Public Key Patents (Class 380/30)
  • Patent number: 10042818
    Abstract: Mechanisms for tracking an entity are provided. A time is determined by a sensor having a clock, the time being within a time slot in a series of time slots. First data of the time slot is provided and shared between a plurality of sensors. The sensor receives data from the movable entity. The sensor calculates identifying data from the received data for identifying the entity. Derivative identifying data is calculated by applying a modifying function using the provided first data for modifying the identifying data. The sensor calculates a hash value by taking the derivative identifying data as input. The sensor sends a message to a central server for determining the position of the entity, the message comprising the hash value and an identifier of the sensor.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: August 7, 2018
    Assignee: International Business Machines Corporation
    Inventors: Gherardo Albano, Dario De Judicibus
  • Patent number: 10038667
    Abstract: In a preferred aspect of the present invention there is disclosed a method of authentication and over-the-air (OTA) registration of a new user without a subscriber identity module (SIM) card, comprising the steps of transmitting a set of first time registration parameters to a selected service provider by a user device. In response the user device receives a notification to initiate a captive environment for the new user registration. The service provider is provided with a set of temporary session parameters and a temporary key which then validates a set of registration parameters provided by the user. Subsequently storing, at the user device, a set of permanent user profile parameters in a user profile module.
    Type: Grant
    Filed: November 8, 2016
    Date of Patent: July 31, 2018
    Assignee: Infosys Limited
    Inventors: Amit Taneja, Peeyush Singhal
  • Patent number: 10037286
    Abstract: Systems and methods for controlling access to a private partition on a storage device are disclosed. An example system includes a token reader that detects a hardware token storing a private key and obtains the private key stored on the hardware token. The system also includes a partition controller that determines whether the private key unlocks a private partition on a storage device. In response to determining that the private key unlocks the private partition, the partition controller unlocks the private partition on the storage device. The private partition is invisible to an operating system executing in the computer system when the private partition is locked.
    Type: Grant
    Filed: August 26, 2014
    Date of Patent: July 31, 2018
    Assignee: Red Hat, Inc.
    Inventors: Martin Vecera, Jiri Pechanec
  • Patent number: 10033720
    Abstract: A method for creating a certificate to authenticate a user identity at a web browser includes receiving a login request including a first user identity for a user and generating a first browser-signed certificate using public and secret keys associating the first user identity to the web browser. The first browser-signed certificate is sent to a first identity provider server and in response a first server-signed certificate is received from the first identity provider server. The first server-signed certificate associates the first user identity to the first identity provider server. A final certificate is generated by merging the first browser-signed certificate with the first server-signed certificate.
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: July 24, 2018
    Assignee: FUTUREWEI TECHNOLOGIES, INC.
    Inventors: Li Li, Tao Cai, Wu Chou
  • Patent number: 10033708
    Abstract: A server module evaluates a circuit based on concealed inputs provided by respective participant modules, to provide a concealed output. By virtue of this approach, no party to the transaction (including the server module) discovers any other party's non-concealed inputs. In a first implementation, the server module evaluates a garbled Boolean circuit. This implementation also uses a three-way oblivious transfer technique to provide a concealed input from one of the participant modules to the server module. In a second implementation, the server module evaluates an arithmetic circuit based on ciphertexts that have been produced using a fully homomorphic encryption technique. This implementation modifies multiplication operations that are performed in the evaluation of the arithmetic circuit by a modifier factor; this removes bounds placed on the number of the multiplication operations that can be performed.
    Type: Grant
    Filed: October 31, 2016
    Date of Patent: July 24, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mariana Raykova, Seny F. Kamara
  • Patent number: 10032157
    Abstract: A method and system for payments for mobile phone payments with a disabling feature is disclosed. The method includes activating a mobile phone containing contactless payment systems, and having a timeout feature disable the contactless payment systems after a set period of time.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: July 24, 2018
    Assignee: Visa U.S.A. Inc.
    Inventors: Gavin Shenker, David Wentker, Douglas Deibert, Erick Wong
  • Patent number: 10021592
    Abstract: A rate lowering technique for the baseband sample signals to lower the transmission rate between remote radio units and the cloud in cloud RAN architecture. The connection between cloud and remote radios is Ethernet and truncation and decimation is used to lower the transmission rate between these two components in LTE networks.
    Type: Grant
    Filed: May 24, 2016
    Date of Patent: July 10, 2018
    Inventor: Kiomars Anvari
  • Patent number: 10019770
    Abstract: A system and method for generating and transmitting data without personally identifiable information. The method may include receiving a set of one or more unique identifiers (IDs) and a first set of data associated with a subscriber. The method may send the IDs to a third party provider of datasets. The method may receive a second set of data associated with the subscriber identified using the unique IDs. The method may generate aggregated viewing data based on the first and second sets of data. The set of unique IDs may be based on a one-way hash of personally identifiable information associated with the subscriber. In this way, the unique IDs may be appended with the data from third party providers so additional information regarding the household is available to clients, but the personally identifiable information is unavailable to any of the parties.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: July 10, 2018
    Assignee: FOURTHWALL MEDIA, INC.
    Inventors: William Feininger, Eric H. Davis
  • Patent number: 10020019
    Abstract: An information processing device includes: a data processing unit that executes a process of reproducing content recorded in a medium; and a memory storing a content revocation list in which an identifier (ID) of revoked content is recorded, wherein the data processing unit compares a minimum allowable version of a content revocation list recorded in a token which is management data corresponding to content recorded in the medium with a version of a content revocation list acquired from the memory, and when the version of the content revocation list acquired from the memory is an old version lower than the minimum allowable version of the content revocation list recorded in the token, the data processing unit halts determination on revocation of content based on the content revocation list acquired from the memory and reproduction of content.
    Type: Grant
    Filed: June 2, 2011
    Date of Patent: July 10, 2018
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Koji Yoshimura, Hiroshi Kuno, Takamichi Hayashi, Munetake Ebihara
  • Patent number: 10015149
    Abstract: A system for supply of data, including generating a first digital certificate referred (empowerment certificate) signed with a first signing entity's electronic signature. The empowerment certificate includes attributes of the described entity, information identifying the first signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate. The data may be supplied to the relying entity by a second digital certificate (custom certificate), signed with a second signing entity's electronic signature. Custom certificates may appear in custom certificate revocation lists. A system and method for transfer of ownership of electronic property from a first entity to a second entity, and a method and system for electronic voting are also provided.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: July 3, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peter Roy Dare, John Owlett, Imran Faiz Tyabji
  • Patent number: 10013728
    Abstract: A backup account recovery authentication of last resort using social authentication is described. The account holder requests trustees who have been previously identified to obtain an account recovery code. The account recovery system sends a communication to the trustee for information to verify the trustee as one of the previously identified trustees. The account recovery system then may transmit a link and code with instructions for the trustee to return the link. The account recovery system then transmits a situational query to the trustee to provide additional security. Finally, if all the communications have been completed for the required level of security, the account recovery code is transmitted to the trustee. The trustee sends the account recovery code to the account holder for access to an account.
    Type: Grant
    Filed: July 8, 2014
    Date of Patent: July 3, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stuart Schechter, Robert Wilson Reeder
  • Patent number: 10013399
    Abstract: Multimedia content is featured on user pages of an online social network using embed codes that are generated using a configuration file associated with the source ID for the multimedia content and a content ID for the multimedia content. The configuration file, the source ID and the content ID are stored locally by the online social network so that any changes to the embed codes can be made by changing the configuration file associated with the source and regenerating the embed codes. By managing multimedia content in this manner, greater control can be exercised by the online social network over the multimedia content that are featured on its user pages.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: July 3, 2018
    Assignee: Facebook, Inc.
    Inventors: William K. Tiu, Jr., Jeffrey J. Roberto
  • Patent number: 10007913
    Abstract: Logic on a first remote device causes the capture of personal data identifying a user from an identification card. The logic generates a hash value from the personal data using a hashing algorithm and signs the hash value with a digital signature created using a private key paired with a public key. The logic transmits, over a network, the signed hash value and the public key from the remote device to a distributed public database for storage. The logic receives, over the network, a transaction number from the distributed public database. The logic then transmits the transaction number and the personal data to a second remote device. Logic on the second remote device verifies that the hash value in the signed hash value is the same as a generated hash value and verifies that the signed hash value was signed with the private key.
    Type: Grant
    Filed: May 4, 2016
    Date of Patent: June 26, 2018
    Assignee: ShoCard, Inc.
    Inventor: Armin Ebrahimi
  • Patent number: 10003466
    Abstract: Data is split into a set of data packets and transmitted between a client computer system and a network service via a packet-switched network. The client computer system identifies a role, permission, group, or other credential that is associated with the data packets, and attaches a credential identifier such as a digital signature to the packets before they are transmitted over the network. A network service receives the data packets, and is configured to filter or route the data packets to a recipient using the attached credential identifier. The network service can adjust the filtering or routing process to occur within a data link, network, transport, or application layer. In some examples, the filtering or routing is provided from within a hypervisor.
    Type: Grant
    Filed: September 15, 2015
    Date of Patent: June 19, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Kevin Christopher Miller, Colm Gearóid MacCárthaigh
  • Patent number: 10003583
    Abstract: A method for supply of data, including generating a first digital certificate referred (empowerment certificate) signed with a first signing entity's electronic signature. The empowerment certificate includes attributes of the described entity, information identifying the first signing entity, indication of data relating to the described entity, indication of a source of the data, and identification of a relying entity to which the data can be supplied. The relying entity forwards the empowerment certificate to a source supplying the data indicated in the empowerment certificate. The data may be supplied to the relying entity by a second digital certificate (custom certificate), signed with a second signing entity's electronic signature. Custom certificates may appear in custom certificate revocation lists. A system and method for transfer of ownership of electronic property from a first entity to a second entity, and a method and system for electronic voting are also provided.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: June 19, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peter R. Dare, John Owlett, Imran F. Tyabji
  • Patent number: 9990957
    Abstract: The present invention comprises an input part for inputting image data, a receiving part for receiving production information relating to production transmitted from another apparatus, a recording part for recording the production information received by the receiving part and image data input by the input part, a detection part for detecting a recording position on a recording medium at an editing point of image data recorded by the recording part, and a transmission part for transmitting information of the recording position detected by the detection part, whereby identification information for identifying image data and voice data is recorded in a recording medium or a recording device, this relieving a burden on a photographer and an editor and facilitating extraction of image data and voice data.
    Type: Grant
    Filed: August 18, 2017
    Date of Patent: June 5, 2018
    Assignee: SONY CORPORATION
    Inventor: Noboru Yanagita
  • Patent number: 9992016
    Abstract: Generation of a message m of order ?(n) for a test of the integrity of the generation of a pair of cryptographic keys within the multiplicative group of integers modulo n=p·q, including: —key pair generation including, to generate p and q: a random selection of candidate integers; and a primality test; —a first search of the multiplicative group of integers modulo p for a generator a; —a second search of the multiplicative group of integers modulo q for a generator b; —a third search for a number y, as message m, verifying: 1???n?1, where ?=a mod p and ?=b mod q, the first or second search being performed during the primality test.
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: June 5, 2018
    Assignee: IDEMIA FRANCE
    Inventors: Alberto Battistello, Christophe Giraud, Guillaume Dabosville, Laurie Genelle
  • Patent number: 9985936
    Abstract: A system and a computer program product are disclosed. The system is configured to generate a digital empowerment certificate of a voter. The digital empowerment certificate includes an indication of identification data that uniquely identifies the voter to the authentication body, references to sources for the identification data or the identification data itself, and an indication of a voting key. The system is further configured to sign the digital empowerment certificate with an electronic signature of the voter. Moreover, the system is configured to generate a voting message including a vote of the voter. In addition, the system is configured to generate a signature block combining the digital empowerment certificate and the voting message. Furthermore, the system is configured to send the encrypted digital empowerment certificate, the encrypted voting message, and the signature block to the authentication body.
    Type: Grant
    Filed: February 6, 2014
    Date of Patent: May 29, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peter Roy Dare, John Owlett, Imran F. Tyabji
  • Patent number: 9979725
    Abstract: A system for two-way authentication using two-dimensional codes is provided. The system includes a memory and a processor coupled to the memory. The processor is to generate a two-dimensional code to be used by a user of a mobile device for accessing a remote resource. The processor is to generate the code in response to a request from the remote resource for the code. The processor is further to receive an authentication request from the mobile device to authenticate the remote resource. The authentication request includes information obtained from the two-dimensional code, the information including an authentication request identifier. The processor is also to compare the authentication request identifier to an expected value to create an authentication indication and to transmit the authentication indication and an authentication credential to the mobile device to authenticate the user to the remote resource.
    Type: Grant
    Filed: April 14, 2014
    Date of Patent: May 22, 2018
    Assignee: Symantec Corporation
    Inventors: Quentin Liu, William Gauvin, Robert Walters
  • Patent number: 9960915
    Abstract: A method of performing cross-authentication in a vehicle controller interworking with an external device includes: generating a random number S and transmitting the random number S to the external device according to an authentication request message received from the external device; generating a variable i using a first function having the random number S as a parameter; generating a first session key Ks using a second function having the variable i and a pre-stored secret key K as parameters; receiving a first response key from the external device; generating a second response key using a third function having the random number S, the variable i and the first session key Ks as parameters; and authenticating the external device based on whether the first response key is equal to the second response key.
    Type: Grant
    Filed: July 2, 2015
    Date of Patent: May 1, 2018
    Assignees: Hyundai Motor Company, Kia Motor Corporation, Industry-Academic Cooperation Foundation, Chosun University, SNU R&DB Foundation
    Inventors: Hyun Soo Ahn, Ho Jin Jung, Jun Young Woo, Ho Youn Kim, Kang Seok Lee, Jong Yoon Yoon, Jong Seon No, Young Sik Kim
  • Patent number: 9961053
    Abstract: Disclosed are systems, methods, and non-transitory computer-readable storage media for detecting compromised credentials. In some implementations, a content management system can receive information identifying compromised login credentials (e.g., account identifier, password, etc.) from a third party server. The login credentials can be represented by a first hash value generated using a hashing algorithm. When a user logs in to the content management system the user can provide the user's account identifier and password for the content management system. The content management system can generate a second hash value from the user-supplied password using the same hashing algorithm used for the compromised login credentials. The content management system can determine whether the second hash value matches the first hash value and prompt the user to provide a new password for the user's content management system account when the second hash value matches the first hash value.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: May 1, 2018
    Assignee: DROPBOX, INC.
    Inventors: Kapil Yedidi, Anton Mityagin, Sean Byrne
  • Patent number: 9960919
    Abstract: A method of securing data, the method comprising: dividing a secret key into a plurality of secret key shares; storing each of the plurality of secret key shares in a different server of a plurality of servers so that none of the servers has access to the secret key and to the secret key share stored in another of the servers; using a server of the plurality of servers to execute a secure computation protocol to determine a value of a function responsive to all of the plurality of secret key shares without providing any of the plurality of servers with access to the secret key and to the secret key share stored in another of the servers; and using the calculated value of the function to secure the data.
    Type: Grant
    Filed: January 8, 2014
    Date of Patent: May 1, 2018
    Assignee: BAR-ILAN UNIVERSITY
    Inventor: Yehuda Lindell
  • Patent number: 9954851
    Abstract: A method for controlling access security at a vehicle gateway of a vehicle including at least one control unit in communication with the vehicle gateway includes: receiving a certificate from a diagnosis device; recognizing a rating of the certificate; and performing at least one of an integrity checking process and a security key authorization process according to the rating of the certificate to determine whether the diagnosis device is allowed to access to the vehicle.
    Type: Grant
    Filed: December 9, 2015
    Date of Patent: April 24, 2018
    Assignee: Hyundai Motor Company
    Inventors: Hyun Soo Ahn, A Ram Cho, Ho Jin Jung
  • Patent number: 9953310
    Abstract: Methods and systems are disclosed for providing a plurality of virtual secure elements (virtual SEs) to mobile devices with secure elements (SEs). A method generates and forwards a certificate authority security domain (CASD) key for a plurality of virtual SEs to an SE supplier that created the CASD. The method receives a card serial number (CSN) and a card production life cycle (CPLC) key from the SE supplier and forwards these to a mobile device maker. An updated CSN and CPLC data is received from the device maker with an International Mobile Equipment Identity (IMEI) and an issuer security domain key (ISD key) is added to the CSN and CPLC data by a master secure element issuer trusted service manager (master SEI TSM). An application is provisioned to the device that retrieves the CSN, CPLC data, and the IMEI, which are used to verify and activate the virtual SE.
    Type: Grant
    Filed: March 12, 2013
    Date of Patent: April 24, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Theresa L. Smith
  • Patent number: 9940627
    Abstract: A system and a method for using a portable consumer device such as a mobile phone are disclosed. In one embodiment, a method according to the present invention comprises referencing data regarding an individual consumer stored as part of a payment processing network to generate an electronic coupon targeted to the individual consumer. The electronic coupon is transmitted to a mobile device of the individual consumer over a communications network, and a purchase transaction utilizing the electronic coupon is processed over the payment processing network. In certain embodiments, the electronic coupon may be generated based upon temporal and/or geographic information of a prior purchase transaction conducted using the payment processing network.
    Type: Grant
    Filed: December 19, 2007
    Date of Patent: April 10, 2018
    Assignee: Visa U.S.A. Inc.
    Inventors: Mark Carlson, Peter Ciurea
  • Patent number: 9942040
    Abstract: In a general aspect, a parameter is refreshed in a lattice-based cryptography system. In some aspects, a first value of a public parameter is obtained. The first value of the public parameter may have been previously used in an execution of a lattice-based cryptography protocol. A second value of the public parameter is generated based on the first value of the public parameter and random information. The second value of the public parameter is used in an execution of the lattice-based cryptography protocol.
    Type: Grant
    Filed: April 27, 2017
    Date of Patent: April 10, 2018
    Assignee: ISARA Corporation
    Inventor: Kassem Kalach
  • Patent number: 9935768
    Abstract: A system on chip includes a central processing unit and a key manager coupled to the central processing unit. The key manager includes a random number generator configured to generate a key and a key memory configured to store the key and a user setting value associated with the key.
    Type: Grant
    Filed: April 11, 2014
    Date of Patent: April 3, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Hyesoo Lee, Jaechul Park, Yun-Ho Youm, Kyungae Kim, TongPyo Hong
  • Patent number: 9930121
    Abstract: In one embodiment, a method includes establishing a first session between a first computing device and a second computing device, when the first computing device does not have connectivity to a credential manager; proxying a request to the credential manager from the second computing device on behalf of the first computing device and receiving in the second computing device a first keyless ticket encrypted to the first device and a second keyless ticket encrypted to the second device; providing the second keyless ticket from the second computing device to the first computing device; and enabling communication between the first and second computing devices according to the first and second keyless tickets. Other embodiments are described and claimed.
    Type: Grant
    Filed: December 23, 2015
    Date of Patent: March 27, 2018
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Mats G. Agerstam, Nathan Heldt-Sheller
  • Patent number: 9930041
    Abstract: Methods, systems, and devices are described for the prevention of network peripheral takeover activity. Peripheral devices may implement an anti-takeover mechanism limiting the number of available device command classes when certain handshake and verification requirements are not met. Anti-takeover peripheral devices with protection enabled may be relocated within a controller network, or in certain cases, from one controller network to another controller network when certain conditions are met. That same device may be hobbled when removed from a controller network and may remain hobbled when connected to another network that fails to meet certain conditions. Unprotection and unhobbling of a device may occur through an algorithmic mechanism using values stored on the peripheral device and the controller device for one or more of anti-takeover code generation, anti-takeover code comparison, network identification value comparison, and manufacturer identification value comparison.
    Type: Grant
    Filed: November 18, 2016
    Date of Patent: March 27, 2018
    Assignee: Vivint, Inc.
    Inventor: Jeremy B. Warren
  • Patent number: 9923718
    Abstract: In one aspect, a method comprises the steps of deriving a base point on an elliptic curve in a first processing device, generating authentication information in the first processing device utilizing the base point and a private key of the first processing device, and transmitting the authentication information from the first processing device to a second processing device. The base point on the elliptic curve may be derived, for example, by applying a one-way function to a current time value, or by computation based on a message to be signed.
    Type: Grant
    Filed: August 7, 2013
    Date of Patent: March 20, 2018
    Assignee: EMC IP Holding Company LLC
    Inventors: Daniel Vernon Bailey, John G. Brainard, Ari Juels, Burton S. Kaliski, Jr.
  • Patent number: 9923923
    Abstract: Cipher suites and/or other parameters for cryptographic protection of communications are dynamically selected to more closely match the intended uses of the sessions. A server selects and/or determines, for a cryptographically protected communications session, a plurality of supported cipher suites that may be used for communications with the server over an established protected communications session. A selected cipher suite may be a cipher suite that is selected from a plurality of acceptable cipher suites provided to the server, either implicitly or explicitly. The selection of a cipher suite may further require that the cipher suite be mutually acceptable to the server and one or more parties participating in the cryptographically protected communications session such as a client.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: March 20, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Nima Sharifi Mehr, Darren Ernest Canavor, Jesper Mikael Johansson, Jon Arron McClintock, Gregory Branchek Roth
  • Patent number: 9912486
    Abstract: A digital certificate for an entity is issued and signed by a certificate authority. One or more countersigning entities are identified in an extension to the digital certificate. Each countersigning entity adds a countersignature to the digital certificate using a private cryptographic key maintained by each countersigning entity. A client that receives the digital certificate validates the digital certificate by in part validating the digital signature of the issuing certificate authority and validating the digital signatures of the countersigning entities. In determining whether the digital certificate is valid, the client may consider the geographic regions, legal jurisdictions, and identity verification processes of the certificate authority and of the countersigning entities. In some examples, the client requires that the issuing certificate authority and the countersigning entities represent a minimum amount of geographic and jurisdictional diversity.
    Type: Grant
    Filed: August 27, 2015
    Date of Patent: March 6, 2018
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 9912479
    Abstract: In a general aspect, a key encapsulation mechanism is used in a communication network. In some aspects, an error vector derivation function is applied to a random value to produce an error vector, and a plaintext value is obtained based on the random value. The error vector and the plaintext value are used in an encryption function to produce a ciphertext, and a key derivation function (KDF) is applied to the random value to produce a key derivation function output that includes a symmetric key and a confirmation value. The symmetric key is used to generate an encrypted message based on an unencrypted message. The ciphertext, the confirmation value, and the encrypted message are provided for transmission in a communication network.
    Type: Grant
    Filed: June 9, 2017
    Date of Patent: March 6, 2018
    Assignee: ISARA Corporation
    Inventor: Atsushi Yamada
  • Patent number: 9906368
    Abstract: Various embodiments relate to a method of encoding data and related device and non-transitory machine readable storage medium, the method including: determining a set of digits, X, representative of a value to be encoded; determining a set of factor values, S, to be used in generating an encoded value, wherein the set of factor values, S, is a set of input value factors for a modular exponentiated digital signature process; for a given digit, x, of the set of digits, X, determining at least one factor value, s, of the set of factor values, S, corresponding to the given digit, x; and including the at least one factor value, s, in an encoded value.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: February 27, 2018
    Assignee: NXP B.V.
    Inventors: Joppe Bos, Michaël Peeters
  • Patent number: 9906364
    Abstract: The systems, methods and apparatuses described herein provide a computing environment for authenticating a user. An apparatus according to the present disclosure may comprise a non-volatile storage, a user interface, and a password engine. The password engine is configured to retrieve two or more predetermined prompts from the non-volatile storage, present the two or more predetermined prompts on the user interface to a user in a random order, receive a first set of input(s) in response to the two or more predetermined prompts, create an encryption keyword from the received first set of input(s) according to an original order of the two or more predetermined prompts stored in the non-volatile storage, and use the encryption keyword to authenticate the user.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: February 27, 2018
    Assignee: OLogN Technologies AG
    Inventor: Sergey Ignatchenko
  • Patent number: 9893885
    Abstract: A computing device has a processor and a persistent memory, e.g., a fuse-based memory, storing two or more reduced sets of information. The processor is configured to derive a first cryptographic key using a first reduced set of information, e.g., prime numbers, and to use the first cryptographic key for performing cryptographic operations. The processor is also configured to detect a trigger event and, in response to the detected trigger event, derive a second cryptographic key using a second reduced set of information. The processor can then use the second cryptographic key for performing cryptographic operations.
    Type: Grant
    Filed: March 13, 2015
    Date of Patent: February 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Derek Del Miller, Nachiketh Rao Potlapally
  • Patent number: 9893887
    Abstract: A dynamic licensing method, implemented in an integrated system, includes, responsive to an end user requesting a third-party application through the integrated system; determining a license key, for the third-party application, in the integrated system using a public key associated with the integrated system; receiving an encrypted validation result from a system associated with the third-party application that validates the license key using a private key and software provided with the integrated system, wherein the system returns the encrypted validation results to the third-party application which provides the encrypted validation results to the integrated system; and decrypting the encrypted validation results using previously allocated session key and determining whether to run the third-party application based on the validation results.
    Type: Grant
    Filed: January 19, 2016
    Date of Patent: February 13, 2018
    Assignee: Ciena Corporation
    Inventors: Randy Jones, Phuong Van Nguyen, Peter Ciolfi, Kevin Andrew Meek, Khenaidoo Nursimulu, Hesam Aldin Rahimi Koopayi, Sen Wang, Stéphane Luc Barbarie
  • Patent number: 9893898
    Abstract: One of the various aspects of the invention is related to suggesting various techniques for improving the tamper-resistibility of hardware. The tamper-resistant hardware may be advantageously used in a transaction system that provides the off-line transaction protocol. Amongst these techniques for improving the tamper-resistibility are trusted bootstrapping by means of secure software entity modules, a new use of hardware providing a Physical Unclonable Function, and the use of a configuration fingerprint of an FPGA used within the tamper-resistant hardware.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: February 13, 2018
    Assignee: Emsycon GmbH
    Inventor: Heinz Kreft
  • Patent number: 9893892
    Abstract: This invention provides a simple and secure PIN unblock mechanism for use with a security token. A set of one or more passphrases are stored on a remote server during personalization. Likewise, the answers to the passphrases are hashed and stored inside the security token for future comparison. A local client program provides the user input and display dialogs and ensures a secure communications channel is provided before passphrases are retrieved from the remote server. Retrieval of passphrases and an administrative unblock secret from the remote server are accomplished using a unique identifier associated with the security token, typically the token's serial number. A PIN unblock applet provides the administrative mechanism to unblock the security token upon receipt of an administrative unblock shared secret. The remote server releases the administrative unblock shared secret only after a non-forgeable confirmatory message is received from the security token that the user has been properly authenticated.
    Type: Grant
    Filed: December 16, 2016
    Date of Patent: February 13, 2018
    Assignee: Assa Abloy AB
    Inventor: Mark Herbert Priebatsch
  • Patent number: 9894056
    Abstract: The risk of leakage of secret information caused by leakage of a secret key is reduced. A segmented secret-key storage system segments a secret key SK into segments that can be combined at the time of decryption or at the time of generation of a signature and records the secret-key segments sk1, ..., skN in segment storage apparatuses. The secret-key segments are changed, periodically or under a predetermined condition, to another set of secret-key segments that satisfies a condition for combination. In the segmented secret-key storage system, the secret key SK is not revealed unless the secret-key segments are stolen from all the segment storage apparatuses in an interval between changes made to the secret-key segments. Accordingly, the risk of leakage can be greatly reduced in comparison with the risk of leakage of the secret key from a single apparatus.
    Type: Grant
    Filed: January 16, 2014
    Date of Patent: February 13, 2018
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Tetsutaro Kobayashi, Go Yamamoto, Reo Yoshida
  • Patent number: 9892267
    Abstract: In an embodiment, a system is provided in which the private key is managed in hardware and is not visible to software. The system may provide hardware support for public key generation, digital signature generation, encryption/decryption, and large random prime number generation without revealing the private key to software. The private key may thus be more secure than software-based versions. In an embodiment, the private key and the hardware that has access to the private key may be integrated onto the same semiconductor substrate as an integrated circuit (e.g. a system on a chip (SOC)). The private key may not be available outside of the integrated circuit, and thus a nefarious third party faces high hurdles in attempting to obtain the private key.
    Type: Grant
    Filed: December 8, 2016
    Date of Patent: February 13, 2018
    Assignee: Apple Inc.
    Inventors: Timothy R. Paaske, Mitchell D. Adler, Conrad Sauerwald, Fabrice L. Gautier, Shu-Yi Yu
  • Patent number: 9888002
    Abstract: Described embodiments provide managing data collected from machine-to-machine (M2M) devices. A plurality of M2M devices may be grouped based on a common interest and the same group authorization key may be assigned to M2M devices in the same device group. A data collecting terminal having a group authorization key may be allowed to collect data in M2M devices when the M2M devices have the same group authorization key.
    Type: Grant
    Filed: February 27, 2014
    Date of Patent: February 6, 2018
    Assignee: KT CORPORATION
    Inventors: Yeon-Joo Son, Myung-Eun Kwon, Yong-Joo Park, Ki-Hwan Ahn, Young-Bin Cho
  • Patent number: 9888377
    Abstract: Ongoing analytics streams are received over time from mobile computing devices. An analytics stream comprises data corresponding to monitored activity that occurred on the originating mobile computing device. Dynamic, personalized knowledge based authentication questions are generated from analytics stream data. In response to an authentication request from a user, the user is prompted to answer a given number of current dynamic, personalized knowledge based authentication questions.
    Type: Grant
    Filed: May 25, 2016
    Date of Patent: February 6, 2018
    Assignee: Symantec Corporation
    Inventors: Bruce McCorkendale, Ilya Sokolov, Kevin Jiang
  • Patent number: 9882727
    Abstract: Certificates issued by a CA are distributed across multiple CRLs. Each certificate issued by the CA is assigned to a specific CRL, and the address of that CRL is written to the appropriate field of the certificate, such that an authenticating application can subsequently determine if the certificate is revoked. When the CA revokes a specific one of the issued certificates, it determines to which CRL the revoked certificate is assigned, and updates the specific CRL accordingly. In some embodiments, a single one of the multiple CRLs is active for assignment of certificates at any given time, and each certificate issued by the CA is assigned to the currently active CRL. In other embodiments, assignments of issued certificates are distributed between different ones of a pre-determined number of multiple CRLs by applying a statistical distribution formula to each issued certificate to determine a corresponding target CRL.
    Type: Grant
    Filed: October 2, 2015
    Date of Patent: January 30, 2018
    Assignee: DigiCert, Inc.
    Inventors: Hari Veladanda, Hoa Ly, Ning Chai
  • Patent number: 9882893
    Abstract: An industrial process/safety control and automation system is provided. The system includes a user interface device and an industrial device/controller. The user interface device is configured to activate a password set function. The user interface device is also configured to receive a password for transmission to the industrial device/controller. The industrial device/controller is configured to receive the password from the user interface device. The industrial device/controller is also configured to detect a performance of a physical password replacement authentication procedure. The industrial device/controller is further configured to replace a current password with the received password in response to performing the physical password replacement authentication procedure.
    Type: Grant
    Filed: November 11, 2015
    Date of Patent: January 30, 2018
    Assignee: Honeywell International Inc.
    Inventors: Nagaraja Sundaresh, Ram Mohan Anugu, Michael D. Carney, Rajinikanth Pusala, Durgaprasad Vallamkonda
  • Patent number: 9881182
    Abstract: A method may be executed by a secure processor having secure cryptography hardware implemented thereon. The method may be executed in a security kernel of a secure on-chip non-volatile (NV) memory coupled to the secure processor. The method may include: storing a rewritable state and a device private key based at least in part on a programmed secret seed and the rewritable state, the device private key being part of a cryptographic key pair comprising a public key associated with the device private key, and the rewritable state being a state of a secure application encrypted with the public key; providing one or more instructions to gather the device private key and from the private key datastore; and using the device private key to generate a device certificate, the device certificate providing the device with access to the secure application.
    Type: Grant
    Filed: January 26, 2017
    Date of Patent: January 30, 2018
    Assignee: Acer Cloud Technology, Inc.
    Inventors: Pramila Srinivasan, John Princen
  • Patent number: 9876820
    Abstract: An infrastructure delivery platform provides an RSA proxy service as an enhancement to the TLS/SSL protocol to off-load, from an edge server to an external cryptographic server, the decryption of an encrypted pre-master secret. The technique provides forward secrecy in the event that the edge server is compromised, preferably through the use of a cryptographically strong hash function that is implemented separately at both the edge server and the cryptographic server. To provide the forward secrecy for this particular leg, the edge server selects an ephemeral value, and applies a cryptographic hash to the value to compute a server random value, which is then transmitted back to the requesting client. That server random value is later re-generated at the cryptographic server to enable the cryptographic server to compute a master secret. The forward secrecy is enabled by ensuring that the ephemeral value does not travel on the wire.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: January 23, 2018
    Assignee: Akamai Technologies, Inc.
    Inventors: Charles E. Gero, Philip A. Lisiecki
  • Patent number: 9876769
    Abstract: The present invention provides a system and method for providing certified voice and/or multimedia mail messages in a broadband signed communication system which uses packetized digital information. Cryptography is used to authenticate a message that has been compiled from streaming voice or multimedia packets. A certificate of the originator's identity and electronic signature authenticates the message. A broadband communication system user may be provisioned for certified voice and/or multimedia mail by registering with a certified mail service provider and thereby receiving certification. The called system user's CPE electronically signs the bits in received communication packets and returns the message with an electronic signature of the called system user to the calling party, along with the system user's certificate obtained from the service provider/certifying authority during registration. The electronic signature is a cryptographic key of the called party.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: January 23, 2018
    Assignee: AT&T INTELLECTUAL PROPERTY II, L.P.
    Inventor: Aviel D. Rubin
  • Patent number: 9871663
    Abstract: Various embodiments are directed to a system for accessing a self-encrypting drive (SED) based on a blind challenge authentication response mechanism (BCRAM). An SED may be authenticated within a system, for example, upon resuming from a sleep state, based on a challenge generated within the SED, signed using a private key by a trusted execution environment (TEE) and authenticated using a corresponding public key within the SED.
    Type: Grant
    Filed: March 25, 2015
    Date of Patent: January 16, 2018
    Assignee: INTEL CORPORATION
    Inventors: Adrian R. Pearson, Jason R. Cox, James Chu
  • Patent number: 9870166
    Abstract: Various embodiments of a system and method for securely caching and sharing image data. A process can generate image data and store the image data into the protected cache using a UUID that is cryptographically derived from the image data. Any process with access to the UUID may retrieve the image data. Because the UUID is uniquely derived from the actual data of the generated file, a process will only be able to retrieve image data that could have been generated by a process associated with the user account, or from a process associated with a user account that could have generated the image data, or that otherwise has a record of the image data.
    Type: Grant
    Filed: September 15, 2014
    Date of Patent: January 16, 2018
    Assignee: Apple Inc.
    Inventors: David A. Carter, Keith Stattenfield, David P. Remahl, Jr., Christopher S. Linn