Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
-
Patent number: 10257169
Abstract: Mechanisms and methods are provided for managing OAuth access in a database network system, and extending the OAuth flow of authentication to securely store the OAuth encrypted refresh token in the storage available with current browsers or any other non-secure storage on user system.
Type: Grant
Filed: January 30, 2018
Date of Patent: April 9, 2019
Assignee: salesforce.com, inc.
Inventor: Akhilesh Gupta
-
Patent number: 10237070
Abstract: A system, apparatus, method, and machine readable medium are described for sharing authentication data.
Type: Grant
Filed: December 31, 2016
Date of Patent: March 19, 2019
Assignee: Nok Nok Labs, Inc.
Inventor: Rolf Lindemann
-
Patent number: 10235109
Abstract: A printing system includes at least one processor that acts as a storing unit and a determination unit. The storing unit causes history data about a print job to be stored into storage. The determination unit determines whether to cause a user to perform confirmation processing at a time of printing based on the history data about the print job that is stored in the storage.
Type: Grant
Filed: April 20, 2017
Date of Patent: March 19, 2019
Assignee: Canon Kabushiki Kaisha
Inventor: Masahito Yamazaki
-
Patent number: 10230715
Abstract: Improved methods and systems for integrating client-side single sign-on (SSO) authentication security infrastructure with a mobile authorization protocol are disclosed that provide clients with secured SSO mobile access to third-party services. Embodiments of the present invention leverage SSO authentication protocols that are utilized at many client-side systems already and integrate these SSO authentication protocols with a mobile SSO authorization protocol, thereby effectively extending the SSO framework to mobile service requests of web services at third-party service provider systems. Embodiments of the present invention provide a secure and automated solution which may be implemented in any existing client-side SSO frameworks with minimum cost and time, while providing a lightweight and secure solution that provides users using either native applications or mobile web application to access third-party web services.
Type: Grant
Filed: March 11, 2015
Date of Patent: March 12, 2019
Assignee: GLOBOFORCE LIMITED
Inventors: Jonathan Hyland, Eddie Fitzpatrick
-
Patent number: 10230869
Abstract: An information processing apparatus includes: a first wireless communication unit; a first acquisition unit that acquires first identification information which identifies a second wireless communication unit that is included in an external wireless terminal device, through the first wireless communication unit; and a use authorization unit that gives use authorization associated with the first identification information which is acquired by the first acquisition unit to a user of the wireless terminal device based on a table for managing the use authorization of a function of a host information processing apparatus in association with the first identification information.
Type: Grant
Filed: August 25, 2016
Date of Patent: March 12, 2019
Assignee: Fuji Xerox Co., Ltd.
Inventor: Takanari Ishimura
-
Patent number: 10225391
Abstract: This disclosure relates to a method and system for exchanging data between users of a vehicle, including a main user equipped with a first personal electronic device and a secondary user equipped with a second personal electronic device. The method includes a preparatory phase and a transmission phase, which comprise the following steps: the application installed on the first personal electronic device sends data to a remote server including the second email address of the secondary user and instructions for the transfer of information regarding the vehicle; the remote server sends data to an information cloud including the mobile identifier assigned to the application installed on the second device and information regarding the vehicle, and the cloud sends information regarding the vehicle to the application installed on the second personal electronic device.
Type: Grant
Filed: February 24, 2017
Date of Patent: March 5, 2019
Assignee: Dura Operating, LLC
Inventors: Arnaud Georges Thooris, Mickaël Roches
-
Patent number: 10225245
Abstract: A method and system of an identity service to provide a single point of access for a plurality of applications for an authentication of a user identity. An authentication request is received from an application via an application program interface (API), wherein the authentication request includes logon information. The authentication request is translated to one or more identity providers. Upon authentication, serially executing one or more programmatic extension scripts associated with the user. Privileges are granted to the user based on at least one of the programmatic extension scripts associated with the user.
Type: Grant
Filed: October 7, 2015
Date of Patent: March 5, 2019
Assignee: AUTH0, INC.
Inventors: Carlos Eugenio Pace, Matías Woloski, José Fernando Romaniello
-
Patent number: 10219151
Abstract: A unique pre-shared key plug-in is installed on a Chromebook device. Identification data associated with the Chromebook device is received, from the unique pre-shared key plug-in through a Chromebook client management system API. A unique pre-shared key is assigned to the Chromebook device using the identification data. The unique pre-shared key is sent to the Chromebook device. The Chromebook device is configured to seamlessly authenticate for a wireless network using the unique pre-shared key.
Type: Grant
Filed: March 17, 2016
Date of Patent: February 26, 2019
Assignee: Aerohive Networks, Inc.
Inventors: John William Hanay, Daniel Estevan O'Rorke, Ravi Mishra, Young Yoon
-
Patent number: 10216951
Abstract: A graphical user interface for uploading an application data file may be generated by a computing platform and communicated to a computing device. The computing platform may receive the application data file from the computing device. A graphical user interface comprising a link configured to provide the computing device with access to a modified version of the application data file that comprises an element for tracking dissemination of the application data file may be generated by the computing platform and communicated to the computing device.
Type: Grant
Filed: June 28, 2016
Date of Patent: February 26, 2019
Assignee: Bank of America Corporation
Inventors: Andrea M. Weisberger, Dale Binder
-
Patent number: 10218685
Abstract: Some embodiments provide non-transitory machine-readable medium that stores a program which when executed by at least one processing unit of a device synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.
Type: Grant
Filed: November 10, 2015
Date of Patent: February 26, 2019
Assignee: APPLE INC.
Inventors: Michael Brouwer, Dallas B. De Atley, Mitchell D. Adler
-
Patent number: 10205713
Abstract: A method of private mutually authenticated key exchange is provided. The method may include receiving, at the first device, a message transmitted from a second device and including a hierarchical inner-product encryption (HIPE) ciphertext. Further, the method may include decrypting, at the first device, the HIPE ciphertext to generate a first authenticated encryption (AE) ciphertext. The method may further include decrypting, at the first device, the first AE ciphertext. Further, the method may include encrypting, at the first device, a second AE ciphertext including a signature and one or more attributes of the first device. Moreover, the method may include transmitting, to the second device, another message including the second AE ciphertext.
Type: Grant
Filed: April 5, 2017
Date of Patent: February 12, 2019
Assignee: FUJITSU LIMITED
Inventors: Michel Ferreira Abdalla, Wei-Peng Chen
-
Patent number: 10205848
Abstract: A printing apparatus of the present invention makes wireless LAN connection in at least either one of a first connection mode for making wireless LAN connection to an image processing apparatus in which inherent authentication information is stored and a second connection mode for making wireless LAN connection to the image processing apparatus via a second access point provided by an apparatus other than the printing device and the image processing apparatus. The printing apparatus controls, in a case of connection in the first connection mode, a first function provided by the printing apparatus to be enabled and a second function which is enabled in the second connection mode to be disabled.
Type: Grant
Filed: April 6, 2017
Date of Patent: February 12, 2019
Assignee: CANON KABUSHIKI KAISHA
Inventor: Arata Miyagi
-
Patent number: 10205718
Abstract: The disclosed embodiments provide a system that authenticates a user. During operation, the system obtains a request to transfer an authentication of the user on a first electronic device to a second electronic device. Next, the system enables, in response to the request, an authentication mechanism for transferring the authentication of the user from the first electronic device to the second electronic device. Upon detecting use of the authentication mechanism on the first electronic device or the second electronic device, the system authenticates the user on the second electronic device without requiring authentication credentials for the user from the second electronic device.
Type: Grant
Filed: September 16, 2014
Date of Patent: February 12, 2019
Assignee: Intuit Inc.
Inventors: Tony Chang, Nathan R. Kane, Morgan DeBaun, Brendan D. McDonald
-
Patent number: 10200359
Abstract: The disclosed method for creating credential vaults that use multi-factor authentication to automatically authenticate users to online services may include (1) detecting a user account for an online service that uses multi-factor authentication comprising a token that generates a cryptographic authentication code, (2) creating a virtual representation of the token that is capable of generating the cryptographic authentication code, (3) storing the virtual representation of the token and a set of credentials for the user account in a credential vault for a user, (4) sending a message to the online service that associates the virtual representation of the token with the user account, (5) authenticating the user to the credential vault, and (6) automating the multi-factor authentication process for the online service by providing the cryptographic authentication code and the set of credentials to the online service. Various other methods, systems, and computer-readable media are also disclosed.
Type: Grant
Filed: June 30, 2015
Date of Patent: February 5, 2019
Assignee: Symantec Corporation
Inventors: Ilya Sokolov, Kevin Jiang
-
Patent number: 10200361
Abstract: In accordance with an embodiment, described is a system and method for integrating a transactional middleware platform with a centralized access manager to provide single sign-on authentication in an enterprise-level computing environment. The enterprise-level computing environment can include the transactional middleware platform and one or more SOA middleware platforms. Each middleware platform can include one or more access agents to access the centralized access manager configured to store user identity and security policy information for the enterprise-level computing environment. A request from a client for an application service in the transactional middleware platform can be intercepted by an access agent therein, which can communicate with a centralized access server of the centralized access manager to obtain a session token.
Type: Grant
Filed: June 27, 2016
Date of Patent: February 5, 2019
Assignee: ORACLE INTERNATIONAL CORPORATION
Inventors: Jimin (Jimmy) Cai, Lin Yang, Wei Li
-
Patent number: 10200265
Abstract: Systems and methods are described herein for managing peering relationships and applying peering policy between service providers and content distribution networks. Aspects discussed herein relate to establishing secure peering connections between service providers to exchange application and/or network information. In some embodiments, an application peering manager may apply peering policy based on token information or other suitable information configured to uniquely identify an application and/or subscriber. In other embodiments, policy enforcement points or other elements residing within a network may be configured to accept and/or apply peering policy to application sessions.
Type: Grant
Filed: June 8, 2016
Date of Patent: February 5, 2019
Assignee: Comcast Cable Communications, LLC
Inventors: Yiu Leung Lee, Franklyn Athias
-
Patent number: 10192215
Abstract: The disclosure relates to initiating and completing peer to peer payments or peer to merchant payments initiated by financial cards and cameras of mobile devices. In some embodiments, the disclosed systems and methods may provide an accurate determination of parties involved in a peer to peer transaction, be useable with hardware and software that users are already in possession of, and securely initiate a peer to peer transaction. The disclosed systems may include a server communicatively coupled to a mobile device by a network. The server may receive an image of one or more financial cards, retrieve account information for each financial card in the received image, generate a proposed transaction based on the retrieved account information, transmit the proposed transaction to the mobile device, receive approval for the proposed transaction and initiate a payment or a transfer to an account based on the retrieved account information.
Type: Grant
Filed: March 2, 2018
Date of Patent: January 29, 2019
Assignee: Capital One Services, LLC
Inventors: Michael Mossoba, Joshua Edwards, Abdelkader M'Hamed Benkreira
-
Patent number: 10187214
Abstract: Systems, methods, and apparatuses are described wherein a block chain or block chain network can be created and the mining of new blocks can be limited to certain actors holding a specific set of private keys and verified by the corresponding public keys accessible to consumers interested in validating the block chain. These keys are stored in software or on specific hardware devices designed to not reveal the private key. Only blocks mined using those keys are acceptable on the block chain. The signing of the blocks in the particular block chain is integrated in such a fashion as to be integral to the proof of work for the block chain.
Type: Grant
Filed: March 15, 2018
Date of Patent: January 22, 2019
Inventor: Daniel Robert Ferrin
-
Patent number: 10181143
Abstract: A system and method for a service level application are described. The service level application receives authentication data from a client seeking access to establish an account in an online marketplace. The service level application identifies a source of truth corresponding to the authentication data and verifies the authentication data with the corresponding source of truth. The service level application determines an access level tier to the online marketplace for the client based on the source of truth.
Type: Grant
Filed: August 18, 2014
Date of Patent: January 15, 2019
Assignee: eBay Inc.
Inventors: Venkatesh Thanuvan, Badrinath Vengalathur Srinath
-
Patent number: 10178090
Abstract: The subject matter discloses a computerized system, comprising a computerized device communicating with a third party server, that comprises a memory unit that stores a representation of a Boolean circuit and a processing unit for calculating a result of the Boolean circuit according to a string used as input for the Boolean circuit and calculating a first predefined function on the result of the Boolean circuit. The system also comprises a first auxiliary server communicating with the computerized device, the first auxiliary server comprises a processing unit for calculating a second predefined function on the result of the Boolean circuit received from the computerized device and a second auxiliary server communicating with the computerized device comprises a processing unit for comparing the result of the first predefined function and the result of the second predefined function.
Type: Grant
Filed: February 28, 2016
Date of Patent: January 8, 2019
Assignees: Bar-Ilan University, Unbound Tech, Ltd.
Inventors: Guy Pe'er, Yehuda Lindell
-
Patent number: 10171250
Abstract: A client device may provide, to a host device, a request to access a website associated with a host domain. The client device may receive, based on the request, verification code that identifies a verification domain and a resource, associated with the verification domain, to be requested to verify a public key certificate. The verification domain may be different from the host domain. The client device may execute the verification code, and may request the resource from the verification domain based on executing the verification code. The client device may determine whether the requested resource was received, and may selectively perform a first action or a second action based on determining whether the requested resource was received. The first action may indicate that the public key certificate is not valid, and the second action may indicate that the public key certificate is valid.
Type: Grant
Filed: July 25, 2017
Date of Patent: January 1, 2019
Assignee: Juniper Networks, Inc.
Inventor: Kyle Adams
-
Patent number: 10164775
Abstract: An electronic device is provided. The electronic device includes a first short-range communication module configured to execute short-range communication with a second electronic device, a security module configured to store security information, and a processor configured to receive, from the second electronic device, a pairing key that registers the electronic device as being linked to the second electronic device, transmit session key generation information to the second electronic device when authentication with the second electronic device is completed based on the pairing key, generate a session key based on the session key generation information, encrypt the security information based on the session key, and transmit the encrypted information to the second electronic device.
Type: Grant
Filed: October 20, 2015
Date of Patent: December 25, 2018
Assignee: Samsung Electronics Co., Ltd.
Inventors: Chol-Seo Park, Eun-Jik Kim
-
Patent number: 10158706
Abstract: A communication method for a data sharing system which is constituted by a plurality of communication nodes, and through which data transmitted from a transmission source node are propagated by having the respective communication nodes repeatedly transmit the data, includes: a transmission step in which a first communication node transmits a transmission stop message including a hash value of data in relation to which repeated transmission is to be stopped; a reception step in which a second communication node receives the transmission stop message; and a stopping step in which the second communication node stops transmission of data having an identical hash value to the hash value included in the transmission stop message. The hash value is preferably encrypted using a public key cryptosystem. A transmission source node of the transmission stop message may be a transmission source node or a destination node of the data to be stopped, or another node.
Type: Grant
Filed: October 27, 2014
Date of Patent: December 18, 2018
Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
Inventors: Ryokichi Onishi, Toshihiko Watanabe
-
Patent number: 10158647
Abstract: Access to a module element within a first module by a second module is prohibited if the module element within the first module has not been exposed to the second module. If a particular module element within a first module has been exposed to a second module, then access to the particular module element by the second module may or may not be allowed depending on: (a) whether the particular module element has been declared with a public or non-public access modifier, (b) whether a second exposed module element, which includes the particular module element, has been declared with a public or non-public access modifier, (c) a level of access associated with the operation that attempts to access the particular module element of the first module, and/or (d) whether an accessibility override configuration is set for accessing the particular module element.
Type: Grant
Filed: September 8, 2015
Date of Patent: December 18, 2018
Assignee: Oracle International Corporation
Inventors: Alexander R. Buckley, Mark B. Reinhold, Alan Bateman, Paul Sandoz, Chris Hegarty
-
Patent number: 10154035
Abstract: Systems and methods for controlling access to multiple applications on a computing device are provided. One embodiment of a system includes an access device configured to: receive a request to access a first application and a device identifier; authenticate the user using a user credential associated with the user and store the device identifier in association with a login identifier in response to authentication of the user. The access device can be further configured to receive a request to access a second application and the device identifier. The access device can allow access to the second application based on the previous authentication of the user.
Type: Grant
Filed: July 7, 2016
Date of Patent: December 11, 2018
Assignee: Open Text SA ULC
Inventor: Simon Dominic Copsey
-
Patent number: 10154025
Abstract: One embodiment of seamless device configuration between a network device and an access point sends a device credential associated with the network device to the access point before the network device communicates with the access point. The device credential can be used to verify the identity of the network device and can authenticate the network device with the access point without requiring user interaction. Another embodiment can incorporate a central authority maintaining a database of network devices, access points and associated users. The central authority can determine when one or more network devices can seamlessly be configured for use with a particular access point. The central authority can send the device credential associated with the one or more network devices to the access point before the network device communicates with the access point.
Type: Grant
Filed: March 15, 2013
Date of Patent: December 11, 2018
Assignee: QUALCOMM Incorporated
Inventors: Peerapol Tinnakornsrisuphap, Olivier Jean Benoit, Rajesh Kumar
-
Patent number: 10148438
Abstract: In some embodiments, a method includes receiving encrypted information associated with a user, and calculating a first portion of a shared secret based on the encrypted information associated with the user. The method also includes defining a completed portion of the shared secret based on the first portion of the shared secret and a second portion of the shared secret and storing the completed portion of the shared secret in a memory for a pre-defined period of time. The method includes defining a ticket based on the completed portion of the shared secret, and sending the ticket to a device associated with the user such that data associated with the ticket is accessible based on the ticket within the pre-defined period of time, and not accessible without the ticket or after the pre-defined period of time.
Type: Grant
Filed: April 3, 2012
Date of Patent: December 4, 2018
Assignee: Rally Health, Inc.
Inventors: Nicholas H. Evancich, Alexander E. Schoof
-
Patent number: 10140452
Abstract: Methods and systems for performing an authenticated boot; performing a continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies). Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.
Type: Grant
Filed: March 29, 2018
Date of Patent: November 27, 2018
Assignee: COMPUTER PROTECTION IP, LLC
Inventor: Ariel Silverstone
-
Patent number: 10142308
Abstract: There is disclosed a technique for use in authentication. In one embodiment, the technique comprises receiving behavioral information associated with a user. The technique also comprises performing an analysis based on the behavioral information. The technique further comprises determining whether to authenticate the user based on the analysis.
Type: Grant
Filed: June 30, 2014
Date of Patent: November 27, 2018
Assignee: EMC IP Holding Company LLC
Inventors: Zohar Duchin, Alex Zaslavsky, Ika Bar-Menachem, Shachar Israeli
-
Patent number: 10142311
Abstract: Devices between which packets are transmitted and received include mutually corresponding packet counters. The same random number value is given to the packet counters as their initial values and the packet counters are updated with packet transmission/reception. The transmission-side device generates a MAC value, draws out part thereof on the basis of a counted value of its own packet counter, sets it as a divided MAC value, generates a packet by adding the value to a message and transmits the packet onto a network. The reception-side device generates a MAC value on the basis of the message in the received packet, draws out part thereof on the basis of a counted value of its own packet counter, compares the part with the divided MAC value in the received packet and thereby performs message authentication.
Type: Grant
Filed: December 10, 2015
Date of Patent: November 27, 2018
Assignee: RENESAS ELECTRONICS CORPORATION
Inventor: Daisuke Oshida
-
Patent number: 10142303
Abstract: In an aspect, a method for protecting software includes obtaining a payload including at least one of instructions or data, establishing a realm in a memory device, encrypting the payload based on an ephemeral encryption key (EEK) associated with the realm, and storing the encrypted payload in the realm of the memory device. In another aspect, a method for protecting software includes receiving a memory transaction associated with the memory device, the memory transaction including at least a realm identifier (RID) and a realm indicator bit, obtaining the EEK associated with the RID when the RID indicates the realm and when the realm indicator bit is enabled, decrypting an instruction and/or data retrieved from the realm based on the EEK when the memory transaction is a read transaction, and encrypting second data for storage in the realm based on the EEK when the memory transaction is a write transaction.
Type: Grant
Filed: February 25, 2016
Date of Patent: November 27, 2018
Assignee: QUALCOMM Incorporated
Inventors: Roberto Avanzi, David Hartley, Rosario Cammarota
-
Patent number: 10140077
Abstract: An image processing apparatus performs: in a case where an operating mode is a second mode when identification information receiving process is executed, determining whether a first memory stores first identification information corresponding to second identification information; in response to determining that the first memory stores the first identification information, determining whether a second memory stores third identification information corresponding to the second identification information; in response to determining that the second memory stores the third identification information, determining whether a first screen is displayed; in response to determining that the first screen is displayed, executing a first logout process of switching the operating mode from the second mode to the first mode and deleting the third identification information stored in the second memory; in response to determining that the first screen is not displayed, maintaining the operating mode in the second mode without ex
Type: Grant
Filed: September 21, 2017
Date of Patent: November 27, 2018
Assignee: Brother Kogyo Kabushiki Kaisha
Inventor: Masahide Takeuchi
-
Patent number: 10140472
Abstract: A multi-level privacy evaluation technology is described for increasing the performance of applications or services that experience high volumes of queries for data with privacy attributes. The multi-level privacy evaluation technology evaluates data using a subset of privacy policy rules and privacy information determined for the data at a backend server and thereby reduces the volume of data that need to be filtered at a frontend server. The multi-level privacy evaluation technology first applies an initial privacy check on a large data set at the backend to authoritatively filter out any data that a viewing user is not permitted to view or access and return as results a smaller data set that the viewing user may be permitted to view or access. A full privacy check is then performed at the frontend on the smaller data set, resulting in reduction in the overall cost of performing privacy checks and reducing latency in displaying data to the viewing user.
Type: Grant
Filed: August 26, 2016
Date of Patent: November 27, 2018
Assignee: Facebook, Inc.
Inventors: Bhupinder Singh Sethi, Shiyu Zhao, Yang Xia
-
Patent number: 10132295
Abstract: The present disclosure is directed to a digital system for managing a wind farm having a plurality of wind turbines electrically coupled to a power grid. The system includes a farm-based first communication network having one or more individual wind turbine control systems communicatively coupled to the one or more wind turbines and an overall wind farm control system. The system also includes a cloud-based second communication network communicatively coupled to the first communication network via an industrial gateway. The second communication network includes a digital infrastructure having a plurality of digital models of the one or more wind turbines, wherein the plurality of digital models of the one or more wind turbines are continuously updated during operation of the wind farm via data supplied by the farm-based first communication network.
Type: Grant
Filed: March 21, 2016
Date of Patent: November 20, 2018
Assignee: GENERAL ELECTRIC COMPANY
Inventors: Arnold M. Lund, Karl Mochel, Jeng-Weei Lin, Raimundo Onetto, Jayanthi Srinivasan, Peter Gregg, Jeffrey Eric Bergman, Kenneth D. Hartling, Anwar Ahmed, Sham Chotai
-
Patent number: 10135809
Abstract: The present invention relates to a method, system and apparatus for authentication using an application. Particularly, this invention can use an integrated ID by acquiring a reliable relationship between applications installed in a single terminal, or can perform the authentication of other applications by sharing authentication information through a representative application among applications. According to this invention, the account registration is performed by referring to the representative application, and thus the SSO authentication scheme may be implemented even in a mobile environment.
Type: Grant
Filed: September 8, 2015
Date of Patent: November 20, 2018
Assignee: SK PLANET CO., LTD.
Inventors: Kyungwan Ko, Jaeyoung Ju, Bongsu Um
-
Patent number: 10135623
Abstract: The present invention discloses a method and a system for checking revocation status of digital certificates in a virtualization environment.
Type: Grant
Filed: July 15, 2015
Date of Patent: November 20, 2018
Assignee: Institute of Information Engineering, Data Assurance & Communication Security Center, Chinese Academy of Sciences
Inventors: Jingqiang Lin, Bingyu Li, Zhan Wang, Jiwu Jing, Congwu Li, Luning Xia, Qiongqiao Wang
-
Patent number: 10129217
Abstract: A first information handling system receives a security challenge and forwards it to a second information handling system. The second information handling system retrieves a private key from a public/private encryption key pair and satisfies the challenge with the private key. The second information handling system forwards the satisfied challenge without divulging the private key. The second information handling system is in a more secure environment than the first information handling system. The challenge may be satisfied by signing the challenge with the private key. Satisfying the challenge may be a step in creating a secure shell connection between the first information handling system and an organization maintaining the first information handling system and the second information handling system.
Type: Grant
Filed: October 26, 2015
Date of Patent: November 13, 2018
Assignee: DELL SOFTWARE, INC.
Inventors: Carolyn Duby, Mark B. King, Aric LeDell, Elchanan Oren, Michael Vincent
-
Patent number: 10129276
Abstract: Methods and apparatus are provided for identifying suspicious domains using common user clustering. An exemplary method comprises obtaining network event data comprising a plurality of network connections; identifying users and domains associated with the network connections in the network event data; creating a connection between each user/domain pair that communicate with one another in the identified users and the identified domains to generate a graph; connecting domains in the graph using inter-domain edges that share common users to obtain a graph of interconnected domains; identifying bi-connected components in the graph of interconnected domains, wherein the bi-connected components comprise node pairs having at least two paths in the graph of interconnected domains between them; and processing the bi-connected components to identify a plurality of suspicious domains that are likely to participate in a computer security attack.
Type: Grant
Filed: March 29, 2016
Date of Patent: November 13, 2018
Assignee: EMC IP Holding Company LLC
Inventors: Kineret Raviv, Carmit Sahar, Eyal Kolman, Shay Amram, Alon Kaufman
-
Patent number: 10127399
Abstract: Systems and methods for securing objects in a computing environment. Objects are encrypted using keys that are also encrypted after encrypting the objects. In order to access the objects, a master key that is unknown to the service storing the objects and/or managing the keys is used to decrypt the keys so that the objects can be decrypted with the decrypted key. Thus, a key is needed to access the key needed to access the object. The master key is typically maintained separately from all of the encrypted objects and corresponding encrypted keys.
Type: Grant
Filed: December 29, 2015
Date of Patent: November 13, 2018
Assignee: EMC IP HOLDING COMPANY LLC
Inventor: Ray David Whitmer
-
Patent number: 10127562
Abstract: Any of various comparisons of computer folders from different points in time is performed. Such comparisons provide the ability to discover missing documents or documents with modification dates that have changed when there would otherwise have been no need to change them and thus allows discovery of missing documents to discover fraud or to search for evidence after a fraud is suspected. In another embodiment, deltas in accounting system vendor invoice accounts are compared at different points in time, potentially exposing the practice of moving fraudulent vendor transactions into a large group of legitimate transactions for a legitimate vendor. Per period transaction totals for specific periods for legitimate vendors are compared over historical time for suspicious activity. A comparison of reports from the two different periods, using exact data and software from those separate periods (instead of reporting from “current” data), may raise a red flag otherwise missed.
Type: Grant
Filed: July 29, 2014
Date of Patent: November 13, 2018
Assignee: NBRELLA, INC.
Inventors: Michael Price, Scott DeGraffenreid, Joseph Dito, Taylor Price
-
Patent number: 10129239
Abstract: The present disclosure is directed towards systems and methods for scanning of a target range of IP addresses to verify security certificates associated with the target range of IP addresses. Network traffic may be monitored between a plurality of clients and a plurality of servers over an IP address space. Traffic monitors positioned intermediary to the plurality of clients and the plurality of servers can identify a target range of IP addresses in the address space for targeted scanning. The target range of IP addresses may be grouped into a priority queue and a scan can be performed of the target range of IP addresses to verify a security certificate associated with each IP address in the target range of IP addresses. In some embodiments, a rogue security certificate is detected that is associated with at least one IP address in the target range of IP addresses.
Type: Grant
Filed: May 6, 2016
Date of Patent: November 13, 2018
Assignee: Citrix Systems, Inc.
Inventors: Kenneth Bell, Anoop Reddy
-
Patent number: 10122701
Abstract: Cross-domain single login is disclosed. In an example system, a first application server hosts a first application that has a first user-visible page. The first application server is configured to serve the first user-visible page on a user device. The first application server is also configured to request a first hidden page. An authentication server is configured to receive a first hidden authentication request from the user device, to obtain a first authentication result, and send a first message to the user device. The first message may include the first authentication result obtained by the authentication server based on the first hidden authentication request. The user device is configured to send a second message to the first user-visible page based on the first message.
Type: Grant
Filed: November 24, 2015
Date of Patent: November 6, 2018
Assignee: Red Hat, Inc.
Inventor: Patrick Uiterwijk
-
Patent number: 10116648
Abstract: There are disclosed herein techniques for use in authentication. In one embodiment, the techniques include a method comprising several steps. The method comprises receiving a request to access an application. The method also comprises determining a level of sensitivity associated with the application. The method further comprises selecting an authentication method based on the level of sensitivity. The method still further comprises utilizing the authentication method during an authentication operation to determine whether to grant access to the application.
Type: Grant
Filed: June 19, 2015
Date of Patent: October 30, 2018
Assignee: EMC IP Holding Company LLC
Inventor: Nagendra Gudibande Srikanta Sharma
-
Patent number: 10110566
Abstract: The present invention provides methods for executing a private computer program on untrusted computers. The present invention also provides for products produced by the methods of the present invention and for apparatuses used to perform the methods of the present invention.
Type: Grant
Filed: July 21, 2015
Date of Patent: October 23, 2018
Assignee: Baffle, Inc.
Inventors: Ashmeet Sidana, Priyadarshan Kolte, Calvin Lin
-
Patent number: 10110634
Abstract: Systems and methods for monitoring user authenticity during user activities in a user session on an application server are provided. The method is carried out in a distributed manner by a distributed server system. The method comprises a user-modeling process and a user-verification process. The user-modeling process is performed on a user-model server in which a user model is adapted session-by-session to user activity data received from the application server. The user-verification process is performed on the application server on the basis of the user model adapted on the user-model server. The user-verification process comprises comparing the user model with features extracted from user activity in the user session on the application server and determining a total risk-score value based on the comparison. If the total risk-score value is greater than a given threshold, a corrective action is performed.
Type: Grant
Filed: February 4, 2016
Date of Patent: October 23, 2018
Assignee: AMADEUS S.A.S.
Inventors: Virginie Amar, Jeremie Barlet, Romain Peicle, Olivier Thonnard, Jihane Zouaoui
-
Patent number: 10110598
Abstract: In general, aspects of the disclosure are directed towards techniques for initiating an authorization flow with a user to enable a user interface-limited client computing device to obtain access to protected resources hosted by a resource service. In some aspects, a computing device comprises at least one processor. The computing device also comprises a short-range wireless communication module operable by the at least one processor to receive, using short-range wireless communication, an authentication request from a client device. The computing device also comprises an authorization module operable by the at least one processor to receive authorization to provide at least one security credential to the client device, wherein the authorization module is further configured to, responsive to receiving the authorization, send an indication of the authorization to an authentication service.
Type: Grant
Filed: November 20, 2017
Date of Patent: October 23, 2018
Assignee: Google LLC
Inventors: Alain Vongsouvanh, Claudio Cherubino
-
Patent number: 10103886
Abstract: In a general aspect, shared secrets for lattice-based cryptographic protocols are generated. In some aspects, a public parameter (a) is obtained, where the public parameter is an array defined for a lattice-based cryptography system. A first secret value (s) and a second secret value (b) are obtained. The first secret value is a second array defined for the lattice-based cryptography system, and is generated based on sampling an error distribution. The second secret value is a third array defined for the lattice-based cryptography system, and is a product of the first and second arrays (b?as). A public key (b̂) is then generated by applying a compression function to the second secret value (b), and the public key is sent to an entity. A shared secret (?) is then generated based on information received from the entity in response to the public key.
Type: Grant
Filed: May 19, 2017
Date of Patent: October 16, 2018
Assignee: ISARA Corporation
Inventors: Gustav Michael Gutoski, Marinus Struik
-
Patent number: 10097536
Abstract: A network security system that employs space-time separated and jointly-evolving relationships to provide fast network access control, efficient real-time forensics capabilities, and enhanced protection for at-rest data in the event of a network breach. The network security system allows, in part, functionality by which the system accepts a request by a user to access the data stored in the database, identifies a sequence of security agents to participate in authenticating and protecting the access of the data by the user, generates a sequence of pseudorandom IDs and space-time varying credentials, checks at each one of the security agents a corresponding one of the credentials, determines that the user is permitted to access the data using access control logs if all the security agents accept the corresponding credentials, and varies the credentials based on a space-time relationship.
Type: Grant
Filed: December 7, 2015
Date of Patent: October 9, 2018
Assignee: AUBURN UNIVERSITY
Inventors: Chwan-Hwa Wu, J. David Irwin, David Charles Last, Myers Hawkins, Hao Sun
-
Patent number: 10097562
Abstract: A system includes reception, at a server and in a first browser session, of a request from a client for a token to access a first software service, determination of a token stored in a server memory of the server and associated with the first service and the client, determination, at the server, of whether a validity period of the token is within a predetermined period of expiration, and, if it is determined that the validity period of the token is within a predetermined period of expiration, transmission of a request for a new token to access the first software service from a token provider associated with the first service, reception of the new token from the token provider, and provision of the new token to the client in the first browser session.
Type: Grant
Filed: May 6, 2016
Date of Patent: October 9, 2018
Assignee: SAP SE
Inventors: Apoorv Bhargava, Aswin Kumar Jayaraman, Raghavendra Rao M G, Naveed Mohammed, Markus Schmidt-Karaca
-
Patent number: 10091171
Abstract: A technique is provided for a transmitting optical network element with an encrypting entity. The transmitting optical network element has an interface for receiving key information from a key management entity, storage means for storing a public key received by the key management entity, and a key generation entity configured for generating a symmetric encryption key. The transmitting optical network element is adapted to encrypt a received payload to be transmitted to a receiving optical network element using the generated symmetric encryption key, encrypt the generated symmetric encryption key using the public key of the receiving optical network element, and transmit the encrypted payload and the encrypted symmetric encryption key via an optical network to the receiving optical network element.
Type: Grant
Filed: July 15, 2014
Date of Patent: October 2, 2018
Assignee: Alcatel Lucent
Inventor: Jurgen Lohr