Abstract: Various examples are directed to systems and methods for exchanging encrypted information. A first computing device may select a first private key and generate a session key based at least in part on the first private key. The first computing device may receive from a second computing device a second public key and generate a first public key based at least in part on: the second public key, a shared secret integer, and the first private key. A second computing device may select a second private key and generate the second public key based at least in part on the second private key; a generator, a first group constant and the shared secret integer.

Abstract: A system may transmit, to a first entity, data to indicate an association between the first entity and a public key, wherein the public key is to be used to establish a cryptographically protected communications session between the first entity and a second entity, receive the data in response to a request to verify the association, and transmit, to the second entity, an indication that the data is valid. The system may be a cryptography service that is partially by the first and second entities. A partially trusted system can a computer system that is trusted in some respects but not trusted in other respects. A partially trusted cryptography service may be trusted to generate digital signatures and verify authenticity of digital signatures, but not trusted with access to a cryptographic key that can be used to access a cryptographically protected communications between a first entity and a second entity.

Abstract: A blockchain includes blocks that each store a hash value computed using a hash function from data of the block. Another hash value is computed for each block using a different hash function, and added to the block within the blockchain. New blocks subsequently added to the blockchain have hash values computed using just the different hash function.

Abstract: Systems, methods, and computer-readable media are provided for mobile-based transaction pre-authorization. One example method comprises receiving, from a device (such as a mobile device), a pre-authorization request including at least selection of a payment method, and generating a pre-authorization for a purchase based on the selected payment method. The method further comprises receiving a transaction request, determining whether the received transaction request is associated with the pre-authorization, and processing the transaction request based on the determination. Systems and computer-readable media implementing the above method are also provided. User interfaces are also provided for enabling the use of such methods, systems, and computer-readable media on, for example, mobile devices.

Abstract: Methods and apparatus are described for facilitating donation of a digital asset from a user to an entity. A mechanism is provided by which the user may designate the digital asset to be donated. The mechanism is configured to receive at least a representation of the digital asset. A type of the digital asset is identified with reference to the received representation of the digital asset. Further processing of the received representation of the digital asset is effected with reference to the type. At least the representation of the digital asset is stored in a repository associated with the entity. A notification is provided to the user that ownership of the digital asset has been transferred to the entity.

Abstract: A method relates to receiving, by a processing device of an authentication server over a public network, an authentication request from a client device, the authentication request comprising a user identifier associated with first factor data, in which the first factor data comprises a password stored in a storage associated with the authentication server, calculating a generator value in view of the first factor data and a second factor data associated with the user identifier, and generating a session key in view of the generator value and a first public key received from the client device.

Abstract: Systems and methods for producing shared secret data are generally described. A first device may receive a public key from a second device. The public key may be based on a first secret element. The first device may generate a first ephemeral private key based on a second secret element, and may generate a second ephemeral private key based on a third secret element. The first device may generate a first element based on the public key and the first ephemeral private key, and may generate a second element based on the public key and the second ephemeral private key. The second element may relate to the shared secret data. The first device may generate a session public key based on the first element, the second secret element, and the third secret element. The shared secret data may be derivable, by the second device, from the session public key.

Abstract: The invention relates to a method for securely exchanging data (5) between a communication device (1) and a server (8) of a service provider (2) via a communication network (3), the communication device (1) enabling at least one user (13) of the communication device (1) to use the services (4) provided by said service provider (2), said method being characterized in that it includes the following steps for exchanging data (5) between the communication device (1) and at least one server (8) of the service provider (2): in order to send the data (5), encrypting at least a portion of the sent data (5) using a physical key (7) which is known to the service provider (2) and which is physically written in a read-only memory of an electronic chip (6) of the communication device (1); and, upon receiving the data (5), decrypting the received data using said physical key (7).

Abstract: A method and apparatus for distributing cryptographic material are disclosed. In the method and apparatus, cryptographic material is obtained and it is determined that the cryptographic material is to be made available for use by one or more computing resources. The cryptographic material is then sent to one or more secure modules, whereby a secure module of the one or more secure modules is programmatically accessible to a computing resource of the one or more computing resources and programmatic access enables the computing resource to request performance of one or more cryptographic operations using the cryptographic material while exporting the cryptographic material to the computing resource is denied.

Abstract: An information processing system that is capable of performing communication at a high security level even when no encryption key having a predetermined or higher encryption strength is stored. An information processing system includes an MFP as an information processing apparatus and a client PC as the other information processing apparatus that is connected to the MFP. The MFP stores encryption keys in a key storage dedicated area of an HDD. When a strong key which is an encryption key difficult to crack is not stored in the key storage dedicated area, the strong key is generated. Communication between the MFP and the client PC is performed using the generated strong key.

Abstract: A system includes a secure processor and an unsecure processor. The secure processor is configured to: split a secure scalar K into m2 random values ki, where i is an integer index; randomly select m1-m2 values ki for the indices m2<i?m1; select m1 mask values ?i; compute m1 residues ci based upon random residues ai, ??(i)?1, and k?(i), wherein ?(i) is a random permutation; compute m1 elliptic curve points Gi based upon random residues ai and an elliptic point to be multiplied; receive m1 elliptic curve points; and compute the elliptic curve scalar multiplication by combining a portion of the received elliptic curve points and removing the mask values ?i from the portion of the received elliptic curve points. The unsecure processor is configured to: receive m1 residues ci and elliptic curve points Gi; compute m1 elliptic curve points Pi based upon the m1 residues ci and elliptic curve points Gi; and send the m1 elliptic curve points Pi to the secure processor.

Abstract: There is provided an authentication server apparatus connected with a terminal device through a network including a storage device configured to store pattern descriptions, wherein characters used for an authentication password for authenticating a user are divided into groups, and the divided characters are associated with IDs of the respective groups in one of the pattern descriptions, a password processing unit configured to generate an authentication code composed of a string of the IDs of the groups and to store it, wherein the authentication code is generated on a pattern description—by —pattern description basis, a screen transmitting unit configured to transmit data of an authentication screen including one of the pattern descriptions to the terminal device, and an authentication unit configured to authenticate the user based on the string of the IDs corresponding to the authentication password and the authentication code corresponding to the pattern description.

Abstract: The present disclosure relates to network security software cooperatively configured on plural nodes to authenticate and authorize devices, applications, users, and data protocol in network communications by exchanging nonpublic identification codes, application identifiers, and data type identifiers via pre-established communication pathways and comparing against pre-established values to provide authorized communication and prevent compromised nodes from spreading malware to other nodes.

Abstract: An ID service provisioned on a server interacts with a corresponding ID app installed on a user device such as a smart phone for secure user authentication (login). A user acquires two asymmetric encryption keys pairs. One of the private keys is secured on SIM on the user device, and the other one stored in the ID app on the user device. At login attempt, the ID service generates two random challenge messages, and encrypts each of them with one of the public keys. Decryption of one challenge is conducted by the SIM and decryption of the other is done by the ID app. A token based on the two decrypted challenge results is returned to the ID service. Alternatively, a single challenge can be double-wrapped with the two keys. The verifies the results and enables secure login without requiring a password.

Abstract: A method and apparatus prevents hacker code from infecting an application program by requiring decryption of the application program prior to running the application program on a computer. The device is preferably a computer system that includes a dongle, or a separate unit that is connected or connectable to the computer. A security program decrypts a first key with a second key stored on the dongle. When a new application is installed the first time on the computer, the security program uses a decrypted first key to encrypt whatever is installed such that the encrypted application program is the only installed version of the application program on any non-transitory computer readable memory accessible by the computer. When a command is given to startup the application program, whatever code is needed for startup is first decrypted using the decrypted first key.

Abstract: A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.

Abstract: As disclosed herein a computer system for secure database backup and recovery in a secure database network has N distributed data nodes. The computer system includes program instructions that include instructions to receive a database backup file, fragment the file using a fragment engine, and associate each fragment with one node, where the fragment is not stored on the associated node. The program instructions further include instructions to encrypt each fragment using a first encryption key, and store, randomly, encrypted fragments on the distributed data nodes. The program instructions further include instructions to retrieve the encrypted fragments, decrypt the encrypted fragments using the first encryption key, re-encrypt the decrypted fragments using a different encryption key, and store, randomly, the re-encrypted fragments on the distributed data nodes. A computer program product and method corresponding to the above computer system are also disclosed herein.

Abstract: Embodiments of an invention for cryptographic key generation using a stored input value and a stored count value have been described. In one embodiment, a processor includes non-volatile storage storing an input value and a count value, and logic to generate a cryptographic key based on the stored input value and the stored count value.

Abstract: Technology is disclosed herein for a timestamped license data structure. In at least one implementation, program instructions stored on one or more computer readable storage media, when executed by a processing system, direct the processing system to at least, responsive to a launch of an application, obtain a license file for the application, the license file comprising a license data structure comprising: a user license; a licensing service signature; a licensing service public key; and a trusted timestamp package. The processing system is also directed to analyze the license data structure using the trusted timestamp package to determine if the licensing service public key was valid when the user license was signed by the licensing service signature if the licensing service public key is invalid. If the licensing service public key was valid when the user license was signed by the licensing service signature: enable features of the application.

Abstract: Systems, methods, architectures, mechanisms or apparatus for using provider equipment based resources such as cloud or data center resources to implement various STB functions entirely at the head end, such as changing channels presented via the STB using PE actions only.

Abstract: In some embodiments, an instance of a distributed database can be configured at a first compute device within a set of compute devices that implements the distributed database via a network. A database convergence module can define a first event linked to a first set of events and receive, from a second compute device from the set of compute devices, a second event (1) defined by the second compute device and (2) linked to a second set of events. The database convergence module can define a third event linked to the first event and the second event. The database convergence module can identify an order associated with a third set of events based at least on the first set of events and the second set of events, and store in the instance of the distributed database the order associated with the third set of events.

Abstract: Embodiments of the invention can establish secure communications using a single non-traceable request message from a first computer and a single non-traceable response message from a second computer. Non-traceability may be provided through the use of blinding factors. The request and response messages can also include signatures that provide for non-repudiation. In addition, the encryption of the request and response message is not based on the static keys pairs, which are used for validation of the signatures. As such, perfect forward secrecy is maintained.

Abstract: Systems and methods are disclosed which use a block chain (“blockchain”) to enable the establishment of file dates and the absence of tampering, even for documents held in secrecy and those stored in uncontrolled environments, but which does not require trusting a timestamping authority or document archival service. A trusted timestamping authority (TTSA) may be used, but even if the TTSA loses credibility or a challenger refuses to acknowledge the validity of a timestamp, a date for an electronic document may still be established. Systems and methods are disclosed which enable detection of file duplication in large collections of documents, which can improve searching for documents within the large collection.

Abstract: A data search method of a first device storing multiple sets of privacy data acquired from multiple persons and multiple reference features corresponding to the multiple sets of privacy data, where the multiple reference features each are expressed by an n-dimensional vector, includes receiving first encrypted features from a second device connected to the first device, generating multiple second converted features by a second conversion of the multiple reference features, generating of multiple second encrypted features by encrypting the multiple second converted features using inner product encryption, acquiring multiple inner product values by performing inner product computation of each of the first encrypted features and the multiple second encrypted features, determining whether or not the first features and the first reference features are similar, and transmitting of first privacy data corresponding to the first reference features out of the multiple sets of privacy data to the second device.

Abstract: Methods and systems for obtaining reconstructing activities of target users in social networks, such as for decoding and displaying social network sessions held by a target user, or identifying other users who are associated with the target user. This analysis is typically carried out based on passive monitoring of network traffic. A social network decoding system constructs and maintains a replica database, which mimics a portion of the user profile database maintained by the social network servers. The social network decoding system monitors network traffic between users and social network servers. Based on the monitored traffic, the system gradually constructs a replica database that attempts to replicate a portion of the social network user profile database, relating to one or more predefined target users. Using the replica database, the system is able to correlate loosely-coupled information objects, events and interactions between the target users and social network pages.

Abstract: This patent describes a method, apparatus and computer program which factor a large integer N0 in a time of the order of p2·logp4 N0, where p denotes a prime.

Abstract: The present invention relates to the field of identity authentication. Provided are a method, device, and system for identity authentication, solving the technical problem that existing identity authentication technologies are incapable of protecting personal privacy, and that authentication technologies comprising personal privacy must provide a traceability feature.

Abstract: A system and method are described in which a document transaction management platform coordinates performance of trust actions across a plurality of trust service providers. For example, a system including one or more processors, working memory, persistent storage device and a network connect executes instructions to evaluate a policy including multiple rules controlling performance of trust actions. The instructions when executed cause the system to perform operations including processing a first transaction request including a first trust action, evaluating the first transaction request to determine a type of the first trust action, selecting, based on applying the policy against the type of the first trust action, a trust provider rule from the plurality of trust provider rules, and facilitating performance of the first trust action according to the selected trust provider rule.

Abstract: The present disclosure relates to secure storage of a detailed set of elements relating to fingerprint features for a finger and to a method for authenticating a candidate fingerprint of a finger using said detailed set of elements, allowing for improved security and user convenience.

Abstract: Authenticating a user is provided. A decryption key corresponding to an authentication account of the user of a client device and authentication credential data obtained from the user of the client device is received during authentication. Encrypted authentication credential data corresponding to the user is decrypted using the received decryption key corresponding to the authentication account of the user. The decrypted authentication credential data is compared with the received authentication credential data to authenticate the user of the client device.

Abstract: A dynamic webpage that displays data in groupings. The groupings are determined by users who score the data as representative of a specific category. The system dynamically rearranges the data and re-renders the webpage in response to receiving different scores for data previously scored.

Abstract: A system and method for securing information associates a party with a node that communicates messages over one or more channels based on a channel access privilege. One or more authorities sign a cryptographic authorization permit (CAP) to authorize the channel access privilege, which can be a write privilege or a read privilege. In one embodiment, the authorization for the channel access privilege is based on a public key issued by an authority and the CAP comprises a cryptographic certificate digitally signed by the authority.

Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Abstract: Processes and systems described herein enable a computing device to detect compromised accounts. The computing device may obtain a user credential including a user ID, and further modify the user ID. The computing device may transmit the modified user ID to a service including a database related to compromised accounts, receive a record corresponding to the modified user ID that includes information of a compromised account, and further determine whether an account of the user ID is compromised based on the received record.

Abstract: A method begins by, for a data access request, a user computing device accessing a plurality of estimated efficiency models of a plurality of dispersed storage (DS) processing units of a dispersed storage network. The method continues by selecting one of the DS processing units from the plurality of DS processing units based on the plurality of estimated efficiency models, a type of request of the data access request, and a randomizing factor to produce a selected DS processing unit. The method continues by sending the data access request to the selected DS processing unit for execution. The method continues by determining an actual processing efficiency of the processing of the data access request by the selected DS processing unit. The method continues by updating the estimated efficiency model of the selected DS processing module based on the actual processing efficiency.

Abstract: A system for authenticating a user and his local device to a secured remote service with symmetrical keys, which utilizes a PIN from the user and a unique random value from the local device in such a way that prevents the remote service from ever learning the user's PIN, or a hash of that PIN. The system also provides mutual authentication, verifying to the user and local device that the correct remote service is being used. At the same time, the system protects against PIN guessing attacks by requiring communication with the said remote service in order to verify if the correct PIN is known. Also, the system works in such a way as to change the random value stored on the user's local device after each authentication session.

Abstract: A method for updating a public key is provided. The method includes: acquiring, by a transmitting-end device, a first hash value calculated based on a first current public key; generating a first update public key and a first update private key; generating an update string such that a hash value of a hash function calculated based at least on the first update public key and the update string is equal to the first hash value; calculating, by a receiving-end device, a second hash value based at least on the first update public key and the update string according to the hash function; and verifying the first update public key by comparing the first hash value and the second hash value.

Abstract: Systems and methods are described for orchestrating a security object, including, for example, defining and storing a plurality of policies in a database coupled to a policy engine and receiving, by the policy engine, the security object and at least one object attribute associated with the security object. In addition, the policy engine determines the acceptability of the security object based, at least in part, on the at least one object attribute and at least one of the plurality of policies corresponding to the at least one object attribute. The security object to at least one communication device associated with the policy engine is distributed when the security object is determined to be acceptable. The at least one communication device establishes communication based, at least in part, on the security object.

Abstract: A method and system are provided for securing telecommunications traffic data. A method is provided for transmitting messages via a telecommunications network between a number of subscribers by means of a telecommunications service, wherein the telecommunications service receives at least one first message of individual first size from at least one first subscriber to the telecommunications service that is intended for at least one second subscriber of the telecommunications service. In reaction to receiving a message, the telecommunications service sends at least one second message to the at least one second subscriber, wherein the at least one second message obtains a second size. The first size cannot be conclusively deduced from the second size.

Abstract: Clients within a computing environment may establish a secure communication session. Sometimes, a client may trust another client to read, but not modify, a message. Clients may utilize a cryptography service to generate a message protected against improper modification. Clients may utilize a cryptography service to verify whether a protected message has been improperly modified.

Abstract: The present disclosure relates to devices and device configurations. In one embodiment, a process for providing application discovery and trial includes presenting a widget element on a display of the device, wherein the widget element includes graphical elements for a plurality of trial applications, and detecting a selection of one of the trial applications in the widget element. The process also includes updating the display to present a selected trial application based on the selection, wherein presentation of the selected trial application includes display of an overlay element, detecting a selection of the overlay element, and presenting a trial application control window based on the selection of the overlay element, the trial application control window including graphical elements for one or more of terminating, continuing and conversion of the selected trial application.

Abstract: An identity authentication method is provided.

Abstract: Methods and systems for enabling sizing of storage array resources are provided. Resources of a storage array can include, for example, cache, memory, SSD cache, central processing unit (CPU), storage capacity, number of hard disk drives (HDD), etc. Generally, methods and systems are provided that enable efficient predictability of sizing needs for said storage resources using historical storage array use and configuration metadata, which is gathered over time from an install base of storage arrays. This metadata is processed to produce models that are used to predict resource sizing needs to be implemented in storage arrays with certainty that takes into account customer-to-customer needs and variability. The efficiency in which the sizing assessment is made further provides significant value because it enables streamlining and acceleration of the provisioning process for storage arrays.

Abstract: An organizational signature authority delegates signature authority to one or more subordinate signature authorities by rolling up public keys from the subordinate signature authorities into a public key for the organization. A subordinate signature authority of the organizational signature authority generates cryptographic keys for use by the subordinate signature authority, and cryptographically derives a public key for the subordinate signature authority based at least in part on the cryptographic keys. In some examples, the subordinate signature authority acquires public keys from a lower subordinate signature authority, and the public key of the subordinate signature authority is cryptographically derived in part from the public key of the lower subordinate signature authority. The public key of the subordinate signature authority is provided to the organizational signature authority.

Abstract: A method of protecting a modular exponentiation calculation executed by an electronic circuit using a first register and a second register, successively comprising, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of said other one of the registers is stored in a third register before the first step and is restored in said other one of the registers before the second step.

Abstract: Techniques to secure computation data in a computing environment from untrusted code. These techniques involve an isolated environment within the computing environment and an application programming interface (API) component to execute a key exchange protocol that ensures data integrity and data confidentiality for data communicated out of the isolated environment. The isolated environment includes an isolated memory region to store a code package. The key exchange protocol further involves a verification process for the code package stored in the isolated environment to determine whether the one or more exchanged encryption keys have been compromised. If the signature successfully authenticates the one or more keys, a secure communication channel is established to the isolated environment and access to the code package's functionality is enabled. Other embodiments are described and claimed.

Abstract: The present invention relates to methods for verifying the integrity of data blocks and for accessing the blocks and relates more particularly to a method for verifying the integrity of a digital data block, the method comprising steps of: searching for a digital fingerprint in a data block of a reference point, calculating a digital fingerprint by applying a fingerprint calculation function to the data block, the fingerprint calculated having a value which depends on each of the bits of the data block excluding the bits of a fingerprint found in the data block, and verifying the fingerprint found in the data block by comparing it with the fingerprint calculated.

Abstract: A method, computer readable medium, and system are disclosed for error coping. The method includes the steps of receiving, by a processing unit, a set of program instructions including a first program instruction that is responsive to error detection, detecting an error in a value of a first operand of the first program instruction, and determining that error coping execution is selectively enabled for the first instruction. The value for the first operand is replaced with a substitute value and the first program instruction is executed by the processing unit.

Abstract: A method of verifying the sensitivity of an electronic circuit executing a modular exponentiation calculation in a first register and a second register, successively including, for each bit of the exponent: a first step of multiplying the content of one of the registers, selected from among the first register and the second register according to the state of the bit of the exponent, by the content of the other one of the first and second registers, placing the result in said one of the registers; a second step of squaring the content of said other one of the registers by placing the result in this other register, wherein the content of that of the first and second registers which contains the multiplier of the operation of the first step is disturbed, for each bit of the exponent, during the execution of the first step.

Abstract: An embodiment includes an electronic device, comprising: a control intellectual property (IP) including a plurality of first special function registers (SFRs); a basic operation IP including a plurality of second SFRs and coupled to the control IP through a first path and a second path; and a random number generator configured to generate a random signal; wherein the control IP is configured to: select one of the first path and the second path based on the random signal; and set the second SFRs using the selected path.