Abstract: In some instances, a method for authenticating a user using key pair authentication is provided. The method comprises enrolling the user into key pair authentication by generating a private and public key pair for an authentication domain, accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain, requesting access for different content on a second domain, based on enrolling the user into the key pair authentication for the first domain, redirecting a browser from the second domain to the authentication domain, and accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain.

Abstract: A method including encrypting, by a user device, a file based at least in part on utilizing a file symmetric key and a first encryption algorithm to determine a first-encrypted file; storing, by the user device, the first-encrypted file in a local memory; encrypting, by the user device, the file based at least in part on utilizing a synchronization key and a second encryption algorithm to determine a second-encrypted file, the second encryption algorithm being different from the first encryption algorithm; encrypting, by the user device, metadata associated with the file based at least in part on utilizing a metadata key to determine encrypted metadata; and transmitting, by the user device to a storage device, the second-encrypted file in association with the encrypted metadata is disclosed. Various other aspects are contemplated.

Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.

Abstract: Managing client access token requests is provided. It is determined whether a current time interval between a last allowed access token request matches a regular access token request interval for a client. In response to determining that the current time interval does match the regular access token request interval for the client, a current access token request is allowed. An access token is generated for the client to access a protected resource hosted by a resource server based on allowing the current access token request. The access token is issued to the client via a network.

Abstract: A computer-implemented method is disclosed. The method includes: authenticating a user for login to a service for a first authenticated user session; in response to authenticating the user, generating a first data string associated with a first validity period; sending, to a client device associated with the user, the first data string; receiving, from the client device, a data access request to access a first data set at a remote data source, the data access request including the first data string; determining that the first authenticated user session has been terminated at a time of receiving the data access request; validating the first data string based on checking the first validity period; and in response to determining that the first authenticated user session has been terminated and that the first data string is valid, transmitting, to the client device, a data access response including at least a subset of the first data set.

Abstract: A system for authenticating a requesting device using verified evaluators includes an authenticating device. The authenticating device is designed and configured to receive at least a first digitally signed assertion from a requesting device, the at least a first digitally signed assertion linked to at least a verification datum, evaluate at least a second digitally signed assertion, signed by at least a cryptographic evaluator, conferring a credential to the requesting device, validate the credential, as a function of the at least a second digitally signed assertion, and authenticate the requesting device based on the credential.

Abstract: Apparatus and methods to manage recording of streaming packetized content (such as for example live IP packetized content) for access, retrieval and delivering thereof to one or more users. In one embodiment, the foregoing is accomplished via communication between a recording manager and a receiver/decoder device. The recording manager manages and schedules recording of content on behalf of the receiver/decoder device (and/or mobile devices) disposed at a user's premises. The recording manager runs one or more computer programs designed to receive requests to record packetized content from one or more consumer devices, and use metadata contained within the requests to cause a cloud storage entity or premises storage device to record the content at its scheduled date/time (either via the receiver/decoder device itself, or another network entity).

Abstract: Fault-tolerant storage of cryptographic information maintained on a fleet of HSMs may be provided by dividing the cryptographic information into a number of stripes which are distributed and stored on individual HSMs in the HSM fleet. Parity information is generated which allows one or more stripes to be regenerated if one or more stripes becomes corrupt or is lost. The parity information may be stored on an HSM in the HSM fleet, or outside the fleet on a storage service, HSM management hub, tangible computer-readable media, or other device. If an HSM in the HSM fleet fails, resulting in the loss of a stripe, an HSM in the fleet can recover the missing stripe by re-creating the missing stripe from the remaining stripes combined with the parity information. In some examples, stripes are mirrored within the fleet of HSMs.

Abstract: The present disclosure provides systems and methods for secure identification retrieval. The method includes retrieving a value of a periodic variable and calculating a plurality of query tokens from a corresponding plurality of client device identifiers and the value of the periodic variable. Each query token is associated with a corresponding client device identifier in a first database. The method further includes receiving a first query token calculated from a client device identifier of the first client device and the value of the periodic variable and identifying a second query token of the calculated plurality of query tokens in the first database matching the first query token. The method further includes, responsive to the identification, retrieving the associated client device identifier and retrieving one or more characteristics of the first client device according to the associated client device identifier. The method further includes transmitting the retrieved one or more characteristics.

Abstract: At least one machine readable medium comprising a plurality of instructions that in response to being executed by a system cause the system to send a unique identifier to a license server, establish a secure channel based on the unique identifier, request a license for activating an appliance from a license server over the secure channel, receive license data from the license server over the secure channel; determine whether the license is valid, and activate the appliance in response to a determination that the license data is valid.

Abstract: A method for attestation of Control Flow Integrity (CFI) of an application running on an end entity whereby an asymmetric key pair is generated by a Key Management Module (KMM) comprising a private key and a public key, then the public key is signed with a device key unique to the end entity thereby generating a public key certificate which attests to the private key being in possession of the end entity. The asymmetric key pair is based on the executing code of the application and the device key. The attestation claims regarding CFI of the application are signed by the private key in a dedicated signature module.

Abstract: An authentication system prevents leakage of a key-reading speech during user authentication based on the key-reading speech of a user reading an authentication key. For each user ID, a storage stores a voiceprint of a user in association with a recorded sound including speech spoken previously by the user. A specifier specifies the user ID of a user attempting to receive authorization. An outputter outputs a masking sound that includes the recorded sound recorded in association with the specified user ID. An acquirer acquires a key-reading speech of the user reading the authentication key and the output masking sound. A remover acquires a second sound by removing the masking sound from the acquired first sound. A determiner determines whether the user has authority pertaining to the specified user ID based on the acquired second sound.

Abstract: Systems and methods are provided for managing dynamic controls over access to computer resources and, even more particularly, for evaluating and re-evaluating dynamic conditions and changes associated with user sessions. The systems and methods are configured to automatically make a determination as to whether new or additional authentication credentials are required for a user that is already authorized for accessing resources in a user session, in response to triggering events such as the identification of a new or changed condition associated with the user session.

Abstract: The present invention relates a method for ensuring search completeness of searchable public key encryption, applicable to a blockchain network formed by a plurality of computer nodes. The method at least comprises: the blockchain network receiving a keyword ciphertext and a corresponding file-identifier ciphertext generated by a transmitting end based on the public key encryption, and at least one miner storing the ciphertexts in a ciphertext table; the blockchain network receiving a search trapdoor Tw transmitted by a receiving end, generated according to a private key and a keyword w to be searched; the at least one miner in the blockchain network performing a secure search based on information of a state table and the search trapdoor Tw, and outputting a search result to the blockchain network; and the blockchain network feeding the search result back to the receiving end.

Abstract: Configuration methods and systems include a smart vehicle router associated with router information stored in a router file in a cloud network, and a smart mobile device comprising a camera and software application tool. The router information includes a unique authentication certificate to permit a one-to-one pairing such that another pairing is not available. The configuration system is configured to read an image of an identification component associated with the smart vehicle router and the router information, apply an authentication algorithm to the image to provision the tool with the unique authentication certificate, authenticate the smart vehicle based on the image and authentication algorithm, pair the authenticated smart vehicle with the tool in the one-to-one pairing based on the unique authentication certificate and the router information, and automatically configure the tool on the smart mobile device to retrieve data associated with the authenticated smart vehicle.

Abstract: Risk assessment in an authentication service is performed where an authorization request is received from a third-party application. Risk assessment policies for the authorization request are determined based on a class of the third-party application. The risk assessment policies are applied to the authorization request to determine an action to be performed for the authorization request, such as sending an authorization message in response to the authorization request or taking a remedial action (e.g., suspending the application, limiting the available actions, or sending a notification to a trusted security application).

Abstract: A method is disclosed. The method comprises receiving, from a communication device, a provisioning request message including a user device identifier and a cryptogram in a first message format, which is received from the user device by the communication device during a message exchange process between the user device and the communication device. The method also includes generating an authorization request message in a second message format, the authorization request message comprising the cryptogram, transmitting the authorization request message to an authorizing computer, and receiving an authorization response message from the authorizing computer. The method also includes providing access data to the communication device.

Abstract: A computer-implemented method for generating multiple valid OTP (One Time Password) for a single identity using a shared logic, including using an OTP solution based on the shared logic generating and validating multiple valid OTPs that are capable of transferring additional info in a OTP validation process; changing the shared logic in a OTP client and/or in a OTP server dynamically if there is a logic overlapping in the shared logic in a moving factor value and in one or more rules addressed by a rules-based engine; and/or using the OTP solution for one or more distributed disconnected environments only if the shared logic, the moving factor value, and the one or more rules addressed by the rules-based engine are overlapping.

Abstract: This disclosure leverages multi-attach to block store volumes for more reliable live migration of virtualized resources. A block storage client of a virtualized resource operating on a source host in a first data center can be attached to a block storage volume stored on block storage hosts in the first data center. State data associated with the virtual machine can be transmitted from the source host to a target host, after which the virtual machine can run on the target host and operations of the virtualized resources may be ceased on the source host. Failure of the migration may require roll back to the source host. The source host may remain connected to the volume while the target host client connects to the volume, such that the volume may be accessed by the block storage client on the source host after rollback to provide uninterrupted operation of the virtual machine.

Abstract: Systems and methods of automatically controlling a user's data footprint are provided. Data associated with a user may be analyzed to determine an action the user is preparing to take. Based on the analysis, a potential risk associated with the action the user is preparing to take may be identified. The potential risk associated with the action the user is preparing to take may be, for example, a data security risk, a data privacy risk, a physical risk, a risk of damage to property, and/or a financial risk. A notification indicating the potential risk associated with the action the user is preparing to take may be provided to the user. The notification may include one or more suggestions for mitigating the potential risk associated with the action the user is preparing to take.

Abstract: Cumulative risk-based scoring may be implemented for quorum controls. Requests for authorization of a proposed action may be received. Approvals from members of a quorum set authorized to approve the action may be received. Risk assessments of the members may be used to generate authorization scores. The combined authorization scores may be compared with a quorum authorization threshold to determine whether the proposed action is authorized or denied.

Abstract: Disclosed herein are systems and methods executing a security server that perform various processes using alert elements containing various data fields indicating threats of fraud or attempts to penetrate an enterprise network. Using alert elements, the security server generate integrated alerts that are associated with customers of the system and assign a risk score for the integrated alerts, which the security server uses to store and sort the integrated alerts according to a priority, based on the relative risk scores. Analyst computers may query and fetch integrated alerts from an integrate alert database, and then present the integrate alerts to be addressed by an analyst according to the priority level of the respective integrated alerts. This allows to ensure that the right customer, is worked by the right analyst, at the right time, to maximize fraud prevention and minimize customer impact.

Abstract: A method is disclosed. The method includes constructing a table by encrypting a plurality of unencrypted match values using a public key to produce a plurality of encrypted match values. Each unencrypted match value being an indication of a degree of match between an input biometric template and an enrollment template. The method includes arranging each row so that each row has a match value and a corresponding encrypted match value. The method also includes storing, in a database, the table comprising the plurality of encrypted match values and the plurality of unencrypted match values. The server computer can be programmed to receive an encrypted biometric template and the table is used to determine a match value using the encrypted biometric template, and the match value is used to determine if a person is enrolling a biometric template associated with the encrypted biometric template more than once.

Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a first service operating within a computing system, a modified identity data object from a second service operating within the computing system, where the modified identity data object includes at least one identifier associated with a client of the computing system determining, by the first service, that the second service performed a first action on an identity data object to generate the modified identity data object, and validating the modified identity data object based on whether the second service is authorized to perform the first action.

Abstract: A system for presenting a clinical process of a patient in a clinical facility having a network, a system backend communicable with the network, and at least one mobile device communicable with the system backend, the mobile device comprising a mobile processor and a display, the mobile processor configured to operate in at least one first user interface mode and at least one second user interface mode, where the mobile processor is configured to enable the operation of at least one built-in function when operating in the at least one first user interface mode and where the mobile processor is configured to disable the operation of the at least one built-in function when operating in the at least one second user interface mode.

Abstract: Certain aspects of the present disclosure provide techniques for entering user credentials through a proxy. One example method generally includes receiving, at a user device, a push request for user data from a cloud server and receiving a request file from an aggregation system. The method further includes injecting user credentials stored on the user device into the request file, wherein when injected the user credentials replace at least one dummy entry of the request file, and transmitting the request file to a data source associated with the request file. The method further includes receiving user data from the data source and transmitting the user data to the aggregation system.

Abstract: Techniques for validating digital certificate information before signing are described. A method of validating digital certificate information before signing may include generating a to-be-signed (TBS) certificate, providing the TBS certificate to a certificate pre-issuance validation service to perform one or more validations on the TBS certificate, and receiving a request to issue a signed certificate based on the TBS certificate following validation of the TBS certificate by the certificate pre-issuance validation service.

Abstract: An embodiment device comprises a first processing unit configured to process an initial data line and deliver a first processed data line, a first delay unit coupled to the output of the first processing unit and configured to deliver a delayed first processed data line delayed by a first delay, a second delay unit configured to deliver the delayed initial data line delayed by a second delay, a second processing unit coupled to the output of the second delay unit and configured to process the delayed initial data line and deliver a delayed second processed data line, and a comparison unit configured to compare the contents of the delayed first and second processed data lines and deliver a non-authentication signal if the contents are not identical, the first and second delays being equal to a variable value.

Abstract: Example methods and system for providing content are disclosed. One or more cryptographic keys may be generated. At least a portion of the one or more cryptographic keys may be used to generate a token associated with a user interface service. The token may indicate a valid origin domain. The token may be provided to a user device, which may use the token to request content from a content service. The content service may authorize the request based on a comparison of the valid origin domain and an origin identifier associated with the request.

Abstract: A method including encrypting, by a processor associated with a user device, authentication information associated with authenticating the user device with a service provider, the authentication information including first factor authentication information for determining a first factor and second factor authentication information for determining a second factor; detecting, by the processor, an attempt to access a service to be provided by the service provider; determining, by the processor based at least in part on detecting the attempt, the first factor based at least in part on decrypting the first factor authentication information and the second factor based at least in part on decrypting the second factor authentication information; and enabling, by the processor, authentication of the user device with the service provider based at least in part on utilizing the first factor and the second factor. Various other aspects are contemplated.

Abstract: Techniques are disclosed to provide enforceable pseudonymous reputation through chained endorsers. In various embodiments, a request associated with a chained endorsement operation is received via a communication interface. A client identity information is extracted from the request. Data comprising or associated with the client identity information is combined with a secret value. A one-way transform of the combined value is performed. A result of the one-way transform is returned to a client with which the chained endorsement operation is associated.

Abstract: Aspects include encrypting data based at least in part on a session key to generate encrypted data. The session key is encrypted based at least in part on a sender key to generate an encrypted session key. A request for an encrypted sender key index is transmitted to the key management system (KMS), the request includes an index of the sender key and an index of each of one or more additional keys. The encrypted sender key index is received from the KMS. An object that includes the encrypted data, the encrypted session key, the index of each of the one or more additional keys, and the encrypted sender key index is generated. Access to the data via the object is controlled based at least in part on whether a receiver has access to the sender key and to the one or more additional keys.

Abstract: A method is disclosed. A node in a plurality of nodes can perform an identity set generation process. The node can then determine a leader node. The node may diffuse an identity set from each node of the plurality of nodes to the plurality of nodes. The node can then determine a majority set including identities occurring in at least one half of the identity sets, wherein the leader node diffuses the majority set of the leader node to the plurality of nodes. The node can verify the majority set of the leader node. The node may then update the identity set based on the majority set of the leader node.

Abstract: Systems and methods provide decentralized MEC compute services. A network device receives, from a user device associated with a user account, an access request for Multi-access Edge Computing (MEC) services. The user account includes a MEC service token that indicates parameters for the MEC services. The network device validates a user of the user device to access MEC services for the user device; removes, after the validating, the MEC service token from the first user account; and grants, based on the removing, access to a MEC cluster by the user device, wherein granting access includes granting access according to the parameters.

Abstract: Techniques are disclosed relating to user authentication using multi-party computation and public key cryptography. In some embodiments, a server may receive, from a client, a request to authenticate a user to a service. The server may access key-pair information that includes, for a server key-pair, a first component of a server private key and, for a client key-pair, a client public key and a first component of a client private key. The server may generate a partial signature value that is based on the first component, but not the entirety, of the server private key. The server may send, to the client, an authentication challenge that includes challenge information and the partial signature value. The server may then determine whether to authenticate the user based on an authentication response from the client.

Abstract: Improved pseudonym certificate management is provided for connected vehicle authentication and other applications. Temporary revocation of a certificate is enabled. With respect to Security Credential Management Systems (SCMS), pre-linkage values can be employed. The pre-linkage values can be encrypted using homomorphic encryption. Other embodiments are also provided.

Abstract: Disclosed herein are systems and methods executing a security server that perform various processes using alert elements containing various data fields indicating threats of fraud or attempts to penetrate an enterprise network. Using alert elements, the security server generate integrated alerts that are associated with customers of the system and assign a risk score for the integrated alerts, which the security server uses to store and sort the integrated alerts according to a priority, based on the relative risk scores. Analyst computers may query and fetch integrated alerts from an integrate alert database, and then present the integrate alerts to be addressed by an analyst according to the priority level of the respective integrated alerts. This allows to ensure that the right customer, is worked by the right analyst, at the right time, to maximize fraud prevention and minimize customer impact.

Abstract: An unlock method and system for an air-conditioning unit. The unlock system includes: a display apparatus; an input apparatus; and a control apparatus in communication with the display apparatus and the unlock system is configured to perform the following operations: generating a dynamic graphic according to at least an identification code and an update code; generating an unlock password according to at least a certificate, the identification code and the update code; receiving an unlock password through the input apparatus; comparing the unlock password received from the input apparatus with the generated unlock password; and granting a corresponding permission if the acquired unlock password is consistent with the generated unlock password.

Abstract: The present disclosure relates to a trustworthy data exchange. Embodiments include receiving, from a device, a query, wherein the query comprises a question. Embodiments include identifying particular information related to the query. Embodiments include receiving credentials from a user for retrieving the particular information related to the query. Embodiments include retrieving, using the credentials, the particular information related to the query from one or more data repositories that are part of a distributed database comprising an immutable data store that maintains a verifiable history of changes to information stored in the distributed database. Embodiments include determining, based on the particular information related to the query, an answer to the query. Embodiments include providing the answer to the device.

Abstract: Secure communications can be established in which a request is received from a client computing device to instantiate a virtual key store (VKS) node. In response to the request, a cryptographically calculated uniform resource locator (URL) is generated. In addition, a crytopgraphic identity certificate is received from a certification authority server. Subsequently, a virtual desktop infrastructure (VDI) instance is instantiated and configured with the cryptographic identity certificate. Communications are then established between the client computing device and the VDI instance using the generated cryptographically calculated URL such that the VDI instance acts as a cryptographic proxy with at least one remote computing device.

Abstract: The invention relates generally to the field of content authentication, and more particularly, to a system and methods for verifying the authenticity of content output to a user. In certain preferred embodiments, the content is verified by identifying the source data of the content, distributing the content, and authenticating the distributed content. Where the content has not been changed, the system may authenticate the content using a cryptographic hash. When minor changes to the content are made, the system may use a perceptual hash to authenticate the content. Further, the system may utilize machine learning algorithms to identify patterns between the same content in, for example, multiple formats and sizes. Advantageously, the content that is uploaded to the system may be used to train machine-learning models that the system may use to authenticate content that has been converted but unmanipulated.

Abstract: A method, system, and computer program product for running workflows and events using a stateless orchestrator includes: receiving first task data for a first task, where the first task data is information necessary for execution of the first task. The method may also include transmitting a request for a worker node to a provider, where the provider creates the worker node. The method may also include receiving a request from the worker node for the first task data. The method may also include transmitting the first task data to the worker node, where the worker node executes the first task. The method may also include, receiving results of the execution of the first task from the worker node. The method may also include, in response to the receiving the results, transmitting the results to a database.

Abstract: An improved One Time Password (iOTP) is used in a two-factor authentication mechanism to decode a username, and the inherent security of the iOTP eliminates the need for a password. When the user is identified by the iOTP, a second challenge is sent. The second challenge may be confirmed by user biometrics or via a PIN code if the user's device does not support biometrics. Benefits of the subject invention include: (1) no username, which eliminates exposure to multiple domain attacks (i.e., attacks on other sites with the same username) that attempt to extract passwords from less secure sites (e.g., where a user used the same username and password across multiple sites); and (2) password-less access—the iOTP replaces both the username and password function, thereby eliminating the need for the user to manage multiple usernames and passwords.

Abstract: The disclosed technology provides for packaging a secure cloud workload at a workload provisioning service. A unique device identifier is received from an edge device. The unique identifier is associated with the edge device. A unique packaging key is cryptographically generated based on the received unique device identifier, a unique workload identifier corresponding to a secure cloud workload to be executed on the edge device, and a nonce. The secure cloud workload is encrypted to generate a packaged secure cloud workload using the cryptographically generated unique packaging key. The encrypted secure cloud workload is transmitted to the edge device. The edge device is capable of independently cryptographically generating the unique packaging key using the unique device identifier, the unique workload identifier, and the nonce. The edge device is also capable of decrypting the packaged secure cloud workload using the generated unique packaging key cryptographically generated by the edge device.

Abstract: Systems and methods are provided for object identifier translation using a key pairs platform in a virtualized or cloud-based computing system. A key pair refers to a pair of identifiers held by an entity. Each key pair includes at least one anonymized object identifier. Advantageously, the key pair system protects privacy and provides anonymity for objects by not disclosing the identity of the objects or the underlying data associated with the objects.

Abstract: Example methods are provided for a host to perform authentication offload in a virtualized computing environment that includes the host and a destination server. The method may comprise detecting, from a virtualized computing instance, a packet destined for the destination server. The method may also comprise: in response to determination that the detected packet is an authentication request, obtaining, from the virtualized computing instance, metadata associated with a client application for which authentication is requested; and sending the authentication request and the metadata to the destination server to cause the destination server to authenticate the client application based on the metadata.

Abstract: Systems and methods of automatically controlling a user's data footprint are provided. Data associated with a user may be analyzed to determine an action the user is preparing to take. Based on the analysis, a potential risk associated with the action the user is preparing to take may be identified. The potential risk associated with the action the user is preparing to take may be, for example, a data security risk, a data privacy risk, a physical risk, a risk of damage to property, and/or a financial risk. A notification indicating the potential risk associated with the action the user is preparing to take may be provided to the user. The notification may include one or more suggestions for mitigating the potential risk associated with the action the user is preparing to take.

Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.

Abstract: A method of exchanging information with network devices using web browsers includes executing an application on a client device to implement a local web server on the client device, loading in a web browser on the client device a webpage independent of the web browser and including a script for generating a first request to the local web server, accepting the first request from the web browser by the local web server, and sending requested information to the web browser by the local web server. In some embodiments, the method also includes generating a second request to a remote server by the web browser and using the script, where the second request includes the requested information sent to the web browser.

Abstract: A key management apparatus receives a key request including a first device identification information and a second device identification information, encrypts a common key using the first device identification information to generate a first encrypted common key, encrypts the common key using the second device identification information to generate a second encrypted common key, and transmits a key response including the first encrypted common key and the second encrypted common key. A first device receives the key response, decrypts the first encrypted common key using the first device identification information to obtain the common key, and transmits the second encrypted common key. A second device receives the second encrypted common key and decrypts the second encrypted common key using the second device identification information to obtain the common key.