of player collusion can be eliminated. Nonetheless, several variations on a distributed card dealing method are illustrative and will be appreciated by persons of ordinary skill in the art as applicable in other gaming environments, including games employing outcomes denominated in die (or dice) rolls, coin toss, wheel spins, blind selection or other ostensibly random selection of an outcome from a predefined set thereof.
    Type: Grant
    Filed: June 30, 2014
    Date of Patent: February 14, 2017
    Assignee: Versata Development Group, Inc.
    Inventors: Brian Showers, Graham Prud'homme, Daniel S. Gindikin, Kyle A. Oppenheim
  • Patent number: 9571267
    Abstract: There is a need to perform recalculation against a fault attack on any public key e within a time period required for one-time modulo exponentiation. A modulo exponentiation operation is expressed as Y = X^d mod N. The modulo exponentiation operation is performed to yield C0 = X^(d′) mod N, C1 = X^d mod N, and T = X^(2^n) mod N, where d′ denotes two's complement of d and n denotes the number of bits in d. The modulo exponentiation operation determines whether or not a remainder resulting from the product of a value of C0 and a value of C1 modulo N matches a value of T. The modulo exponentiation operation assigns the value of C1 to Y if a match is found. The modulo exponentiation operation reports an error if a match is not found. The modulo exponentiation operation applies an RSA decryption process to a modulo exponentiation operation using the Chinese remainder theorem.
    Type: Grant
    Filed: June 9, 2015
    Date of Patent: February 14, 2017
    Assignee: Renesas Electronics Corporation
    Inventors: Kazuhiko Fukushima, Seishiro Nagano
  • Patent number: 9565195
    Abstract: Embodiments of the invention are directed to systems, methods and computer program products for receiving a request from a user for access to at least one function associated with a first application; determining that access to at least one function requires user authentication; initiating sensing of an authentication validating carrier comprising a first credential; determining the first credential based at least in part on the sensed authentication validating carrier; validating the first credential, thereby resulting in a first successful user authentication; and granting access to at least one function associated with the first application based on the validation of the first successful user authentication.
    Type: Grant
    Filed: February 9, 2016
    Date of Patent: February 7, 2017
    Assignee: Bank of America Corporation
    Inventors: David M. Grigg, Charles Jason Burrell, Peter John Bertanzetti
  • Patent number: 9563750
    Abstract: A computer-implemented method of pre-permissioning a computer application is disclosed. The method includes receiving a request from a user to install a software application, identifying one or more computing services required for operation of the software application, presenting the one or more computing services to the user for review, determining whether the user approves installation of the computer application, and installing the application on a computing device assigned to the user if the user approves installation of the computer application.
    Type: Grant
    Filed: December 29, 2015
    Date of Patent: February 7, 2017
    Assignee: Google Inc.
    Inventors: Dianne K. Hackborn, David P. Bort, Joseph M. Onorato, Daniel R. Bornstein, Andrew T. McFadden, Brian J. Swetland, Richard G. Cannings
  • Patent number: 9552482
    Abstract: By comparing a chip unique password, certification for activating a debug function can be established on the chip unique password. Thus, even when the chip unique password is lost due to negligence, not only certification for activating debugging on other motherboards of the same model number can remain unaffected, but also risks caused by replacing a chip or by a private key leakage from a system manufacturer are eliminated.
    Type: Grant
    Filed: March 26, 2014
    Date of Patent: January 24, 2017
    Assignee: MStar Semiconductor, Inc.
    Inventor: Chien-Hsing Huang
  • Patent number: 9544280
    Abstract: Various technologies pertaining to authenticating a password in a manner that prevents offline dictionary attacks are described. A protected module, which can be a hardware security module, a trusted platform module, or the like, is in communication with an authentication server. The protected module comprises a key that is restricted to the protected module. The key is employed in connection with authenticating the password on the protected module.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: January 10, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stuart Edward Schechter, David Alexander Molnar, Jacob Rubin Lorch, Barry Clayton Bond, Bryan Jeffrey Parno
  • Patent number: 9537951
    Abstract: A method of managing devices in a dispersed data storage network is disclosed. A device list is maintained including entries for every device in the dispersed data storage network. Each entry lists a public key, a network address, and hardware identifier for the corresponding device. On startup each device sends a request to join the network. The request includes the device's public key, network address, and hardware identifier. The request is compared with the device list, and, based on the comparison, and, in some cases, administrator action, the request is granted or denied.
    Type: Grant
    Filed: August 25, 2014
    Date of Patent: January 3, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bart Cilfone, Sanjaya Kumar, Steve Hoffman
  • Patent number: 9537652
    Abstract: Embodiments of the present invention relate to encryption key allocation with additional security elements to lessen vulnerability to certain attacks. In one embodiment, a method and computer program product is provided for broadcast encryption. A key bundle encoded in a non-transient machine-readable medium is received. The key bundle comprises a first cryptographic key and an associated first cryptographic function identifier. Encrypted content is received. A key block corresponding to a subset difference tree is received. A first cryptographic triple function corresponding to the first cryptographic function identifier is determined. The subset difference tree is traversed using the first cryptographic key and the first cryptographic triple function to obtain a content cryptographic key. The content cryptographic key is applied to the encrypted content to obtain decrypted content.
    Type: Grant
    Filed: March 27, 2015
    Date of Patent: January 3, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John B. Geagan, III, Dulce B. Ponceleon
  • Patent number: 9537660
    Abstract: The present invention relates to information security and discloses a method of establishing public key cryptographic protocols against the quantum computational attack. The method includes the following steps: definition of an infinite non-abelian group G; choosing two private keys in G by two entities; a second entity computing y, and sending y to a first entity; the first entity computing x and z, and sending (x, z) to the second entity; the second entity computing w and v, and sending (w, v) to the first entity; the first entity computing u, and sending u to the second entity; and the first entity computing KA, and the second entity computing KB, thereby reaching a shared key K=KA=KB. The security guarantee of a public key cryptographic algorithm created by the present invention relies on unsolvability of a problem, and has the advantage of being free from the quantum computational attack.
    Type: Grant
    Filed: August 4, 2014
    Date of Patent: January 3, 2017
    Inventors: Weijian Wang, Xiaofeng Wang
  • Patent number: 9531536
    Abstract: Methods and apparatuses for managing keys in a computerized system are disclosed. A key is determined as a shared key, a key being a shared key when information of the key can be shared by a plurality of entities or would be shared by a plurality of entities as a result of a requested key management operation. A shared key operation is then performed based on the determining.
    Type: Grant
    Filed: March 4, 2015
    Date of Patent: December 27, 2016
    Assignee: SSH COMMUNICATIONS OYJ
    Inventors: Roman Hernandez, Marko Teiste, Antti Huima, Tommi Linnakangas
  • Patent number: 9531691
    Abstract: An infrastructure delivery platform provides an RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash to the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.
    Type: Grant
    Filed: December 17, 2014
    Date of Patent: December 27, 2016
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Philip A. Lisiecki
  • Patent number: 9531540
    Abstract: Various embodiments relate to a method of generating tokens for use in modular exponentiation and a related device and non-transitory machine readable storage medium, including: generating a public token, ?, based on an identifier associated with another device; generating a private token, L, as a modular exponentiation of the public token, ?, using a private exponent, d, and modulus, N, from a cryptographic key; and communicating the private token, L, to the other device.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: December 27, 2016
    Assignee: NXP B.V.
    Inventors: Michaël Peeters, Joppe Bos
  • Patent number: 9530129
    Abstract: The present invention provides a service for allowing secure financial transactions to be carried out, the service involving authenticating a user's identity and/or status as part of a financial transaction with another party and in the event that the user is authenticated arranging for the transaction to be completed without revealing the user's financial details and/or other personal details to that other party. Authentication data and transaction data may be communicated over any suitable communications channel(s). The invention provides a trusted authentication and payment environment that protects a user's financial details, but allows them to be securely authenticated and arranges for transactions to be fulfilled, while providing other parties with reassurance that transactions will be completed. In this way, fraud and theft due to misappropriation of financial details can be minimized.
    Type: Grant
    Filed: May 19, 2015
    Date of Patent: December 27, 2016
    Assignee: Payfont Limited
    Inventor: David Lanc
  • Patent number: 9531531
    Abstract: One feature pertains to an electronic device that includes a memory circuit and a processing circuit. The processing circuit computes a scalar multiplication output Z where Z=k·P by receiving an input multiplier k and a base P, and adds a modifier s to the input multiplier k to generate k'. The processing circuit also computes an intermediate scalar multiplication output Z' where Z'=k'·P by using a digit expansion of k' that includes a sequence of digits k_i belonging to a digit set D. Additionally, the processing circuit subtracts s·P from Z' to obtain the scalar multiplication output Z if k' is odd or subtracts (s+1)·P from Z' to obtain the scalar multiplication output Z if k' is even. The scalar multiplier output Z may be used in a cryptographic security algorithm to secure data.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: December 27, 2016
    Assignee: QUALCOMM Incorporated
    Inventors: Roberto Avanzi, David Jacobson
  • Patent number: 9525666
    Abstract: An endpoint, method, and authorization server are disclosed which can be used to allow concurrent secure and clear text communication. An endpoint includes a computing system including a programmable circuit operatively connected to a memory and a communication interface, the communication interface configured to send and receive data packets via a data communications network. The endpoint also includes a filter defined in the memory of the computing system, the filter configured to define one or more access lists, each access list defining a group of access permissions for a community of interest. The community of interest includes one or more users, and an access list from among the one or more access lists defines a set of clear text access permissions associated with a community of interest. The endpoint also includes a driver executable by the programmable circuit, the driver configured to cooperate with the communication interface to send and receive data packets via the data communications network.
    Type: Grant
    Filed: May 11, 2011
    Date of Patent: December 20, 2016
    Assignee: Unisys Corporation
    Inventors: Sarah K. Inforzato, Ted Hinaman, Robert A. Johnson
  • Patent number: 9525668
    Abstract: In an embodiment, a system includes at least one core and a trusted execution environment (TEE) to conduct an identity authentication that includes a comparison of streamed video data with previously recorded image data. Responsive to establishment of a match of the streamed video data to the previously recorded image data via the comparison, the TEE is to generate an identity attestation that indicates the match. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: December 20, 2016
    Assignee: Intel Corporation
    Inventors: Abhilasha Bhargav-Spantzel, Ned M. Smith, Hormuzd M. Khosravi, Ulhas S. Warrier
  • Patent number: 9521124
    Abstract: A server module evaluates a circuit based on concealed inputs provided by respective participant modules, to provide a concealed output. By virtue of this approach, no party to the transaction (including the server module) discovers any other party's non-concealed inputs. In a first implementation, the server module evaluates a garbled Boolean circuit. This implementation also uses a three-way oblivious transfer technique to provide a concealed input from one of the participant modules to the server module. In a second implementation, the server module evaluates an arithmetic circuit based on ciphertexts that have been produced using a fully homomorphic encryption technique. This implementation modifies multiplication operations that are performed in the evaluation of the arithmetic circuit by a modifier factor; this removes bounds placed on the number of the multiplication operations that can be performed.
    Type: Grant
    Filed: October 19, 2015
    Date of Patent: December 13, 2016
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mariana Raykova, Seny F. Kamara
  • Patent number: 9516006
    Abstract: A re-programmable wireless cryptographic device can store data securely and use near field communication (NFC) to exchange functionality data and/or program code from a central server system through a mobile device. A user requests a new cryptographic device or a new device function via an application on the mobile device. The central server system transmits program code and a public key used to identify the cryptographic device to the mobile device, which functions as a pass-through conduit for the information, storing it until the devices are synced. A NFC communication channel is created, and the mobile device authenticates the cryptographic device by cross-referencing the public key received from the central server system with the public key transmitted by the cryptographic device once the communication channel is established. Upon authentication, the cryptographic device is synced with the mobile device, and the mobile device passes the program code to the cryptographic device.
    Type: Grant
    Filed: October 23, 2013
    Date of Patent: December 6, 2016
    Assignee: GOOGLE INC.
    Inventors: Sarel Kobus Jooste, Shane Farmer, Ismail Cem Paya
  • Patent number: 9514314
    Abstract: Techniques are disclosed for efficient computation of consecutive values of one-way chains and other one-way graphs in cryptographic applications. The one-way chain or graph may be a chain of length s having positions i=1, 2, ..., s each having a corresponding value v_i associated therewith, wherein the value v_i is given by v_i=h(v_{i+1}), for a given hash function or other one-way function h. An initial distribution of helper values may be stored for the one-way chain of length s, e.g., at positions given by i=2^j for 0≤j≤log_2 s. A given one of the output values v_i at a current position in the one-way chain may be computed utilizing a first helper value previously stored for another position in the one-way chain between the current position and an endpoint of the chain. After computation of the given output value, the positions of the helper values are adjusted so as to facilitate computation of subsequent output values.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: December 6, 2016
    Assignee: Crypto Research, LLC
    Inventor: Bjorn Markus Jakobsson
  • Patent number: 9515824
    Abstract: Before establishing a connection between a first device and a second device, the first device determines whether a third device is a trusted or untrusted device. If it is a trusted device, the first device receives from the third device a public key and information indicating the public key of the second device; and, uses the public key by combining its own private key and the public key of the second device to generate a shared secret, and using the shared secret to communicate to the second device. Otherwise, the first device refrains from communications with the third device. Also, the second device combines its private key with the public key of the first device received from the trusted third device to generate the same shared secret, and uses the shared secret to provision the first device to access a secured wireless network provided by the second device.
    Type: Grant
    Filed: October 31, 2013
    Date of Patent: December 6, 2016
    Assignee: Aruba Networks, Inc.
    Inventor: Daniel N Harkins