Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
-
Patent number: 11405202
Abstract: A key processing method includes receiving, in a trusted execution environment, an initial key from a file encryption system in a normal execution environment, decrypting, in the trusted execution environment, the initial key to obtain a file key, storing, in the trusted execution environment, the file key in a key register of a storage controller, where the file encryption system in the normal execution environment is forbidden to access the key register, obtaining, in the trusted execution environment, a key index of the file key in the key register, where the key index indicates a storage location of the file key in the key register, and sending, in the trusted execution environment, the key index to the file encryption system.
Type: Grant
Filed: December 7, 2020
Date of Patent: August 2, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Shilin Pan
-
Patent number: 11405396
Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that securely track, manage, and provision elements of interaction data within a computing environment in accordance with encrypted permissioning data recorded onto a permissioned distributed ledger. For example, an apparatus may obtain query data that includes an identifier of a computing system and a query term, and access one or more ledger blocks of a permissioned distributed ledger that include encrypted permissioning data and interaction data. The apparatus may decrypt the encrypted permissioning data using a master cryptographic key of a centralized authority.
Type: Grant
Filed: October 7, 2019
Date of Patent: August 2, 2022
Assignee: The Toronto-Dominion Bank
Inventors: John Michael Collinson, Christopher William Cooney, Russell Voutour, Marie-Julie Demers, Arun Victor Jagga
-
Patent number: 11403406
Abstract: A method for computer-aided testing and confirmation of at least one system state of a first system by a confirmation device, is provided. After the testing of a first item of integrity information, which is provided by the first system, the confirmation device provides a second, combined item of integrity information and confirms the same cryptographically. The second item of integrity information includes at least part of the first item of integrity information and can be transmitted to a second system, in order to confirm the integrity of the first system to the latter. A confirmation device, to a first system, to a second system and to a computer program product in order to carry out the steps of the method is also provided.
Type: Grant
Filed: October 26, 2018
Date of Patent: August 2, 2022
Assignee: SIEMENS AKTIENGESELLSCHAFT
Inventor: Rainer Falk
-
Patent number: 11405194
Abstract: A method for associating at least one tamper-proof seal with an anti-counterfeiting system, allowing that system to verify the provenance of an associated item, and said system itself is provided for. By generating a series of serial numbers, hashes, verification codes, fixing said serial number and verification code to a tamper proof seal, and providing a means for a user to check those codes against a corresponding computerized database, a system and method for allowing an end-user to check the provenance of a real-world good is disclosed.
Type: Grant
Filed: September 24, 2019
Date of Patent: August 2, 2022
Inventors: Vicken Jabourian, Shant Jabourian
-
Patent number: 11394709
Abstract: An authentication device management device includes a generating unit, a registration unit, a transmission unit, and a responding unit. The generating unit generates a pair of a first key to attach a signature with respect to an authentication result obtained by an authentication device that performs personal authentication of a user, and a second key to verify the signature attached to the first key. The registration unit registers, in association with each other, the key identifier that identifies the generated key pair and user identification information. The transmission unit transmits the first key generated by the generating unit to the authentication device used by the user. When the responding unit accepts a transmission request for the second key related to the authentication device in which the first key transmitted by the transmission unit has been set, the responding unit responds by instructing the authentication server to transmit the second key.
Type: Grant
Filed: January 31, 2019
Date of Patent: July 19, 2022
Assignee: Yahoo Japan Corporation
Inventors: Hidehito Gomi, Shuuji Yamaguchi, Wataru Ogami
-
Patent number: 11394713
Abstract: Delegating use of a DID from a first DID owner to a second DID owner. An indication is received that a first DID owner desires to delegate use of a DID owned by the first DID owner to a second DID owner. This may allow the second DID owner to act on behalf of the first DID owner in interactions with third-party entities. A signed claim is generated that specifies that the first DID owner has delegated use of the DID to the second DID owner. The signed claim identifies the DID owned by the first DID owner and defines a scope of permission for the second DID owner when the second DID owner uses the delegated DID on behalf of the first DID owner. The signed claim may then be provided to the second DID owner.
Type: Grant
Filed: August 21, 2019
Date of Patent: July 19, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventors: Brandon Murdoch, Ankur Patel
-
Patent number: 11394543
Abstract: A method for managing sensitive data, including: receiving an encryption key from a third party recovery agent; at a user agent executing on a user device, encrypting the sensitive data with the encryption key; and storing the encrypted sensitive data at a third party storage provider system. The method can optionally include, at the user agent: requesting the encryption key from the third party recovery agent using a set of recovery agent authentication credentials; requesting the encrypted sensitive data from the third party storage provider system using a set of storage provider authentication credentials; and decrypting the encrypted sensitive data using the encryption key.
Type: Grant
Filed: June 25, 2019
Date of Patent: July 19, 2022
Assignee: Coinbase, Inc.
Inventors: Paul Collier, Alexander Kern, Peter Jihoon Kim, Sahil Amoli, Rohith Varanasi, Andrew Gold
-
Patent number: 11387999
Abstract: Exemplary implementations may: at one of the user devices, generate a master key; at one of the user devices, generate a basic key; at one of the user devices, generate a basic recovery key; at one of the user devices, perform a Shamir-type operation for obtaining n parts where m or more parts are necessary to recover (or compute a copy of) the master key; at one of the user devices, encrypt, using the basic key, the basic portion of a database for the user, the database being remote from the user devices; and at one of the user devices, encrypt, using the basic recovery key, the master key for storage into the recovery portion of the database, the database being remote from the user devices and the basic portion of the database being uncompromised by recovery of the basic recovery key.
Type: Grant
Filed: October 1, 2018
Date of Patent: July 12, 2022
Assignee: WORKJAM INC.
Inventors: Florencia Herra-Vega, Vincent Drouin
-
Patent number: 11386393
Abstract: Project asset and preference sharing techniques are described. In one or more embodiments, a request is received to assign a project asset or preference to a member of a team. The received request includes an identifier of a project for which the project asset or preference will be assigned. To assign the asset or preference specified in the request, a list of teams to which the member belongs is ascertained. The assets and preferences associated with each of the teams are then checked for the identifier to identify the project assets and preferences associated with the project. Once the project assets and preferences associated with the project are identified, a response is generated for communication to the member. The response is configured to include indications of the identified project assets and preferences that enable the member to access the identified project assets and preferences via the application, such that the member is also given access to the assigned project asset or preference.
Type: Grant
Filed: January 17, 2019
Date of Patent: July 12, 2022
Assignee: Adobe Inc.
Inventors: Sanjeev Kumar Biswas, Dhiraj Sadhwani, Arijit Chatterjee
-
Patent number: 11381550
Abstract: Disclosed are various embodiments for account management using a portable data store. In one embodiment, an authentication client is stored in a portable data store. In response to receiving a master security credential from the user, the authentication client decrypts encrypted account data stored in the portable data store. The authentication client detects that a network site is being accessed. The authentication client automatically provides a corresponding security credential to the network site.
Type: Grant
Filed: November 15, 2019
Date of Patent: July 5, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Daniel W. Hitchcock, Brad Lee Campbell
-
Patent number: 11373176
Abstract: A computer-implemented method includes receiving, by a federated identity computing system, identity information from a customer; receiving, by the computing system, preferences for the identity information from the customer, wherein the preferences govern distribution of the identity information to requesting parties; generating, by the computing system, a key specific to the customer; and provisioning, by the computing system, the key to an identification chip associated with the customer. The computer-implemented method further includes receiving, by the computing system, the key and a request for one or more pieces of the identity information from a requesting party and providing, by the computing system, the requested one or more pieces of identity information to the requesting party based on the key and the preferences.
Type: Grant
Filed: February 22, 2018
Date of Patent: June 28, 2022
Assignee: Wells Fargo Bank, N.A.
Inventors: Jana L. Chilton, Angira Goswami, Muhammad Farukh Munir, Traci Nguyen, Priyamvada Singh, Darrell L. Suen, Kenneth L. Wright
-
Patent number: 11374754
Abstract: A trust token may be created including authentication data for a user and his or her associated communication device. The trust token may be transmitted by the communication device to one or more recipients, such as a token server. The recipients may interpret the trust token and verify it against data written to one or more nodes of a blockchain when the user and the communication device registered for the trust token. Once the trust token is verified, the token server may be configured to generate, maintain, and provision account tokens representing sensitive data. The token server may push one or multiple account tokens to the communication device, thereby allowing the communication device to perform transactions with the account tokens. In other words, the implementation of a trust token may allow the communication device to be provisioned with multiple account tokens, without requiring multiple logins or transmissions of sensitive data.
Type: Grant
Filed: September 7, 2017
Date of Patent: June 28, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Quan Wang, Weiyi Zhou
-
Patent number: 11373202
Abstract: A method for preventing account referral fraud includes: receiving a referral request, the request including a referring account identifier; transmitting a digital signature corresponding to the referral request to a processing server; verifying, by the processing server, the digital signature using a public key; identifying a plurality of blockchain data values included in a blockchain using the public key, wherein each data value is related to a blockchain transaction involving a blockchain wallet associated with the public key; generating an authenticity score for the blockchain wallet based on data included in the plurality of blockchain data values; receiving, by the referral server, the authenticity score from the processing server; and processing the referral request based on the authenticity score, wherein processing the referral request includes one of: declining the referral and awarding a referral reward.
Type: Grant
Filed: July 16, 2018
Date of Patent: June 28, 2022
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Ankur Arora, Rakesh Patel, Ankur Dua, Aditya Koduri
-
Patent number: 11363028
Abstract: A method for managing access privileges is disclosed. The method includes: obtaining, based on employee data received from a first client server having access to a human resources database of an organization, a first indication identifying a change in a first employee structure of the organization, the first employee structure indicating an employee status associated with each of one or more of the employees; retrieving permissions data defining access privileges associated with one or more employee statuses within the first employee structure for accessing a protected resource; and updating a user permissions database associated with the protected resource to indicate a change in access privileges for at least one employee of the organization based on the first indication and the permissions data, the user permissions database indicating access privileges for employees of the organization that are authorized to access the protected resource.
Type: Grant
Filed: September 27, 2018
Date of Patent: June 14, 2022
Assignee: The Toronto-Dominion Bank
Inventors: Avinash Malliah, Mervin Gan, Haitian Yan
-
Patent number: 11349827
Abstract: An anonymous attestation cryptographic protocol is provided for enabling a target (device 4) to attest to a predetermined property of the device without needing to reveal its identity to a verifier (8). When obtaining a credential from an issuer (6) to attest to the predetermined property, the credential is validated by an intermediary device (2) which is a separate consumer electronics device to the target device (4) itself. This allows the relatively processor-intensive calculations required for validating the credential to be performed on a separate device (2) from the device (4) for which the attestation has been made, allowing anonymous attestation protocols to be used for lower powered target devices such as sensors in the internet of things.
Type: Grant
Filed: January 12, 2018
Date of Patent: May 31, 2022
Assignee: TRUSTONIC LIMITED
Inventor: Alec Milne Edgington
-
Patent number: 11348387
Abstract: A smart management device identification method includes: sending, by a smart management device, an activation request to a smart lock device, wherein the activation request is used to verify validity of the smart management device; in response to information indicating that the smart management device is valid, receiving, by the smart management device, an access control key from the smart lock device, wherein the access control key is generated according to a master key of the smart lock device and an identifier of the smart management device; and requesting, by the smart management device, the smart lock device to perform a state switching operation using the access control key.
Type: Grant
Filed: June 23, 2020
Date of Patent: May 31, 2022
Assignees: BEIJING XIAOMI MOBILE SOFTWARE CO., LTD., YUNDING NETWORK TECHNOLOGY (BEIJING) CO., LTD.
Inventors: Binghui Peng, Ming Li
-
Patent number: 11343243
Abstract: A system for providing dynamic, multi-factor authentication for machine-to-machine connections using unique authentication streams of chained, cryptographic blocks or codes by generating and managing a root authentication stream of chained cryptographic blocks representing an enterprise. The root authentication stream may be utilized by deployed machine instances to instantiate the unique authentication streams for each of the deployed machine instances, thereby enabling secure and continuous authentication for the machine-to-machine connections.
Type: Grant
Filed: October 15, 2019
Date of Patent: May 24, 2022
Assignee: CORSHA, INC.
Inventors: Anusha Iyer, Christopher Simkins
-
Patent number: 11343082
Abstract: The technology disclosed herein enables resource sharing for trusted execution environments.
Type: Grant
Filed: September 28, 2020
Date of Patent: May 24, 2022
Assignee: Red Hat, Inc.
Inventors: Michael Tsirkin, Michael Hingston McLaughlin Bursell
-
Patent number: 11343080
Abstract: A system and method for insuring privacy, access control, and authentication for electronic user data submitted to social media platforms, email systems, web sites, and other electronics and software based communication and storage systems is provided. Control over user data is provided such that the user can determine which other users may have access to the data, and only such permitted users will be able to access the data. All other parties, including the operators of the system platform in use, will not be able to view the submitted data. Authentication is provided such that the viewer of the data is ensured that the author of the data is in fact the author indicated in the data, and that the data has not been modified since it was submitted. Data privacy, access control, and authentication is provided in a seamless and convenient manner for both the author and recipients of the data.
Type: Grant
Filed: November 13, 2020
Date of Patent: May 24, 2022
Inventor: Norman J Bagley
-
Patent number: 11329992
Abstract: Techniques are provided for security measures for extended sessions. Request data for a request is received from a client computing device to a web server system. The request comprises a session identifier (ID) for a session between an authenticated user and the web server system. It is determined, based on the request data, that the client computing device is a single-user device. It is determined, based on the request data, that the client computing device is not compromised. In response to determining that the client computing device is a single-user device and that the client computing device is not compromised, extension of the session between the authenticated user on the client computing device and the web server system is caused.
Type: Grant
Filed: October 16, 2019
Date of Patent: May 10, 2022
Assignee: F5, Inc.
Inventors: Mengmeng Chen, Sumit Agarwal, Yao Zhou
-
Patent number: 11330000
Abstract: A transparent proxy for malware detection includes a monitor module, a protocol determination module, a challenge generation module, a response determination module, and a data control module. The monitor module examines data originating from an application towards a remote server. The protocol determination module identifies the protocol type used for the data. The challenge generation module produces a challenge for the application based upon the protocol type, sends the challenge to the application, and maintains a state related to the data and the challenge. The response determination module makes a determination if an automatic non-interactive application response is received in response to the challenge from the application. The data control module allows the first data to continue to the remote server when the determination is valid. The data control module reports malware detection and blocks the data to continue to the remote server when the determination is invalid.
Type: Grant
Filed: March 7, 2019
Date of Patent: May 10, 2022
Assignee: George Mason Research Foundation, Inc.
Inventors: Angelos Stavrou, Sushil Jajodia, Anup K. Ghosh, Rhandi Martin, Charalampos Andrianakis
-
Patent number: 11329983
Abstract: The present disclosure includes apparatuses, methods, and systems for validating an electronic control unit of a vehicle. An embodiment includes a memory, and circuitry configured to generate a run-time cryptographic hash based on an identification (ID) number of an electronic control unit of a vehicle and compare the run-time cryptographic hash with a cryptographic hash stored in a portion of the memory.
Type: Grant
Filed: March 25, 2019
Date of Patent: May 10, 2022
Assignee: Micron Technology, Inc.
Inventors: Antonino Mondello, Alberto Troia
-
Patent number: 11323426
Abstract: Transparently identifying users using a shared VPN tunnel uses an innovative method to detect a user of a shared VPN tunnel, after authenticating the user, using an assigned userid (that may be a virtual IP). The virtual IP is used as a cookie in each request made by the user. This cookie is an authentication token used by the gateway to detect the user behind a specific request for an Internet resource (such as an http/s request). The cookie is stripped by the gateway so the cookie is not sent to the resource.
Type: Grant
Filed: October 19, 2017
Date of Patent: May 3, 2022
Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
Inventors: Amnon Perlmutter, Lior Drihem, Yair Ziv, Jeremy Sinai, Tsemach Mizrachi
-
Patent number: 11323440
Abstract: A secure access method performed by an authentication server includes receiving a first message from a non-3GPP access device. The method also includes performing fast re-authentication with the terminal when determining that fast re-authentication is allowed. The method further includes sending a second message to a home subscriber server. The second message carries a registration type identifier, an identifier of the terminal, and an address of the authentication server. The registration type identifier is used to indicate that current secure access of the terminal is secure access using a fast re-authentication procedure. The method additionally includes receiving a registration success indication from the home subscriber server. The method also includes sending an access success indication to the terminal based on the registration success indication.
Type: Grant
Filed: February 14, 2020
Date of Patent: May 3, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventor: Hua Li
-
Patent number: 11316674
Abstract: An aggregate median is efficiently obtained while confidentiality is kept. An order computing part generates ascending order a and descending order d within a group when a table which has been stably sorted based on a desired value attribute and a key attribute is grouped based on the key attribute. A subtracting part generates shares {a-d}, {d-a} of a-d, d-a. A bit deleting part generates shares {a?}, {d?} of a?, d? obtained by excluding least significant bits from {a-d}, {d-a}. An equality determining part generates shares {a?}, {d?} of {a?}:={|a?=0|}, {d?}:={|d?=0|}. A format converting part (15) converts {a?}, {d?} into [a?], [d?]. A flag applying part generates shares [va], [vd] of [va]:=[v1a?], [vd]:=[v1d?]. A permutation generating part generates shares {{?a}}, {{?d}} of permutations ?a, ?d which sort ¬a?, ¬d?. A median computing part generates a share [x] of a vector x.
Type: Grant
Filed: April 22, 2019
Date of Patent: April 26, 2022
Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
Inventors: Dai Ikarashi, Koki Hamada
-
Patent number: 11316666
Abstract: A method, system, and non-transitory computer readable medium are described for providing a sender a plurality of ephemeral keys such that a sender and receiver can exchange encrypted communications. Accordingly, a sender may retrieve information, such as a public key and a key identifier, for the first receiver from a local storage. The retrieved information may be used to generate a key-encrypting key that is used to generate a random communication encryption key. The random communication encryption key is used to encrypt a communication, while the key-encrypting key encrypts the random communication key. The encrypted communication and the encrypted random communication key are transmitted to the first receiver.
Type: Grant
Filed: July 12, 2017
Date of Patent: April 26, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
-
Patent number: 11316679
Abstract: A data monitoring system comprising a server communicatively coupled to a client device and a data module via a network. The server is configured to store a private key of a public-private key pair associated with the data module, receive a request from the client device for authenticated access to the data module, and generate an authentication key based at least on the private key and a time. The client device is configured to generate the request for authenticated access to the data module and transmit the request to the server. The data module is configured to store the private key of the public-private key pair associated with the data module, generate the authentication key based at least on the private key and the time, and grant access to the data module if the authentication key generated by the data module and the authentication key generated by the server match.
Type: Grant
Filed: September 18, 2018
Date of Patent: April 26, 2022
Assignee: ABIOMED, INC.
Inventor: Alessandro Simone Agnello
-
Patent number: 11310044
Abstract: Disclosed is system and method for authenticating secured file transactions. Hash of transaction is stored in distributed ledger. Unencrypted intent, encrypted intent of first agent module is generated. Unencrypted consent, encrypted consent of server arrangement is generated. Encrypted consent is communicated to the first agent module along with a location of second agent module. Encrypted consent, the unencrypted intent, the hash and the first agent key are communicated to the second agent module. Encrypted consent is communicated to server arrangement. Encrypted consent is validated by comparing encrypted consent received from second agent module with two newly generated encrypted consents at server arrangement. Two new encrypted intents are generated at second agent module based on validation of encrypted consent. Encrypted intent stored at server arrangement is validated by comparing encrypted intent with two newly generated encrypted intents to authenticate transaction.
Type: Grant
Filed: June 25, 2019
Date of Patent: April 19, 2022
Assignee: Innoplexus AG
Inventor: Abhijit Keskar
-
Patent number: 11296862
Abstract: A method is disclosed. The method comprises receiving, from a communication device, a provisioning request message including a user device identifier and a cryptogram in a first message format, which is received from the user device by the communication device during a message exchange process between the user device and the communication device. The method also includes generating an authorization request message in a second message format, the authorization request message comprising the cryptogram, transmitting the authorization request message to an authorizing computer, and receiving an authorization response message from the authorizing computer. The method also includes providing access data to the communication device.
Type: Grant
Filed: August 29, 2019
Date of Patent: April 5, 2022
Assignee: Visa International Service Association
Inventors: Thomas Bellenger, Barbara Patterson
-
Patent number: 11290278
Abstract: An entertainment system to perform operations to securely pair and communicate with a user device based on multiple security controls. The operations include: Responsive to a request to pair the user device to a network interface, generating an encrypted code that includes network credentials for connecting to the network interface and a time-limited authentication credential that is unique to the user device. Responsive to a request to connect to a server of the entertainment system, generating a connection authorization decision for the user device based on two factor authentication validating (i) a second certificate of the user device, and (ii) the time-limited authentication credential that is unique to the user device. The entertainment system connects the user device to the server for secure communications when the connection authorization decision authorizes the connection based on successful two-factor authentication.
Type: Grant
Filed: January 15, 2019
Date of Patent: March 29, 2022
Assignee: Thales Avionics, Inc.
Inventors: Arnaud Sumien, Olivier Quoit
-
Patent number: 11281804
Abstract: Various embodiments of apparatuses and methods for protecting data integrity in a content distribution network (“CDN”) are described. Code or data in one of the servers or instances of a CDN might sometimes become incorrect or corrupt. One corrupted server or instance can potentially impact a considerable portion of the CDN. To solve these and other problems, various embodiments of a CDN can designate one or more parameters, which are then identified in a request for content to another entity. In these embodiments, the CDN can generate an encoding of the expected values of the designated parameters. The CDN can then compare, in these embodiments, its encoding of the expected values to an encoding of the values received from the other entity in response to the request. The CDN can validate the content of the response, as well as the identity of the other entity, in some embodiments.
Type: Grant
Filed: March 28, 2019
Date of Patent: March 22, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Karthik Uthaman, Ronil Sudhir Mokashi
-
Patent number: 11281752
Abstract: When personally identifiable information (PII) is to be stored or updated, a system first seeks consent from the user for the PII store or update. If the user grants consent, then the system stores the PII in the user's personal device or updates the PII stored in the user's personal device. The system then retrieves that PII and generates a token representing that PII. Even if the token were taken by a malicious user, it would not be possible for the malicious user to determine the user's actual PII from the token. In this manner, the security of the PII is improved over conventional systems.
Type: Grant
Filed: March 3, 2020
Date of Patent: March 22, 2022
Assignee: THE PRUDENTIAL INSURANCE COMPANY OF AMERICA
Inventors: Venkatesh Sarvottamrao Apsingekar, Sahil Vinod Motadoo, Christopher John Schille, James Francis Lavine
-
Patent number: 11276049
Abstract: Systems and methods for mobile application integration are described. These may include receiving a payment request a mobile application, sending a payment application detection request, receiving a detection response, and sending a customized user interface to the mobile device. The customized user interfaces are determined by whether an associated payment application is present on the mobile device and whether the mobile device is authenticated with the payment processing platform. These techniques can allow for a better user experience when interacting with the payment processing platform.
Type: Grant
Filed: December 31, 2019
Date of Patent: March 15, 2022
Assignee: PayPal, Inc.
Inventors: Prasanna Annamalai, Harish Annam, Arun Arumugam, Madar Areef Hussain Shaik
-
Patent number: 11277394
Abstract: Systems, methods, and computer-readable media for managing credentials of multiple users on an electronic device are provided.
Type: Grant
Filed: February 17, 2020
Date of Patent: March 15, 2022
Assignee: Apple Inc.
Inventors: Karthik Narayanan, Navin Bindiganavile Suparna, Scott Lopatin
-
Patent number: 11271947
Abstract: A method for real-time processing of data retrieval requests is disclosed. The method includes: receiving, from a client device, a first login request to log in to a service; authenticating the user for login to the service; in response to authenticating the user, generating a first data string representing at least a unique device identifier for the client device and a validity period; storing the device identifier; sending, to the client device, the first data string; receiving, from the client device, a data retrieval request to retrieve a data set from a remote server, the data retrieval request including the first data string; determining whether the first data string is valid based on checking the validity period; in response to determining that the first data string is valid: obtaining the data set from the remote server; and sending, to the client device, first data based on the obtained data set.
Type: Grant
Filed: July 24, 2019
Date of Patent: March 8, 2022
Assignee: The Toronto-Dominion Bank
Inventors: Denny Devasia Kuruvilla, Md Abdur Razzak Chowdhury, Dani Kartikay, Ryan Wu, Andrey Petrov, Peter Horvath, Prashanth Dappula, Sivashanthan Sivapalan, Nolan Glynn-Udrow, Esli Gjini, Sarah Reeve, Matija Bosnjakovic, Guy Dagmara, Jaspal Singh Samra, Abhiney Natarajan, Haobin Li, Richard Yu
-
Patent number: 11263626
Abstract: A method for generating cryptograms in a webservice environment includes: receiving, in a first environment of a computing system, a credential request transmitted by an external computing device using a secure communication protocol, the credential request including a transaction identifier and account identifier; transmitting, by the first environment, a data request to a second environment of the computing system, the data request including the account identifier; receiving, by the first environment, an account profile and session key from the second environment; transmitting, by the first environment, a cryptogram request to a third environment of the computing system, the cryptogram request including the account profile and session key; receiving, by the first environment, a cryptogram from the third environment generated using the account profile and session key; and transmitting, by the first environment, the cryptogram and transaction identifier to the external computing device via the secure communic
Type: Grant
Filed: March 12, 2019
Date of Patent: March 1, 2022
Assignee: MASTERCARD INTERNATIONAL INCORPORATED
Inventors: Mehdi Collinge, Patrik Smets
-
Patent number: 11258769
Abstract: A device is provisioned and authorized for use on a network. The device may generate a cryptographic key and provide a digital certificate the cryptographic key, a hardware identifier, and attribute information and provide such information to an authorization host as part of the provisioning process. The authorization host may use attribute information to determine whether to authorize the device for use on the network, and whether the generated cryptographic key should be trusted for use on the network.
Type: Grant
Filed: June 24, 2019
Date of Patent: February 22, 2022
Assignee: Amazon Technologies, Inc.
Inventors: Matthew John Campagna, Derek Del Miller, Nachiketh Rao Potlapally, Gregory Branchek Roth
-
Patent number: 11252135
Abstract: The present invention discloses a method of processing data, comprising: sending, a first data to a first image capturing device, by the first computer, through an image output interface of the first computer; sending, the first data to the second computer, by the first image capturing device. The first data comprises a first information and a second information, the second data comprises a third information and a fourth information. The second computer processes the third data or the fourth data by a first method if the third information is consistent with the first information and the fourth information is consistent with the second information; and the second computer processes the third data or the fourth data by a second method if the third information is inconsistent with the first information and the fourth information is inconsistent with the second information.
Type: Grant
Filed: July 29, 2020
Date of Patent: February 15, 2022
Inventor: Xingchang Zhou
-
Patent number: 11251954
Abstract: A broadcast encryption method that allows a broadcaster to send encrypted content to a set of users such that only a subset of authorized users can decrypt the content, and to perform both temporary and permanent revocation of users. Accordingly, during a Setup stage, a Key Service generates a public key and a Master Secret Key (MSK) and sends the Public Parameters PP used to generate the public key to a broadcaster and to all users. The broadcaster uses the Public Parameters PP to create a message M, with which the broadcaster encrypts the content, and further creates a Cipher Text (CT), which is sent to all users. During a Key Gen stage, whenever a user wishes to decrypt the message M for decrypting the content, the user sends a request with his ID1 to the Key Service. The Key Service generates a corresponding secret key SKID1 and the secret key SKID1 is sent to the user ID1 via a secure data channel.
Type: Grant
Filed: May 10, 2018
Date of Patent: February 15, 2022
Assignee: B. G. NEGEV TECHNOLOGIES AND APPLICATIONS LTD., AT BEN-GURION UNIVERSITY
Inventors: Shlomi Dolev, Niv Gilboa, Dan Brownstein
-
Manifold for filtering medical waste being drawn under vacuum into a medical waste collection system
Patent number: 11234787
Abstract: A method of manufacturing a surgical waste collection manifold with a volume collected datum and a rover type to ensure compatibility with a surgical waste collection rover is provided. The surgical waste collection rover including a vacuum pump and a receiver defining an opening. The method includes obtaining a second manifold. The second manifold having a second housing defining a surface, the housing defining a second manifold volume and a second outlet opening in fluid communication with the second manifold volume. The method may further include coupling a second circuit to the surface of the second manifold, the second circuit comprising a second memory device including a third memory bank and a fourth memory bank, the third memory bank including a fifth memory field and the fourth memory bank including a sixth memory field.
Type: Grant
Filed: March 8, 2021
Date of Patent: February 1, 2022
Assignee: Stryker Corporation
Inventors: Andy Staats, Brian MacLachlan, Grant Westphal, Stephen J. Reasoner
-
Patent number: 11240213
Abstract: In a resource distribution method, when different peer nodes communicate with each other, a key pair is used for encryption. A resource is transmitted in a ciphertext form in a peer-to-peer (P2P) network. In particular, each resource may have a corresponding key pair, and different key pairs may be used to encrypt resources of different users.
Type: Grant
Filed: August 7, 2020
Date of Patent: February 1, 2022
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Yishan Sun, Lei Yuan, Jiawei Zhou
-
Patent number: 11240040
Abstract: A method for importing a digitally signed assertion to a temporally sequential listing includes receiving, by an evaluating device, at least a communication including a first digitally signed assertion recorded, assigning, by the evaluating device, a confidence level to the first digitally signed assertion, authenticating, by the evaluating device, the first digitally signed assertion as a function of the confidence level, generating, by the evaluating device, a second digitally signed assertion as a function of the first digitally signed assertion, and entering, by the evaluating device, the second digitally signed assertion in at least an instance of a first temporally sequential listing.
Type: Grant
Filed: January 27, 2020
Date of Patent: February 1, 2022
Assignee: Ares Technologies, Inc.
Inventor: Christian T Wentz
-
Patent number: 11240001
Abstract: An example operation may include one or more of connecting, by a participating node, to a blockchain configured to store user assets, receiving, by the participating node, login data from a user, receiving, by the participating node, an asset transfer request from the user identified by the login data, the asset transfer request including identification data of an asset recipient, confirming, by the participating node, that the user is an owner of the asset based on a previous asset transfer transaction associated with the user, verifying, by the participating node, integrity and validity of the asset based on blockchain records, determining, by the participating node, that the asset recipient is a registered user of the blockchain, in response to the determining, by the participating node, that the asset recipient is the registered user of the blockchain, encrypting, by the participating node, an asset transfer transaction by a public key associated with a private key of an auditor; and providing, by the par
Type: Grant
Filed: November 6, 2018
Date of Patent: February 1, 2022
Assignee: International Business Machines Corporation
Inventors: Kaoutar Elkhiyaoui, Elli Androulaki, Angelo De Caro, Maria Dubovitskaya, Jan L. Camenisch
-
Patent number: 11238168
Abstract: Disclosed embodiments relate to performing secure and flexible searches of encrypted data. Operations may include maintaining a database of a plurality of sets of encrypted data; receiving a transformed search query for the database, the transformed search query having undergone a transformation process at a client including: identifying a plaintext string in a search query at the client, applying the plaintext string to a language dictionary accessible to the client, receiving, based on the language dictionary, one or more plaintext search strings, and encrypting, at the client, the one or more plaintext search strings; and returning a result based on the transformed search query, the result being based on the encrypted one or more plaintext search strings.
Type: Grant
Filed: April 20, 2020
Date of Patent: February 1, 2022
Assignee: CyberArk Software Ltd.
Inventor: Ofer Rivlin
-
Patent number: 11240230
Abstract: Disclosed is an automatic authentication processing method and system using a dividing function.
Type: Grant
Filed: March 2, 2018
Date of Patent: February 1, 2022
Assignee: WAEM CO., LTD.
Inventors: Rae Sung Cho, Dong Hyun Cho
-
Patent number: 11233632
Abstract: In one embodiment, a method for securely distributing secret keys for hardware devices is disclosed. A distributor server transmits to a provider server an order for hardware devices. Each hardware device has a unique identifier and at least one secret key for authentication. The provider server sends a database associated with the distributor, for each of the hardware devices, the unique identifier and an unencrypted version of the at least one secret key. In response to an order received by the distributor from a customer for a portion of the hardware devices, the distributor server provides the database the unique identifiers and an associated customer order identifier, and the distributor server provides a customer server the unique identifiers. In response to the customer logging into the database and providing the order information, the database provides the customer the unencrypted keys for the hardware devices to allow authentication.
Type: Grant
Filed: July 2, 2021
Date of Patent: January 25, 2022
Inventors: Jason Michael Giuliano, Thomas Scott Rancour, II
-
Patent number: 11228609
Abstract: Methods, non-transitory computer readable media, network traffic manager apparatuses, and systems that assist with managing hypertext transfer protocol (HTTP) requests using extended SYN cookie includes establishing a network connection with a client without allocating a plurality of computing resources to the established network connection, in response to a request to establish a connection from a client. Presence of a digital signature in a first data packet comprising a request for a webpage is determined. The digital signature is compared to a plurality of stored signatures to determine when the client is a nefarious computing device when the determination indicates that the received request includes the signature. The established network connection is terminated with the client without allocating the plurality of computing resources when the comparison indicates the client is the nefarious computing device.
Type: Grant
Filed: April 27, 2020
Date of Patent: January 18, 2022
Assignees: F5 NETWORKS, INC., F5 NETWORKS (ISRAEL) LTD.
Inventors: Peter Finkelshtein, Vadim Krishtal
-
Patent number: 11223489
Abstract: Techniques for transparently adding one or more security controls to a challenge-response-based protocol are provided. In one technique, a client device sends a request for a resource to a resource server. The client device receives a challenge as part of a challenge-response handshake and forwards, to a proxy server, the challenge as part of a cryptographic request that includes a key identifier and certain data. In response, the proxy server initiates one or more security controls and sends the key identifier and the certain data to a cryptographic device that generates output based on the certain data. The proxy server receives the output from the cryptographic device. The proxy server determines whether at least one of the security controls resulted in a success. The proxy server sends the output to the client device only in response to determining that at least one of the security controls resulted in a success.
Type: Grant
Filed: April 13, 2021
Date of Patent: January 11, 2022
Assignee: Garantir LLC
Inventor: Kieran Miller
-
Patent number: 11221763
Abstract: A disk lock management method, apparatus, and system are disclosed. The method is performed by a first node, including: sending an obtaining request to a data storage system, where the obtaining request is used to request to obtain a disk lock; receiving a release request, where the release request is used to request the first node to release the disk lock; and sending a release message to the data storage system, where the release message is used to release the disk lock. This method avoids frequent application and releasing operations performed on the disk lock, reduces disk IO resource occupancy caused by application and releasing of the disk lock, and improves overall system performance.
Type: Grant
Filed: April 9, 2019
Date of Patent: January 11, 2022
Assignee: Huawei Technologies Co., Ltd.
Inventors: Jusheng Cheng, Jiufei Xue, Yiwen Jiang, Yibin Wang
-
Patent number: 11223616
Abstract: An onboarding server uses an ultrasound token to securely onboard a new device to an organizational structure. The onboarding server obtains a registration from the new device and provides the new device with an ultrasound token. The onboarding server also obtains a notification from a user device that detected the ultrasound token broadcast from the new device. The onboarding server determines a device identity for the new device and provides cryptographic information to the new device. The cryptographic information enables the new device to connect to an organizational structure with the device identity.
Type: Grant
Filed: August 7, 2019
Date of Patent: January 11, 2022
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Nicolai Grødum, Bjørn Kristian Nordlund, Magnus Aaen Holst