Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
  • Patent number: 10885163
    Abstract: The present disclosure provides a computer-implemented method, computer system and computer program product for user authentication. According to the method, identity information can be received from a user, and a plurality of questions can be presented to the user, the plurality of questions comprising one or more valid questions generated based on a password related to the identity information and one or more invalid questions. Then, an input can be received from the user, and in response to the input corresponding to the one or more valid questions, the user can be authenticated based on the input.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: January 5, 2021
    Assignee: International Business Machines Corporation
    Inventors: He Huang, Shi Peng Li, Jin Hong Fu, Shi Chong Ma
  • Patent number: 10887412
    Abstract: A method is disclosed. The method includes: obtaining, by an authoritative directory router in an information centric network (ICN), a publish message associated with a publisher node and including: an identifier associated with a content item; and a first anchor prefix for a first anchor directory router for the publisher node; determining that a bidirectional code for the identifier falls within an authoritative code range assigned to the authoritative directory router; and updating, in response to the bidirectional code falling within the authoritative code range, a local code repository associated with the authoritative directory router with the first anchor prefix and the identifier.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: January 5, 2021
    Assignee: Gramboo Inc.
    Inventor: Nitish John
  • Patent number: 10885160
    Abstract: A computer-implemented user classification method includes: obtaining, by a target terminal device, an initial user classification model from a server, in which the initial user classification model is provided by the server to multiple terminal devices, the multiple terminal devices including the target terminal device; obtaining first operation data of a registered user of the target terminal device; updating the initial user classification model based on the first operation data, to obtain an updated user classification model that is personalized for the registered user; and classifying, based on the updated user classification model, an identity of a current user of the target terminal device.
    Type: Grant
    Filed: February 26, 2020
    Date of Patent: January 5, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Long Guo
  • Patent number: 10885525
    Abstract: A method and system for employing biometric data includes first and second user computing systems coupled to respective first and second biometric devices for generating biometric data. A first user of the first user computing system uses the first biometric device, thus causing a generation of first biometric data which is then used as a database index to locate and authorize access to a database zone exclusively dedicated to the first user. The first user can further access the database zone on the second user computing system, and authorize access to a portion of data within the database zone to a second user of the second user computing system.
    Type: Grant
    Filed: September 20, 2017
    Date of Patent: January 5, 2021
    Inventor: Faraz Sharafi
  • Patent number: 10885096
    Abstract: A computer system for automating dynamic multi-user communication is configured to receive a first user dataset associated with a first user. The computer system can communicate first user interface elements to a first user. The computer system then receives, from the first user, a user data response based upon the first user interface elements. Upon receiving the user data response, the computer system identifies, using a correlating function, a second user from. The computer system communicates at least a portion of the user data response to the second user. The computer system then receives, from the second user, a first user data response ranking. The computer system updates a first user ranking with the first user data response ranking. The computer system then communicates the first user data response ranking to the first user.
    Type: Grant
    Filed: March 22, 2019
    Date of Patent: January 5, 2021
    Inventor: Jon Matthew Wickizer
  • Patent number: 10880295
    Abstract: The disclosure relates to apparatuses and methods for a computer network comprising hosts accessible by directory users whose user identity information is maintained in a user information directory. The apparatus comprises at least one processor, and at least one memory for storing instructions that, when executed, cause the apparatus to manage information of configurations for attribute based filtering of access requests by the directory users for a plurality of hosts and separately from the user information directory.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: December 29, 2020
    Assignee: SSH Communications Security OYJ
    Inventors: Marko Teiste, Tero Mononen, Tommi Linnakangas, Jussi Pakkanen, Tatu J. Ylönen, Kalle Jääskeläinen, Markku Rossi
  • Patent number: 10873450
    Abstract: The present disclosure relates to deriving cryptographic keys for use in encrypting data based on a plaintext to be encrypted. An example method generally includes receiving, from a querying device, a request for a cryptographic key. The request generally includes data derived from a plaintext value to be encrypted and an indication of a type of the plaintext value to be encrypted. A cryptographic key is generated based, at least in part, on the derived data and the type of the plaintext value to be encrypted. The key deriver transmits the generated cryptographic key to the querying device.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: December 22, 2020
    Assignee: INTUIT INC.
    Inventors: Gleb Keselman, Ernesto Nebel, Jeffery Weber, Noah Kauhane, Vinu Somayaji, Yaron Sheffer
  • Patent number: 10867047
    Abstract: Example implementations relate to custom operating system (OS) images. For example, booting a user device to a custom OS image includes presenting a user interface (UI) for creating a custom OS image for portable use, storing the custom OS image on a database for information technology (IT) management purposes, sending, based on a request, the custom OS image from the database to a secure external device, and authenticating, based on a policy, the custom OS image on the secure external device for use on a user device without an OS image or a hard drive disk (HDD).
    Type: Grant
    Filed: March 11, 2015
    Date of Patent: December 15, 2020
    Assignee: Hewlett-Packard Development Company, L.P.
    Inventors: Syed S Azam, Juan Martinez, Chi So
  • Patent number: 10855802
    Abstract: Computing systems and processes of creating provisional account profiles of users are disclosed herein. In one embodiment, a computing system is configured to detect at least one ingoing or outgoing communication to or from a first globally unique identifier of a first user that has not already linked to an account of said service. In response to said detection, the computing system is configured to create a provisional user profile for the first user linked to the first globally unique identifier and gather public information associated with the first user from one or more third-party sources outside said service. When the first user joins said service, the computing system can be configured to allocate the provisional user profile to an account belonging to the first user linked to the first globally unique identifier.
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: December 1, 2020
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Kevin Bellinger, Paul Elliott, Fernando Garcia Valenzuela, Kjetil Bergstrand
  • Patent number: 10855644
    Abstract: In some embodiments, a method receives one or more address resolution mappings and sends the one or more first address resolution mappings to a manager for verification of the one or more first address resolution mappings. The method receives one or more responses based on the verification of the one or more first address resolution mappings and allows or disallows use of the one or more address resolution mappings based on the one or more responses. A list of verified address resolution mappings is received from the manager based on the verification of the one or more first address resolution mappings. Then, the method receives a second address resolution mapping and verifies the second address resolution mapping using the list of verified address resolution mappings.
    Type: Grant
    Filed: October 23, 2019
    Date of Patent: December 1, 2020
    Assignee: VMWARE, INC.
    Inventors: Shirish Vijayvargiya, Sachin Shinde, Nakul Ogale, Vasantha Kumar Dhanasekar
  • Patent number: 10846663
    Abstract: An apparatus in one embodiment comprises a processing platform having at least one processing device. The processing platform implements a database configured to store bindings between user identity information and respective cryptocurrency addresses for users of an address-based cryptocurrency, and an account-identity service system accessible to at least one cryptocurrency vendor. The account-identity service system is configured to utilize the stored bindings to respond to queries from the cryptocurrency vendor. A given one of the queries from the cryptocurrency vendor identifies a particular one of the users and a corresponding cryptocurrency address for which the particular user has requested to purchase an amount of the address-based cryptocurrency.
    Type: Grant
    Filed: October 28, 2016
    Date of Patent: November 24, 2020
    Assignee: Cornell University
    Inventors: Ari Juels, Faiyam Rahman
  • Patent number: 10846154
    Abstract: Embodiments describe receiving a user input identifying a name associated with the website. A directory server receives a request for application programming interface (API) fingerprint data associated with the name. In response to receiving, from the directory server, a response indicating that no API fingerprint data has been found for the name, a secured connection is initiated via the wireless transceiver from a headless browser of the native application to the remote server. First web page data of the website is received from the remote server via the secured connection and the first web page data parsed to identify first locations of one or more elements of the website. A first application programming interface (API) fingerprint data is generated indicating a mapping between the one or more elements of the website and the native application and the first API fingerprint data is sent to the directory server.
    Type: Grant
    Filed: May 23, 2018
    Date of Patent: November 24, 2020
    Assignee: AppBrilliance, Inc.
    Inventors: Charles Eric Smith, Sergio Gustavo Ayestaran
  • Patent number: 10846389
    Abstract: Embodiments of the disclosure provide a method for enhancing standard authentication systems to include risk-based decisions. Risk-based decisions can be selectively implemented within existing authentication systems to strategically modify and supplement security if an unacceptable risk is detected. Embodiments capture information pertaining to a user and user device. Information is stored to create a profile for the user and user device. A comparison between the stored information and live data can be performed within authentication systems to optimize security. If the results of the comparison demonstrate the presence of an acceptable risk, then the need for subsequent authentication can be reduced or eliminated, which improves a user experience.
    Type: Grant
    Filed: July 19, 2017
    Date of Patent: November 24, 2020
    Assignee: Aetna Inc.
    Inventors: Salil Kumar Jain, Abbie Barbir, Derek Swift
  • Patent number: 10841307
    Abstract: Methods and systems for establishing a chain of relationships are disclosed. An identity verification platform receives a first request for registration comprising an identification of a first user, identification of an entity, and a relationship between the first user and the entity; verifies the identity of the first user and the relationship between the first user and the entity; and verifies that the entity is legitimate. Once a relationship between a first individual, invited by the first user, and the entity is confirmed, the platform creates a custom badge representing the relationship between the first individual and the entity for display on the entity's website. The platform receives an identification of a selection by an end user of the custom badge and, responsive to receiving the identification of the selection, renders, on a domain controlled by the identity verification platform, a verification that the relationship between the first individual and the entity is valid.
    Type: Grant
    Filed: August 7, 2019
    Date of Patent: November 17, 2020
    Assignee: CIVIC TECHNOLOGIES, INC.
    Inventors: Jonathan Smith, Vinodan Lingham, Zachary Bush, Juan Pablo Bedoya
  • Patent number: 10824495
    Abstract: Methods for use in a storage unit of a dispersed storage network (DSN) to securely store cryptographic key information. In various examples, the storage unit receives a slice access request relating to a key slice generated by performing a dispersed storage error encoding function on an encryption key. When the slice access request includes a request to store the key slice, the storage unit encrypts the key slice using a local key and stores the encrypted key slice (e.g., in a key region of a storage vault). When the slice access request includes a request to recover a key slice stored in the storage unit, the encrypted key slice is recovered from memory and decrypted using the local key to produce a decrypted key slice for provision to the requesting entity. For rebuilding operations, the storage unit may instead return a zero information gain (ZIG) representation of the key slice.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: November 3, 2020
    Assignee: PURE STORAGE, INC.
    Inventors: Wesley B. Leggette, Jason K. Resch
  • Patent number: 10803400
    Abstract: A self-adaptive security framework for a device is disclosed. A first security level for a device is set wherein the first security level comprises procedures that authenticate a user and allow the user to access the device. Input from sensors associated with the device may be received at a contextual sensing engine, wherein the input at least includes location data, and wherein at least a portion of the input is related to a physical setting where the device is located. A threat level for the device is determined in the physical setting via the contextual sensing engine based on analyzing the input. The first security level is altered to a second security level to provide an altered threat response for the device based on the threat level wherein the second security level has different procedures to authenticate the user compared to the first security level.
    Type: Grant
    Filed: June 23, 2016
    Date of Patent: October 13, 2020
    Assignee: Intel Corporation
    Inventors: Suraj Sindia, Lital Shiryan, Tamir Damian Munafo, Santosh Ghosh, Balkaran Gill
  • Patent number: 10805320
    Abstract: Encrypted network traffic between a server device and an application program running on a client device is monitored by a network security device in an enterprise computer network. Metadata of the application program is sent to a cloud security system to generate a reputation of the application program. The encrypted network traffic is decrypted and inspected for conformance with security policies when the application program is determined to be a browser application. When the application program is determined to be a non-browser application, the reputation of the application program is determined and the encrypted network traffic is blocked when the application program has a bad reputation. In a bypass mode of operation, the encrypted network traffic is allowed to pass through without inspection when the application program is determined to be a non-browser application.
    Type: Grant
    Filed: June 15, 2018
    Date of Patent: October 13, 2020
    Assignee: Trend Micro Incorporated
    Inventors: Kelong Wang, Jian Sun, Zheng Wang
  • Patent number: 10803082
    Abstract: A data warehouse storing databases for a plurality of users, including service providers hosting data for other users of the data warehouse may implement a data exchange. The data warehouse to verify identity of users and execute instructions with respect to databases of the data warehouse.
    Type: Grant
    Filed: March 27, 2020
    Date of Patent: October 13, 2020
    Assignee: Snowflake Inc.
    Inventors: Pui Kei Johnston Chu, Benoit Dageville, Matthew J. Glickman, Christian Kleinerman, Prasanna Krishnan, Justin Langseth
  • Patent number: 10798072
    Abstract: The present disclosure provides a password management process and system. The updating of the password data in the process and system is performed based, at least in part, on the functional account data and corresponding scheduling data, said scheduling data representing criteria for updating the password of, at least, the particular functional account.
    Type: Grant
    Filed: December 1, 2017
    Date of Patent: October 6, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Siddhesh Pangam, Karabi Ghanta, Tushar Uddhav Gaikar
  • Patent number: 10797887
    Abstract: A computer-implemented method includes: determining assets held by a remitter, the assets to be spent in a remittance transaction between the remitter and one or more payees, in which each asset corresponds to a respective asset identifier, a respective asset amount, and a respective asset commitment value; determining a remitter pseudo public key and a remitter pseudo private key; determining a cover party pseudo public key, in which the cover party pseudo public key is obtained based on asset commitment values of assets held by the cover party; and generating a linkable ring signature for the remittance transaction.
    Type: Grant
    Filed: March 6, 2020
    Date of Patent: October 6, 2020
    Assignee: Alibaba Group Holding Limited
    Inventor: Wenbin Zhang
  • Patent number: 10783231
    Abstract: A computer system supports secondary authentication mechanism for authentication of a user, where the computer system may provide a variety of services including financial, scientific, academic, or governmental services. The computer system utilizes a multiphase distributed trust model in which the user is authenticated based on distributed trust of a set of randomly selected trusted contacts from a large set of trusted contacts initially chosen during an enrollment phase. During the authentication phase, a subset of contacts (affirmers) is selected from the contact list. The computer system then provides additional authentication information to each of the affirmers who subsequently share the information with the user. The user then provides this information from the computer system in order to complete the secondary authentication.
    Type: Grant
    Filed: March 7, 2019
    Date of Patent: September 22, 2020
    Assignee: Bank of America Corporation
    Inventors: Pinak Chakraborty, Nagasubramanya Lakshminarayana, Harigopal K. B. Ponnapalli
  • Patent number: 10776464
    Abstract: A system, apparatus, method, and machine readable medium are described for adaptively implementing an authentication policy. For example, one embodiment of a method comprises: detecting a user of a client attempting to perform a current interaction with a relying party; and responsively identifying a first interaction class for the current interaction based on variables associated with the current interaction and implementing a set of one or more authentication rules associated with the first interaction class.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: September 15, 2020
    Assignee: Nok Nok Labs, Inc.
    Inventor: Brendon Wilson
  • Patent number: 10776493
    Abstract: Secure management of computing code is provided herein. The computing code corresponds to computing programs including firmware and software that are stored in the memory of a computing device. When a processor attempts to read or execute computing code, a security controller measures that code and/or corresponding program, thereby generating a security measurement value. The security controller uses the security measurement value to manage access to the memory. The security measurement value can be analyzed together with integrity values of the computing programs, which are calculated while holding the reset of the processor. The integrity values indicate the validity or identity of the stored computing programs, and provide a reference point with which computing programs being read or executed can be compared. The security controller can manage access to memory based on the security measurement value by hiding or exposing portions of the memory to the processor.
    Type: Grant
    Filed: October 12, 2018
    Date of Patent: September 15, 2020
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Thomas M. Laffey, Ludovic Emmanuel Paul Noel Jacquin, Nigel Edwards
  • Patent number: 10776502
    Abstract: Some embodiments provide a method for providing public keys for encrypting data. The method receives (i) a first request from a first source for a public key associated with a particular user and (ii) a second request from a second source for the public key associated with the particular user. In response to the first request, the method distributes a first public key for the particular user to the first source. In response to the second request, the method distributes a second, different public key for the particular user to the second source. Data encrypted with the first public key and data encrypted with the second public key are decrypted by a device of the particular user with a same private key.
    Type: Grant
    Filed: June 11, 2017
    Date of Patent: September 15, 2020
    Assignee: Apple Inc.
    Inventors: Lei Wei, Yannick L. Sierra, Per Love Hornquist Astrand
  • Patent number: 10771247
    Abstract: Systems and methods are provided for object identifier translation using a key pairs platform in a virtualized or cloud-based computing system. A key pair refers to a pair of identifiers held by an entity. Each key pair includes at least one anonymized object identifier. Advantageously, the key pair system protects privacy and provides anonymity for objects by not disclosing the identity of the objects or the underlying data associated with the objects.
    Type: Grant
    Filed: April 3, 2017
    Date of Patent: September 8, 2020
    Assignee: COMMERCE SIGNALS, INC.
    Inventors: Marc Luce, Rodney C. Cook, Thomas Noyes
  • Patent number: 10771237
    Abstract: Systems and methods of secure analytics using an encrypted analytics matrix are disclosed herein. An example method includes encoding an analytic parameter set using a homomorphic encryption scheme as a homomorphic analytic matrix; transmitting a processing set to a server system, the processing set including at least the homomorphic analytic matrix and a keyed hashing function; and receiving a homomorphic encrypted result from the server system, the server system having utilized the homomorphic encryption scheme and the keyed hashing function to evaluate the homomorphic analytic matrix over a datasource.
    Type: Grant
    Filed: January 19, 2018
    Date of Patent: September 8, 2020
    Assignee: Enveil, Inc.
    Inventors: Ellison Anne Williams, Ryan Carr
  • Patent number: 10771462
    Abstract: A user terminal using cloud service, an integrated security management server for the user terminal, and an integrated security management method for the user terminal. The integrated security management method includes receiving, by an integrated security management server, authentication information from at least one user terminal that uses a cloud service, authenticating, by the integrated security management server, the user terminal using the authentication information, transmitting, by the integrated security management server, task information to the user terminal so as to control the user terminal, receiving, by the integrated security management server, at least one of a result of processing the task information and state information from the user terminal that verifies the task information, and managing, by the integrated security management server, a state of the user terminal based on at least one of the result of processing and the state information.
    Type: Grant
    Filed: May 16, 2018
    Date of Patent: September 8, 2020
    Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
    Inventors: Seunghun Han, Hyun Ku Kim, Wook Shin, Byung-Joon Kim, Hyoung-Chun Kim
  • Patent number: 10771967
    Abstract: A unique pre-shared key plug-in is installed on a Chromebook device. Identification data associated with the Chromebook device is received, from the unique pre-shared key plug-in through a Chromebook client management system API. A unique pre-shared key is assigned to the Chromebook device using the identification data. The unique pre-shared key is sent to the Chromebook device. The Chromebook device is configured to seamlessly authenticate for a wireless network using the unique pre-shared key.
    Type: Grant
    Filed: February 26, 2019
    Date of Patent: September 8, 2020
    Assignee: Extreme Networks, Inc.
    Inventors: John William Hanay, Daniel Estevan O'Rorke, Ravi Mishra, Young Yoon
  • Patent number: 10771545
    Abstract: Some embodiments provide a non-transitory machine-readable medium that stores a program which when executed by at least one processing unit of a device synchronizes a set of keychains stored on the device with a set of other devices. The device and the set of other devices are communicatively coupled to one another through a peer-to-peer (P2P) network. The program receives a modification to a keychain in the set of keychains stored on the device. The program generates an update request for each device in the set of other devices in order to synchronize the set of keychains stored on the device with the set of other devices. The program transmits through the P2P network the set of update requests to the set of other devices over a set of separate, secure communication channels.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: September 8, 2020
    Assignee: Apple Inc.
    Inventors: Mitchell D. Adler, Michael Brouwer, Dallas De Atley
  • Patent number: 10764294
    Abstract: A service request and a credential are sent from a customer environment to a service provider. The service provider maintains information, such as a credential whitelist, that identifies which credentials may be used with each customer environment. The service provider identifies the particular customer environment from which the service request was submitted using the IP address of the requester (or other environment-identifying information), and retrieves information that restricts the use of the credentials. A request may be approved or rejected based on the presence of the associated credential in a whitelist notwithstanding whether the credential otherwise authorizes the service request. In some examples, the system is used to limit data exfiltration from a customer environment.
    Type: Grant
    Filed: March 10, 2016
    Date of Patent: September 1, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Muhammad Wasiq, Nima Sharifi Mehr
  • Patent number: 10762197
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media for program execution and data proof scheme to prove that sub-logic code that was expected to be executed within a TEE was indeed executed, and that the resulting data is trustworthy. In some implementations, each sub-logic code of a plurality of sub-logic code is registered, and stored within the TEE, and a key pair (private key, public key) corresponding to the sub-logic code is generated. The client receives and stores the public key, sends requests to the TEE with an identifier of the sub-logic that is to be executed. The sub-logic code corresponding to the identifier is executed within the TEE, which signs the result using a digital signature that is generated using the private key of the sub-logic code. The client verifies the result based on the digital signature and the public key of the sub-logic code.
    Type: Grant
    Filed: September 30, 2019
    Date of Patent: September 1, 2020
    Assignee: Alibaba Group Holding Limited
    Inventors: Yirong Yu, Honglin Qiu
  • Patent number: 10764287
    Abstract: In an aspect of the disclosure, a method, a computer-readable medium, and an apparatus are provided. The apparatus may be a service processor. The service processor sends to a DHCP server a request-to-acquire for acquiring an IP address. The service processor then receives a response from the DHCP server. The response includes a first user name. The service processor further configures a user account in association with the first user name on the service processor. The user account allows access to the service processor.
    Type: Grant
    Filed: August 2, 2017
    Date of Patent: September 1, 2020
    Assignee: AMERICAN MEGATRENDS INTERNATIONAL, LLC
    Inventors: Samvinesh Christopher, Anurag Bhatia, Winston Thangapandian
  • Patent number: 10754957
    Abstract: Methods and systems for performing an authenticated boot; performing a continuous data protection; performing automatic protection and optionally a consolidation; and performing other defenses and protection of a protected computing device (such as a computer system) are provided. The aspects include integrating security mechanisms (which may include a “call home” function, role and rule-based policies, validating technologies, encryption and decryption technologies, data compression technologies, protected and segmented boot technologies, and virtualization technologies). Booting and operating (either fully or in a restricted manner) are permitted only under a control of a specified role-set, rule-set, and/or a controlling supervisory process or server system(s). The methods and systems make advantageous use of hypervisors and other virtual machine monitors or managers.
    Type: Grant
    Filed: December 31, 2019
    Date of Patent: August 25, 2020
    Assignee: Computer Protection IP, LLC
    Inventor: Ariel Silverstone
  • Patent number: 10754519
    Abstract: In an end user application running on a computer, for collaborative modification of shared electronic documents, a graphical user interface is provided that facilitates identifying other users to collaborate with and for storing an electronic document in shared storage. This graphical user interface includes a graphical element that conveys information about shared status of the currently accessed electronic document to the end user. Through input devices of the end user computer, an end user can manipulate this graphical element. Certain manipulations of this graphical element instruct the end user computer to determine if the electronic document can be shared. If the document can be shared, the graphical user interface prompts the user for additional users with whom the document is to be shared and then stores the document in shared storage. A graphical user interface that allows an electronic document to be quickly shared improves user efficiency and productivity in collaborative authoring.
    Type: Grant
    Filed: March 9, 2017
    Date of Patent: August 25, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Jade Kessler
  • Patent number: 10749849
    Abstract: A data communication device includes a first communicator that receives encrypted data; a second communicator that transmits the encrypted data; an identification information acquisition unit that, when the first communicator has received information for encryption that is used for establishing encrypted communications including encrypted part and plaintext part where the plaintext part includes identification information of a transmission source of the encrypted data, acquires the identification information from the information for encryption; and a configurator that sets data transmission of the second communicator, based on the identification information.
    Type: Grant
    Filed: December 6, 2016
    Date of Patent: August 18, 2020
    Assignee: NEC CORPORATION
    Inventor: Raika Uki
  • Patent number: 10740792
    Abstract: Apparatuses, systems, methods, and computer program products are presented for presenting content based on transaction data. A selection module selects a user for an offer in response to the user's financial transaction data satisfying a transaction metric associated with the offer. A location module determines a target location for an offer based on a user's financial transaction data. A location module monitors location data from one or more sensors for a user relative to a target location. An offer module dynamically provides an offer to a user in response to monitored location data from one or more sensors satisfying a target location.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: August 11, 2020
    Assignee: MX TECHNOLOGIES, INC.
    Inventor: John Ryan Caldwell
  • Patent number: 10728043
    Abstract: In one example, an apparatus such as an authorization server and method for secure communication between constrained devices issues cryptographic communication rights among a plurality of constrained devices. Each of the plurality of constrained devices comprises no more than one cryptographic algorithm code module per cryptographic function. The method includes receiving a cryptographic communication rights request associated with at least a first of the plurality of constrained devices in response to a cryptographic algorithm update request, and includes providing a response including an identification of a subset of the plurality of constrained devices that have cryptographic communication rights with the identified first of the plurality of constrained devices. A software update server then updates the cryptographic code modules in the subset of the plurality of constrained devices.
    Type: Grant
    Filed: July 20, 2016
    Date of Patent: July 28, 2020
    Assignee: Entrust, Inc.
    Inventor: Timothy Edward Moses
  • Patent number: 10708269
    Abstract: A method and system for managing requests from a customer system domain, the requests for access to an application executed by a web service in a cloud computing environment. In one embodiment, an access management system includes an authentication layer and an authorization layer. The authentication layer includes a proxy web service to receive a request for access to an application according to a membership-based authentication protocol and generate an object to be passed to an interface of the web-based execution platform. A second object is generated including user identity and membership information. The second object is configured with a protocol that enables processing by the web-based execution platform. The web-based execution platform receives the second object, extracts the authentication information in the second protocol, and translates the authentication information of the second object back into the first object as in the original request.
    Type: Grant
    Filed: October 13, 2017
    Date of Patent: July 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventor: Justin Paul Yancey
  • Patent number: 10708763
    Abstract: An on-boarding management entity may be implemented to manage interconnectivity among various enterprise entities and various subscription managers. A subscription manager identifier associated with each of the subscription managers may be used to map different enterprise entities to a specific subscription manager or a range of subscription managers. In the event of additions or replacements of subscription managers, a business logic may be employed via a rules engine in order to internally map a subscription manager identifier of the desired subscription manager to the respective subscription manager. The business logic can also be employed to map and relay callbacks and notifications received from the subscription managers to respective enterprise entities.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: July 7, 2020
    Assignee: T-Mobile USA, Inc.
    Inventor: Babak Namiranian
  • Patent number: 10701060
    Abstract: Generating PKI credentials for authenticating a networking appliance attempting to attach to a network includes: receiving a certificate signing request (CSR) from the networking appliance, wherein the CSR comprises credential data associated with an identity of the networking appliance; generating an appliance certificate based on the credential data and a certificate authority (CA) certificate associated with the computer; and returning the appliance certificate to the networking appliance.
    Type: Grant
    Filed: May 17, 2017
    Date of Patent: June 30, 2020
    Assignee: Avaya Inc.
    Inventors: Seung Bong Han, Wu Miao, Sanket Ravindra Tandulwadkar, Sunil Menon, Carl Keene
  • Patent number: 10693854
    Abstract: A method is provided for authenticating a user's communications terminal with an authentication server connected to a gateway terminal by using a communications network. The method includes: obtaining a piece of data representing an identity of the user from the gateway terminal; configuring, by the authentication server, a data transmission link between the authentication server and the terminal, using a predefined data transmission interface of the gateway terminal and as a function of the piece of data representing the identity of the user; transmitting, by the authentication server, to the terminal, a piece of encrypted data for checking authentication, using the data transmission link; receiving, by the authentication user, coming from the terminal, a piece of encrypted data for counter-checking authentication; issuing an assertion of authentication of the user when the piece of data for the counter-checking of authentication corresponds to the piece of data for checking authentication.
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: June 23, 2020
    Assignee: INGENICO GROUP
    Inventor: David Naccache
  • Patent number: 10693868
    Abstract: In order to leverage an enterprise-hosted network (EHN) associated with an entity, a communication technique may dynamically customize an application on a portable electronic device. In particular, the portable electronic device may discover and then may connect to the EHN using a quarantine zone that restricts access to the EHN. After providing valid credentials to establish a level of trust with the EHN, the portable electronic device may receive a request for authentication and authorization information. In response to the request, the portable electronic device may provide a credential to the EHN. Next, the portable electronic device may receive provisioning information that customizes the application on the portable electronic device to a venue associated with the entity. The provisioning information may include a connection setting associated with the application on the portable electronic device, which allows the portable electronic device to connect to the EHN outside of the quarantine zone.
    Type: Grant
    Filed: December 30, 2015
    Date of Patent: June 23, 2020
    Assignee: ARRIS Enterprises LLC
    Inventors: Doron Givoni, Henry H. Tzeng, Steve A. Martin
  • Patent number: 10686759
    Abstract: A firewall monitors network activity and stores information about that network activity in a network activity log. The network activity is analyzed to identify a potential threat. The potential threat is further analyzed to identify other potential threats that are related to the potential threat, and are likely to pose a future risk to a protected network. A block list is updated to include the potential threat and the other potential threats to protect the protected network from the potential threat and the other potential threats.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: June 16, 2020
    Assignee: Webroot, Inc.
    Inventors: Hal Lonas, David Dufour, Chip Witt, Patrick Kar Yin Chang
  • Patent number: 10686844
    Abstract: An example operation may include one or more of storing a unique identification code encapsulating encoded information about a trusted group of member devices within a decentralized network, the unique identification code being generated by the trusted group of member devices, decoding the stored unique identification code to generate decoded information which verifies that the user device is a member device of the trusted group of member devices and provides contact information for other member devices of the trusted group of member devices, and establishing a communication session with the trusted group of member devices based on the contact information obtained by decoding the unique identification code.
    Type: Grant
    Filed: January 17, 2018
    Date of Patent: June 16, 2020
    Assignee: International Business Machines Corporation
    Inventors: Trent Balta, Marc H. Coq, Colette Manoni, Corey McQuay, Eugene Nitka, Collin Walling
  • Patent number: 10681026
    Abstract: A system for auditing authorized key files associated with secure shell (SSH) servers is disclosed. In an example, the system may include a purpose-built SSH audit server. The SSH audit server may be configured to receive an authorized key file and a list of users. The SSH audit server may generate and provide unique registration codes for each of the users in the list. The SSH audit server may associate particular users with particular public keys as each of the users accesses the SSH audit server using a public key and inputs a registration code.
    Type: Grant
    Filed: December 5, 2017
    Date of Patent: June 9, 2020
    Assignee: QUEST SOFTWARE INC.
    Inventor: Matthew Todd Peterson
  • Patent number: 10680814
    Abstract: A device, method or server having memory configured to store cryptographic material required to execute one or more device functions. A communications interface for communicating over a network. Logic configured to receive from the server over the communications interface the cryptographic material required to execute the one or more device functions. The device is configured to delete the cryptographic material from the memory.
    Type: Grant
    Filed: May 31, 2016
    Date of Patent: June 9, 2020
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventors: Nicholas Bone, Tim Snape
  • Patent number: 10678555
    Abstract: Automated provisioning of hosts on a network with reasonable levels of security is described in this application. A certificate management service (CMS) on a host, one or more trusted agents, and a public key infrastructure are utilized in a secure framework to establish host identity. Once host identity is established, signed encryption certificates may be exchanged and secure communication may take place.
    Type: Grant
    Filed: October 2, 2017
    Date of Patent: June 9, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Jesper M. Johansson, Matthew T. Corddry, Tom F. Hansen, Luke F. Kearney
  • Patent number: 10681028
    Abstract: Disclosed are various embodiments for controlling access to data on a network. Upon receiving a request comprising a device identifier and at least one user credential to access a remote resource, the request may be authenticated according to at least one compliance policy. If the request is authenticated, a resource credential associated with the remote resource may be provided.
    Type: Grant
    Filed: September 25, 2017
    Date of Patent: June 9, 2020
    Assignee: VMWare, Inc.
    Inventors: John Marshall, Erich Stuntebeck
  • Patent number: 10673633
    Abstract: Method for retrieving data entered during a server connection, the server having access to a memory including a generated hashed word of a first input data, which corresponds to the data modified by a processing function, the capacity of the hashed word being lower than a predefined capacity, a generated security key of a second input data, which corresponds to the data modified by a processing function, the capacity of the security key being equal to the difference between the predefined capacity and the hashed word capacity, the security key not being stored, method wherein: after a request to retrieve the data, the hashed word and the security key are concatenated in order to reach the predefined capacity; and an inverse hash function, using an algebraic solving of the hash function, is applied to the concatenation of the hashed word and security key, to retrieve the data.
    Type: Grant
    Filed: March 23, 2016
    Date of Patent: June 2, 2020
    Assignees: UNIVERSITE DE REIMS CHAMPAGNE-ARDENNE, UNIVERSITE DE PICARDIE JULES VERNE
    Inventors: Gilles Dequen, Florian Legendre, Michaël Krajecki
  • Patent number: 10674327
    Abstract: In order to enable a dynamic handshake procedure, a device may be configured with a list of handshake contributors. Contributors with connection handshake properties may be added to the contributor list. To perform a handshake, the contributor list is processed to extract the connection handshake properties of each contributor to the handshake. Handlers for handling the connection handshake properties may also be dynamically added and invoked when a handshake is received.
    Type: Grant
    Filed: September 11, 2018
    Date of Patent: June 2, 2020
    Assignee: Open Invention Network LLC
    Inventors: Qin Ye, Robert W. Peterson, Thomas T. Wheeler