Abstract: The present disclosure provides a provisioning method and a terminal device. The provisioning method is applied to the terminal device, including: the security module establishes a secure channel with the certificate authority CA server through one or more session keys shared by the security module and the CA server; and obtains one or more digital certificates from the CA server; wherein, the security module is to implement Universal Subscriber Identity Module (USIM) functions.

Abstract: In some aspects, the techniques described herein relate to a device including: a processor; and a storage medium for tangibly storing thereon logic for execution by the processor, the logic including instructions for: storing a group digital certificate, the group digital certificate including a plurality of unique identifier (UID) values and a plurality of corresponding public keys; receiving onboarding data and a digital signature from a client device, the onboarding data including a UID of the client device and a public key of the client device and the digital signature generated using the onboarding data and a private key corresponding to the public key; validating the digital signature using the public key; confirming that the UID matches at least one UID in the group digital certificate; and onboarding the client device.

Abstract: The system includes an electronically controllable access point device and a server. The server includes one or more processors, which are communicatively coupled to the access point device and a portable device. The one or more processors are configured to determine whether a user of the portable device is authorized to access the access point device based on one or more credentials received from the portable device and retrieve a location of the portable device. The one or more processors are further configured to determine whether the location of the portable device is within a pre-defined geographical area. Upon determination of user authorization to the access point device and that the location of the portable device is within the pre-defined geographical area, the one or more processors direct the access point device to provide access to the user.

Abstract: A base unit of a wearable device for continuous analyte monitoring includes a cup configured to receive a power source. A first power source contact is at least partially located in the cup and configured to electrically contact a first terminal of the power source in response to the power source being received in the cup. At least one base contact is electrically coupled to the first power source contact, the at least one base contact configured to electrically contact at least one transmitter contact of a transmitter unit in response to the transmitter unit and the base unit being coupled together. Numerous other embodiments are provided.

Abstract: Disclosed is a method for ultra-wide band (UWB) security ranging and a UWB device configured to perform secure ranging. The method includes obtaining, from a UWB sub-system of the UWB device, first encryption data including a symmetric key encrypted with a public key of a secure application of the UWB device; transferring the first encryption data to the secure application; obtaining, from the secure application, second encryption data including a ranging data set (RDS) encrypted with the symmetric key; and transferring the second encryption data to the UWB sub-system. In this case, the RDS may include a ranging session key configured to secure a UWB ranging session, and the secure application may be included in a trusted execution environment area.

Abstract: A peer-to-peer offline communication method, including: at a mobile device executing a mobile device communication application, generating a mobile device certificate signing request and sending the mobile device certificate signing request to a cloud server; at the mobile device communication application, receiving a signed mobile device certificate from the cloud server; at a vehicle executing a vehicle communication application, generating a vehicle certificate signing request and sending the vehicle certificate signing request to the cloud server; at the vehicle communication application, receiving a signed vehicle certificate from the cloud server; broadcasting the presence of the mobile device and discovering the presence of the mobile device at the vehicle; exchanging and verifying the signed certificate signing requests between the mobile device communication application and the vehicle communication application; and encrypting and decrypting data exchanged between the mobile device and the vehicle.

Abstract: A consumer device is described, comprising a sensor which is adapted to register sensor data that describe a physical behavior of an authentication chip of a consumable component, an authentication circuit which is adapted to implement a machine learning model that is trained to classify consumable components with the aid of sensor data that describe the physical behavior of authentication chips of the consumable components into originals and copies, to deliver the registered sensor data to the machine learning model, and to authorize the use of the consumable component by the consumer device depending on whether the machine learning model classifies the consumable component as original.

Abstract: When a network element attempts to establish a session with another network element, a security verification agent may be activated in one or both network elements. The security verification agents, such as front-end processors, virtual network functions, or other software agents, may reside in each of the network elements.

Abstract: A Certification Authority (CA) server for issuing digital certificates generates a first digital certificate associated with a first public key of the device and calculates an update factor for the first private key. Based on the first public key, the calculated update factor, and a predefined public system parameter, the CA server calculates a second public key for a determined time period for the device. The CA server generates a second digital certificate valid at the determined time period and associated with the second public key and sends the second digital certificate to the device. A device may calculate an update factor for a stored first private key, calculates a second private key based on the calculated update factor and the first private key, receives from the CA server a second digital certificate associated with a second public key, and validates the device based on the second digital certificate.

Abstract: A system can receive a request from a user device to disable a password-based mode of authentication associated with a user account. The user account can have a password usable for accessing account data associated with the user account and account functions associated with the user account. The system can receive verification from the user device for the request. The system can disable the password-based mode of authentication associated with the user account. The system can enable a password-less mode of authentication associated with the user account. The password-less mode of authentication can enable the user device to access account data associated with the user account and account functions associated with the user account without requiring the user to enter the password.

Abstract: The codebook-based homomorphic compression system is a novel approach that combines data compression and homomorphic encryption to enable efficient and secure computation on compressed data. It involves quantizing the input data, generating an optimized codebook using techniques like Huffman coding or deep learning, and compressing the data by replacing each value with its corresponding codeword. The compressed data is then encrypted using a homomorphic encryption scheme, such as the Paillier cryptosystem, allowing computations to be performed directly on the encrypted compressed data without decryption. Homomorphic properties of the encryption scheme enable operations like addition and multiplication on the ciphertexts, while preserving the confidentiality of the underlying data. The system also incorporates error correction techniques to mitigate the impact of quantization and encryption on the accuracy of the computations.

Abstract: Systems and methods of automatically controlling a user's data footprint are provided. Data associated with a user may be analyzed to determine an action the user is preparing to take. Based on the analysis, a potential risk associated with the action the user is preparing to take may be identified. The potential risk associated with the action the user is preparing to take may be, for example, a data security risk, a data privacy risk, a physical risk, a risk of damage to property, and/or a financial risk. A notification indicating the potential risk associated with the action the user is preparing to take may be provided to the user. The notification may include one or more suggestions for mitigating the potential risk associated with the action the user is preparing to take.

Abstract: A method for identifying alternate delivery endpoints for mobile originated data and monitoring reports in a communications network includes establishing, by a network exposure function (NEF) in a communications network, priority rules in a priority configuration database that define routing priority indicators corresponding to a plurality of applications functions (AFs) and receiving a service request or notification request message directed to one of the plurality of AFs from a consumer network function (NF) in the communications network. The NEF accesses a context database to validate context information associated with a destination AF belonging to the plurality of AFs. If the destination AF is unavailable or is not in proximity to the NEF, an event notification request message associated with the service request or notification request message is directed to a prioritized AF specified in the priority configuration database, wherein the prioritized AF is a peer of the destination AF.

Abstract: There are provided systems and methods for a dynamic value appended to cookie data for fraud detection and step-up authentication. A service provider, such as an electronic transaction processor for digital transactions, may utilize computer cookies for authentication and/or login for a user account. In order to further secure cookies from being compromised and used by malicious parties for fraudulent account access, the service provider may add or append a dynamic value that changes at each subsequent login to the computer cookie. The dynamic value may be used so that if a computer cookie is misappropriated, only one device may use the cookie once without the cookie updating and invalidating the cookie with another device or application on the device. Thereafter, when a login is requested, the dynamic value is matched to an expected value by the service provider when determining whether to authenticate the device.

Abstract: Techniques for certificate authority (CA) selection are described. A certificate management service of a cloud provider network receives a first request to generate a certificate from an electronic device, the first request including an indication of an identity of a user and an identification of a domain name to associate with the certificate. A CA selection policy applicable to the first request is identified, the CA selection policy including a CA selection rule. A CA to generate the certificate is identified by evaluating the CA selection rule, the CA selection rule associates at least a portion of the domain name with the CA. A second request to generate the certificate is sent to the identified CA. The certificate or an identification of the certificate from the CA is returned to the electronic device.

Abstract: A method performed by a security system of a 5G network to protect against cyberattacks on a personalized basis. The security system can identify a cybersecurity threat to a wireless device based on contextual information relating to the wireless device, a user preference, or a call detail record. The security system can determine a one-time fee to charge the user in exchange for protecting the wireless device against the cybersecurity threat, generate an coupon to protect the wireless device against the cybersecurity threat, and send the coupon to the wireless device based at least in part on the contextual information relating to the wireless device and the user preference. When the security system receives an indication that the coupon was redeemed, responds by deploying a network asset to protect the wireless device against the cybersecurity threat.

Abstract: A method is described of managing service events in a distributed computing system. The distributed computing system comprises a plurality of computing nodes able to perform a service using a service process. The method takes place at one of the computing nodes. A service event is received or created. This service event is identified by a combination of a node identifier, a time element, and a local counter value. The local counter value represents a number of service events performed by a service process for a user since a last reset. The identified service event is then stored in a service process database according to node identifier and local counter values. The service process database is used to manage service events in the distributed system. Service events are removed from the service process database when no longer valid using the time element.

Abstract: A method including configuring, by an infrastructure device, a first user device to select an encryption key, from among a plurality of encryption keys available to the first user device, for encrypting a metadata key that is utilized to encrypt metadata associated with a file; receiving, by the infrastructure device from the first user device, an encrypted metadata key; transmitting, by the infrastructure device to a second user device, the encrypted metadata key; and configuring, by the infrastructure device, the second user device to select a decryption key, from among a plurality of decryption keys available to the second user device, for decrypting the encrypted metadata key, the decryption key being associated with the encryption key is disclosed. Various other aspects are contemplated.

Abstract: Disclosed methods for enabling flexible policies for user access to BIOS attribute settings perform operations including creating a BIOS attribute map encompassing one or more configurable BIOS attributes, generating a role-based authorization table associating an authorization role to each of the configurable BIOS attributes, and deploying the role-based authorization table to an information handling system. Responsive to a user launching a BIOS attribute configuration tool, a user role associated with the user is detected and the role-based authorization table is retrieved. Based on the role-based authorization table and the user role, configurable BIOS attributes for the user are identified. The configurable BIOS attributes may then be presented to the BIOS configuration to enable the user to perform configuration operations for the configurable BIOS attributes.

Abstract: Broadly speaking, the present techniques relate to a computer implemented method for establishing a secure communication session between a client device and a server resource.

Abstract: Risk assessment in an authentication service is performed where an authorization request is received from a third-party application. Risk assessment policies for the authorization request are determined based on a class of the third-party application. The risk assessment policies are applied to the authorization request to determine an action to be performed for the authorization request, such as sending an authorization message in response to the authorization request or taking a remedial action (e.g., suspending the application, limiting the available actions, or sending a notification to a trusted security application).

Abstract: A system implemented on a server computer for managing digital certificates includes a certificate management agent module, a digital certificate processing module and a configuration module. The certificate management agent module processes requests to create a plurality of certificate management agents. Each of the certificate management agents is configured to manage a lifecycle of a digital certificate for a client electronic device. The digital certificate processing module processes requests from the certificate management agent module for digital certificates for the plurality of certificate management agents. The configuration module receives and processes configuration parameters for the certificate management agents and for the digital certificates.

Abstract: Device access authorization via connected user equipment is performed with a device including a controller, a memory in communication with the controller, the memory storing a device identifier, a registration service, and a limited access service, and a secure element in communication with the controller, the secure element storing a device authentication key and a registry certificate.

Abstract: A method of operating the physically unclonable function (PUF)-based key management system includes upon receiving a key generation request including a parameter, a load balancer dispatching a key generation request including a parameter from an external device according to workloads of a plurality of key management components (KMCs). A KMC having minimum workload among the plurality of KMCs is designated as the key-generation KMC and the key generation request is dispatched thereto, and remaining KMCs of the plurality of KMCs are designated as backup KMCs. The method further includes the key-generation KMC generating a key according to the parameter and a first PUF sequence, transmitting the key and an identifier associated therewith to the backup KMC via a backup channel, and the backup KMC generating a wrapped key according to the key and a second PUF sequence.

Abstract: A method of secure automated communication comprises communicating by a computer with a cloud computing service having an address in a first Internet domain, the communicating performed during a first electronic commerce session using an electronic commerce web page rendered by a browser executing on the computer; communicating by the computer with a transaction server having an address in the first Internet domain via a virtual private network (VPN), the communicating performed during the first electronic commerce session using the electronic commerce web page rendered by the browser; determining when the browser is accessing a product information portion of the electronic commerce web page during the first electronic commerce session; determining when the browser is providing confidential information to the electronic commerce web page during the first electronic commerce session; and directing the confidential information to the transaction server via the virtual private network during the first electronic

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that securely track, manage, and provision elements of interaction data within a computing environment in accordance with encrypted permissioning data recorded onto a permissioned distributed ledger. For example, an apparatus may obtain query data that includes an identifier of a computing system and a query term, and access one or more ledger blocks of a permissioned distributed ledger that include encrypted permissioning data and interaction data. The apparatus may decrypt the encrypted permissioning data using a master cryptographic key of a centralized authority.

Abstract: A communication device that communicates with an external device performs authentication by exchanging information for authentication processing with the external device. In a case where the communication device detects a request to share unique information that is used to provide a communication parameter during the authentication processing, the communication device shares the unique information with the external device after authentication has been successfully completed.

Abstract: A software based application for assessing, processing, and remediating cyber-risk in real time may comprise, without limitation, a profiling component, an analytic component, an evaluation component, a documentation component, an implementation component, a validation component, and a monitoring component which may, in conjunction therewith, operate to allow an organization to adaptively adjust an organization's network security to continuously improve and mature same. Such components may operate to: (1) determine an organization's operational baseline; (2) identify risks and hazards inherent therein; (3) generate, and verify the efficacy of, remedial controls to such risks and hazards; (4) document and audit such determinations; and (5) continually monitor the organization's network security.

Abstract: Techniques are described for enabling users of a certificate management service to create certificate issuance policies that can be applied to certificate issuance requests across both public and private certificate authorities (CAs) and other certificate-related services. According to embodiments described herein, a certificate issuance policy includes one or more certificate issuance rules to be applied to requests associated with one or more specified user accounts or roles for certificate-related resources (e.g., public certificates, private certificates, etc.). The application of a certificate issuance rule can be conditioned on a particular request context (e.g., based on a user account or role associated with a request, a type of certificate requested, a subject name identified in the request, etc.) and can specify a wide range of actions to be performed on requests matching a rule (e.g., allowing or denying a request, modifying one or more parameters of the request, etc.).

Abstract: The present disclosure provides for a system ensuring the integrity of received data. The system includes a processor, a trusted platform module, and a memory storing instructions. Upon a request from the processor, the trusted platform module generates an asymmetric key pair including a private key and a public key. The trusted platform module provides the public key and an encrypted private key to the processor. The processor generates a checksum of received content data and sends the checksum to the trusted platform module. The processor also loads the encrypted private key into the trusted platform module. The trusted platform module decrypts the encrypted private key, encrypts the checksum with the private key, and provides the encrypted checksum to the processor. The processor sends the content data together with the encrypted checksum to an external device. The external device may decrypt the encrypted checksum with the public key.

Abstract: Methods, systems, and computer-readable storage media for authorizing execution of processes that access cached data of an application running in a virtualized cloud environment. A first composite encrypted value comprising a first encrypted secret and a first secure hash value of a first secret is retrieved at a first virtual machine. The first encrypted secret is decrypted using a cryptographic key to determine a second secret to be used for initiating a first process (p?) on the first virtual machine. A second secure hash value of the second secret is generated. The second secure hash value is compared with the first secure hash value to determine whether to authorize execution of the first process on the first virtual machine using the first secret. In response to determining that the second secure hash value and the first secure hash value match, the first process is initiated at the first virtual machine.

Abstract: A process includes a first tenant of a plurality of tenants communicating with a security processor of a computer platform, via a first physical request interface of the security processor, to acquire ownership of a first command execution engine of the security processor associated with the first physical request interface. The process includes a second tenant of the plurality of tenants communicating with the security processor, via a second physical request interface of the security processor, to acquire ownership of a second command execution engine of the security processor associated with the second physical request interface. The process includes the security processor receiving a first request from the first tenant in the first physical interface, and the second processor receiving a second request from the second tenant in the second physical request interface.

Abstract: A permissions management system is disclosed for enabling a user to securely authorize access to user accounts and/or securely authorize execution of transactions related to user accounts via one or more application programming interfaces (“APIs”) and/or one or more authorization mechanisms.

Abstract: According to an example aspect of the present invention, there is provided an apparatus configured at least to determine whether a cryptographic signature of a token received in the apparatus from a network function consumer is valid, obtain a cryptographic signature of the apparatus of the token responsive to the cryptographic signature of the token being valid, and provide the token to a peer entity of the apparatus, wherein the cryptographic signature of the apparatus is either included into the token or provided in a header external to the token, wherein the peer entity is comprised in a second network, different from a first network where the apparatus is comprised in. The request may serve a user equipment, directly or indirectly.

Abstract: The techniques described herein relate to a system including a simulator for instantiating a simulated device associated with a device public key and at least one generated device public key and generated device certificate. The system includes a server configured to receive the device public key, generate a server unique device secret (UDS) using the device public key and a server private key, generate at least one generated server key using the server UDS, generate at least one generated server certificate using the at least one generated server key, receive the at least one generated device key and at least one generated device certificate, and validate the at least one generated device key and generated device certificate by comparing the at least one generated device key and generated device certificate to the at least one generated server key and generated server certificate, respectively.

Abstract: Systems and methods are disclosed for providing a secure and assured method for updating software of a cyber-physical system (CPS) device, maintaining a CPS device, diagnosing a CPS device, and transferring of CPS data. The method may include authenticating a moment a secure maintenance device (SMD) is connected to a first device before a software-based communication is established, establishing a secure communication channel between the SMD and the first device, authenticating a user of the first device and determining access rights of the user using an identity of the first device; transmitting digitally signed updates from the SMD to the first device; receiving, at the SMD, digitally signed first data from the first device, performing diagnostic and maintenance functions at the first device, and exporting data from the first device to the SMD for mobile transfer to another platform.

Abstract: In a method for software attestation, an enclave including an operating system (OS) library is initialized in a trusted execution environment, wherein software attestation is performed to verify an identity of the enclave, wherein an application is executed inside the enclave using the OS library, and wherein performing the software attestation includes attestation of a content of a disk image associated with the application.

Abstract: Systems and methods for multi-stage, identity-based, digital authentication are provided. Methods include a first and a second stage of authentication. The first stage may include a user profile submitting a first request to access a first digital application; the computing device receiving, as input, one or more authenticating factors; the computing device transmitting, to a central server, the one or more authenticating factors; the central server processing and authenticating the user profile to the first digital application.

Abstract: A method and apparatus provides debug information and employs a central debug service in a management environment that issues, to a client debug agent in a client environment, a cryptographically secure signed request for access to debug information that is generated by code executing in the client environment. The request is signed using a private key of a public/private key pair associated with the central debug service. The central debug service receives from the client debug agent, a request that requests the public key of public/private key pair associated with the central debug service and provides the public key of the central debug service to the client debug agent, in response to the request, for verification of approval to access debug information in the client environment. The central debug service receives the requested debug information from the client debug agent, in response to a successful signature verification by the client debug agent.

Abstract: Techniques for a trusted system for secure content distribution and trusted recording of content consumption are described. In some embodiments, the trusted system transcodes and transcrypts a media content item using a key obtained from a content provider and one or more keys based on an entitlement from a service provider to generate an encrypted media content item. The trusted system further receives a request to provide the media content item to a client device. The trusted system also obtains a signed audit token recording the request upon an authorization by the service provider based on the entitlement and a confirmation by the content provider, where the signed audit token is signed by the content provider and the service provider. The trusted system additionally provides the one or more keys for decrypting the encrypted media content item and reports the signed audit token.

Abstract: A method for a user to access resources within a secure network without inputting a username or password is presented and claimed where the method comprises inputting, by the user, login credentials into an authentication service and obtaining from the authentication service at least one secret code; inputting the at least one secret code into an OTCP to initialize the OTCP; generating within the OTCP a one-time code (OTC) utilizing the at least one secret code but not including the user's login credentials or username; supplying, by the user, the OTC to a secure web portal wherein the secure web portal confirms authenticity of the OTC with the authentication service; and the secure web portal supplying access to the user of the secure web portal resources upon receipt of authentication of the user.

Abstract: One or more devices may include a credentials server. The credentials server may be configured to: receive primary Standalone Non-Public Network (SNPN) credentials for a User Equipment device (UE) and SNPN information. The primary SNPN credentials and the SNPN information are associated with the UE and an SNPN. The devices may be configured to generate temporary SNPN credentials based on the primary SNPN credentials and the SNPNN information. The devices may forward the temporary SNPN credentials to the SNPN.

Abstract: Securely loading digital blocks into memory for consumption by a processor. A method includes, at a memory protection shim, receiving a digital block and a manifest for the digital block. The manifest includes a transformation key for the digital block. The transformation key is configured to be used for at least one of validating the digital block or decrypting the digital block. The manifest is encrypted. The method further includes decrypting the manifest to obtain the transformation keys. The method further includes using the transformation keys to perform at least one of validating or decrypting the digital block. The method further includes retransforming the digital block using a memory protection shim ephemeral key to perform at least one of creating an authentication tag or encrypting the digital block. The method further includes storing the retransformed digital block in memory.

Abstract: A system is provided for protecting a computer system and/or control system against manipulation and functional anomalies. The system includes a monitoring module, which has at least a first interface, a second interface, and at least one memory. The system is configured to receive information characterizing the system state of the computer system and/or control system via the first interface, receive an encrypted request for system state via the second interface and decrypt it using a request key stored in the memory, and generate a response to the request from at least a portion of the information received via the first interface. The system is also configured to encrypt the response with a response key determined using the request and output it via the second interface, determine a new request key which is a shared secret also accessible to the sender of the request, and store this new request key in the memory.

Abstract: A system and methods for mitigating Kerberos ticket attacks within a domain is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to retrieve the new authentication object from the authentication object inspector, calculate a cryptographic hash for the new authentication object, and store the cryptographic hash for the new authentication object in a data store; wherein subsequent access requests accompanied by authentication objects are validated by comparing hashes for each authentication object to previous generated hashes.

Abstract: The invention relates to creating a secure, decentralized, cloud-based network or physical/virtual infrastructure that enables the payments industry to redefine payment processing and information sharing. The innovative network addresses key pain points by reducing payment delays and touch points, realizing faster and comprehensive payment tracking, real-time sanctions, AML and fraud management tools.

Abstract: Some embodiments are directed to a password generation device that includes an input unit arranged to receive, from a user device, a computer address for accessing a computer resource, a user identifier indicating a user of the user device, a user password, and a password unit arranged to determine a first combined identifier from a base address system-identifier, a user system-identifier, and the user password. Moreover, the password generation device may be configured for password verification and/or validation.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for rollback resistant security are disclosed. In one aspect, a method, during a boot process of a computing device, includes the actions of obtaining a secret key derived from device-specific information for the computing device. The method further includes verifying that a signature for a software module is valid. The method further includes obtaining information indicating a current version of the software module. The method further includes using the secret key to generate a first encryption key corresponding to the current version of the software module and a second encryption key corresponding to a prior version of the software module. The method further includes preventing future access to the secret key until the computing device is rebooted. The method further includes providing the software module access to the first encryption key and the second encryption key.

Abstract: A system includes a control computer that is programmed to perform an authentication based on an encryption key, upon being connected to a vehicle communication network. The computer is programmed to control vehicle operation including at least one of propulsion, braking, and steering, upon authentication by a vehicle computer that is physically attached to the communication network.

Abstract: Methods and systems described in this disclosure allow customers to quickly be authenticated. In some embodiments, a device and a user verifier are associated with a user profile. When a call is received from the device, the user may be requested to input the user verifier. After verifying that the device is unique to the user and that the user verifier matches the user verifier associated with the user profile, the user may be authenticated to the call or activity.