Central Trusted Authority Provides Computer Authentication Patents (Class 713/155)
-
Patent number: 10454904
Abstract: The present disclosure relates to technologies for a sensor network, machine-to-machine (M2M) communication, machine type communication (MTC), and an Internet of Things (IoT) network. The present disclosure may be used in intelligence services based on such technologies (smart homes, smart buildings, smart cities, smart cars or connected cars, healthcare, digital education, retail business, and security and safety-related services). Provided is a method of transmitting encrypted data for preventing identification of transmitting and receiving devices, from a first device to a second device, the method including: generating an encryption key for encrypting data; generating key identification information by using the generated encryption key and encrypting the data; and transmitting a data set including the encrypted data and the key identification information to the second device.
Type: Grant
Filed: March 24, 2017
Date of Patent: October 22, 2019
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Mi-suk Huh, Hee-kwan Lee, Kwang-pyo Choi, Chan-yul Kim, Seog-chung Seo
-
Patent number: 10445721
Abstract: Systems and methods are provided for detecting the likelihood that a transaction is fraudulent using user access pattern data and device fingerprint data. One embodiment of the invention discloses a method for determining the likelihood that a payment transaction is fraudulent. For example, a transaction analysis system can receive user access pattern data generated by a user client computer, receive a device fingerprint associated with the user client computer conducting a payment transaction, and determine, using the user access pattern data and the device fingerprint, a likelihood that the payment transaction is fraudulent.
Type: Grant
Filed: June 24, 2013
Date of Patent: October 15, 2019
Assignee: Visa International Service Association
Inventors: B. Scott Boding, Andrew Naumann zu Koenigsbrueck
-
Patent number: 10445756
Abstract: Embodiments of the present invention generally relate to a system and method for managing an incentive-based recycling program. More specifically, embodiments of the present invention relate to managing an incentive-based recycling program through administering a dynamic customer loyalty rewards program associated therewith.
Type: Grant
Filed: January 15, 2009
Date of Patent: October 15, 2019
Assignee: RECYCLEBANK LLC
Inventors: Ron Gonen, Morley Ivers
-
Patent number: 10440151
Abstract: The present document describes systems and methods that authorize client resources such as computers, servers, computing appliances, and virtual machines to access online services provided by an online service provider. To authorize a client resource, a client submits a registration request on behalf of the client resource to an authorization service provided by the service provider. The authorization service returns an activation code to the client. The activation code may expire after an amount of time, or upon first use. The client provides the activation code to an agent running on the client resource. The agent establishes communication with the authorization service, and upon providing the activation code to the authorization service, receives an authorization token that can be used by the client resource to access online services in accordance with security roles or permissions specified with the registration request.
Type: Grant
Filed: September 10, 2018
Date of Patent: October 8, 2019
Assignee: Amazon Technologies, Inc.
Inventors: Edward Bradford Smith, II, Graeme David Baer, Manivannan Sundaram
-
Patent number: 10432407
Abstract: A method is provided for automatically provisioning unique X.509 Certificates and Private Keys into Application Instances in a dynamic and elastic cloud environment. The method provides a means of creating a secure identity to be used for secure communications and resource allocation. Security of the provisioning is guaranteed by the fact that a trusted and hardened Orchestrator is launching the application instance and then directly provisioning the certificate and key. As an additional security measure, the certificates will have a limited time of validity, in order to decrease the impact of an incorrectly-issued certificate.
Type: Grant
Filed: December 19, 2016
Date of Patent: October 1, 2019
Assignee: ARRIS Enterprises LLC
Inventors: David B. Prickett, Alexander Medvinsky
-
Patent number: 10430570
Abstract: Techniques for electronic signature process management are described. Some embodiments provide an electronic signature service (“ESS”) configured to manage electronic identity cards. In some embodiments, the ESS generates and manages an electronic identity card for a user, based on personal information of the user, activity information related to the user's actions with respect to the ESS, and/or social networking information related to the user. The electronic identity card of a signer may be associated with an electronic document signed via the ESS, so that users may obtain information about the signer of the document. The ESS may also generate a trust score for the user based on activity information related to the user's actions with respect to the ESS and/or other factors. The trust score may be used to recommend authentication mechanisms to use with respect to electronic signature transactions.
Type: Grant
Filed: October 24, 2017
Date of Patent: October 1, 2019
Assignee: DocuSign, Inc.
Inventors: Thomas H. Gonser, Donald G. Peterson, Douglas P. Rybacki, Ashley Carroll, Michael Strickland
-
Patent number: 10425224
Abstract: Systems and methods for identity confirmation and transaction security are described. The system transmits to a client computing system an encrypted challenge generated using a public key of an asymmetric key pair and a first partially decrypted challenge generated by applying a first private key fragment of a private key of the asymmetric key pair to the encrypted challenge. The system receives a decrypted challenge generated by applying a second private key fragment of the private key to the encrypted challenge to generate a second partially decrypted challenge, applying a third private key fragment of the private key to the encrypted challenge to generate a third partially decrypted challenge, and combining the first partially decrypted challenge, the second partially decrypted challenge and the third partially decrypted challenge to generate the decrypted challenge. The system uses the decrypted challenge for verification.
Type: Grant
Filed: June 30, 2017
Date of Patent: September 24, 2019
Assignee: salesforce.com, inc.
Inventors: Prasad Peddada, Taher ElGamal
-
Patent number: 10423766
Abstract: Methods, systems, and computer program products are provided for protecting data stored on a device based on user input patterns. The device may have one or more types of user interfaces. The user interacts with a user interface of the device according to a pattern. The interaction pattern is monitored, and compared to one or more stored acceptable user interface patterns associated with sensitive data. If the interaction pattern of the user does not match an acceptable user interface pattern, a data protection response assigned to the data is enacted.
Type: Grant
Filed: June 27, 2014
Date of Patent: September 24, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventors: Jerry Huang, Zhen Liu
-
Patent number: 10412087
Abstract: The present disclosure relates to a trustworthy data exchange between a first device and a second device. In some embodiments, a query is received from the second device. The query may comprise a question and an indication of a trusted authority that is to certify authenticity of information used to determine an answer to the query. In some embodiments, information related to the query is determined. In certain embodiments, credentials are received from a user for retrieving the information. In some embodiments, information related to the query is retrieved, using the credentials, from one or more data repositories storing data verified by the trusted authority. In certain embodiments, an answer to the query is determined based on the information. In some embodiments, the answer is provided to the second device. The answer may indicate that the answer is based upon information certified by the trusted authority.
Type: Grant
Filed: May 31, 2017
Date of Patent: September 10, 2019
Assignee: INTUIT, INC.
Inventors: Glenn Scott, Michael R. Gabriel, Parikshit Lingampally, Roger Meike, Ian Maya Panchevre
-
Patent number: 10404472
Abstract: Systems and methods are described that enable trusted communications between two entities. In one implementation, a server for communicating with a device may include one or more processors configured to receive data and a device signature from the device. The device signature may be generated based on at least a first portion of the data. One or more processors may be further configured to transmit the data and the device signature to a second server and receive a second server signature from the second server. The second server signature may be generated based on at least a second portion of the data and transmitted to the server after the second server verified the device signature. Further, one or more processors may be configured to verify the second server signature and process the data.
Type: Grant
Filed: May 5, 2017
Date of Patent: September 3, 2019
Assignee: Neustar, Inc.
Inventor: Brian R. Knopf
-
Patent number: 10396989
Abstract: A method and a server for providing transaction keys for a transaction system includes transaction units which use pre-delivered transaction keys, and are provided by a key provisioning server and wherein the transaction key usage is checked by a transaction checking server. A transaction key is derived from a master key of a transaction unit, wherein a varying derivation parameter is used in the step of deriving. The step of deriving comprises a first sub step of deriving a key from the master key and a second sub step of deriving the transaction key from the derived key. The first sub step or the second sub step of deriving is performed dependent on a security level of the transaction unit.
Type: Grant
Filed: November 9, 2015
Date of Patent: August 27, 2019
Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
Inventors: Lauri Pesonen, Ulrich Weinert, Jarmo Mikael Kaikkonen, Jay Graver
-
Patent number: 10387639
Abstract: An application programming interface (API) authentication method using two API tokens which includes issuing a general API token and providing information required for a one-time API token to a user device; and in response to an API request from the user device, processing an API request according to a result of authentication based on the general API token and a one-time API token, which is generated using the information required for a one-time API token creation.
Type: Grant
Filed: December 8, 2016
Date of Patent: August 20, 2019
Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Hong Seok Jeon, Bhum Cheol Lee
-
Patent number: 10389758
Abstract: Systems and methods to rotate security assets used for secure communication are described. The system retrieves security assets from a security asset repository, the security assets including a first version of the certificate and a second version of the certificate. Further, the system receives, over a network, a third certificate, at a client machine, the third certificate being received from the first remote server machine of the plurality of remote server machines. Further, the system identifies, at the client machine, whether a first remote server machine associated with the first subject name is trusted by identifying whether the third certificate matches any one of the first version of the certificate and the second version of the certificate. Finally, the system establishes a secure communication session with the first remote server machine based on identifying that the first remote server is trusted.
Type: Grant
Filed: December 13, 2017
Date of Patent: August 20, 2019
Assignee: eBay Inc.
Inventors: Michael Dean Kleinpeter, Raju Venkata Kolluru
-
Patent number: 10389694
Abstract: Systems, methods, and non-transitory computer-readable storage media for a non-replayable communication system are disclosed. A first device associated with a first user may have a public identity key and a corresponding private identity. The first device may register the first user with an authenticator by posting the public identity key to the authenticator. The first device may perform a key exchange with a second device associated with a second user, whereby the public identity key and a public session key are transmitted to the second device. During a communication session, the second device may transmit to the first device messages encrypted with the public identity key and/or the public session key. The first device can decrypt the messages with the private identity key and the private session key. The session keys may expire during or upon completion of the communication session.
Type: Grant
Filed: November 1, 2017
Date of Patent: August 20, 2019
Assignee: Dropbox, Inc.
Inventor: Graham Abbott
-
Patent number: 10380354
Abstract: A method is provided for safeguarding values of attributes of a data record that can be stored in a first relational database against unauthorized access, wherein a value of a foreign key attribute of the data record refers to a key for the first relation or for a second relation, and wherein the value of the foreign key attribute is stored in a mapping relation, the values of attributes of the data record that are not foreign key attributes are stored in the first relation, and the mapping relation is stored in a volatile data memory.
Type: Grant
Filed: August 12, 2016
Date of Patent: August 13, 2019
Assignee: UNISCON UNIVERSAL IDENTITY CONTROL GMBH
Inventors: Hubert Jäger, Dau Khiem Nguyen, Christos Karatzas
-
Patent number: 10374810
Abstract: A middleware system validation tool includes a retrieval engine, and a network component status engine. The retrieval engine retrieves a pre-change activity status before software is modified on a network component. The middleware system validation tool retrieves a post-change status after the software is modified and compares the pre-change status to the post-change status to determine whether the software modification was successful. The middleware system validation tool receives certification information from the network component that includes information for an SSL certificate to determine whether the SSL certificate is valid.
Type: Grant
Filed: January 5, 2017
Date of Patent: August 6, 2019
Assignee: Bank of America Corporation
Inventors: Muppudathy Lakshminarayan, Satish S. Kekane, Sudheer Ganti
-
Patent number: 10375063
Abstract: Certain implementations include systems and methods for combined one-time-passcode (OTP) and knowledge-based-authentication (KBA) identity authentication.
Type: Grant
Filed: March 9, 2017
Date of Patent: August 6, 2019
Assignee: LexisNexis Risk Solutions Inc.
Inventors: Benny Rotem, Bryan Knauss, Elina Yaakobovich
-
Patent number: 10367810
Abstract: Provisioning of an electronic subscriber identity module (eSIM) to an embedded universal integrated circuit card (eUICC) is observed to acquire a captured payload. The captured payload is then used in replay test sessions. In a live test session, test equipment can be used to monitor the communication between an eSIM server and the eUICC in order to capture the payload transmitted from the eSIM server. In the live test session, the eUICC can be in a debug mode that persists an ability to generate the same keys. In the replay test sessions, the payload captured can be reused and the eUICC can regenerate the same keys to decrypt an encrypted eSIM in the payload. After an installation attempt, the eUICC can provide notifications to the test equipment. The eUICC can be stress-tested using methods described herein without consuming a large number of eSIMs from an eSIM server inventory.
Type: Grant
Filed: September 29, 2017
Date of Patent: July 30, 2019
Assignee: Apple Inc.
Inventors: Li Li, Arun G. Mathias
-
Patent number: 10365925
Abstract: A communication port may exchange information with a user via a graphical user interface, and an application data store may contain information about executable applications, including input data and output data associated with each executable application. A merging platform may recognize that a user has selected, via the graphical user interface, a first executable application in the application data store. The merging platform may also recognize that the user has selected a second executable application in the application data store and receive an indication from the user that an application merging application is to be triggered. Responsive to this triggering, the merging application may merge behaviors of the first executable application and the second executable application, including functionality of the input and output data of each executable application, to create a merged application. The merging platform may then arrange to facilitate execution of the merged application.
Type: Grant
Filed: February 8, 2017
Date of Patent: July 30, 2019
Assignee: SAP SE
Inventors: Markus Latzina, Slavin Donchev
-
Patent number: 10367797
Abstract: Methods, systems, and media for automatically authenticating a user account using multiple services are provided. In accordance with some embodiments of the disclosed subject matter, methods for authenticating a user using multiple services are provided, the methods comprising: receiving, from a client device, first credentials for a target service account; authenticating the target service account based on the first credentials; issuing a redirecting request that directs the client device to at least one vouching service in response to authenticating the target service account; receiving a vouching response indicating that the client device has authenticated a vouching service account with the at least one vouching service, wherein the vouching response includes a vouching token; and providing the client device with access to the target service account in response to determining that the vouching service account is associated with the target service account.
Type: Grant
Filed: August 7, 2014
Date of Patent: July 30, 2019
Assignee: The Trustees of Columbia University in the City of New York
Inventors: Angelos D. Keromytis, Elias Athanasopoulos, Georgios Kontaxis, Georgios Portokalidis
-
Patent number: 10355865
Abstract: Methods, systems, and devices that support determining whether media data has been altered are described. Captured media data may be segmented into one or more subsets, and cryptographic representations (e.g., hashes) based on the subsets may be written to an immutable ledger, possibly along with metadata and other related data. A block of a blockchain may be created for each entry in the immutable ledger. A set of media data may be validated, if a corresponding immutable ledger exists, based on segmenting the set of media data into one or more subsets in accordance with the segmenting upon capture, creating candidate cryptographic representations (e.g., hashes) based on the subsets, and comparing the candidate cryptographic representations with contents of the corresponding immutable ledger.
Type: Grant
Filed: June 6, 2018
Date of Patent: July 16, 2019
Assignee: DeepTruth, LLC
Inventors: Jason Lealand Crawforth, Michael Robert Blood
-
Patent number: 10348505
Abstract: Methods, systems, and devices that support determining whether media data has been altered are described. Captured media data may be segmented into one or more subsets, and cryptographic representations (e.g., hashes) based on the subsets may be written to an immutable ledger, possibly along with metadata and other related data. A block of a blockchain may be created for each entry in the immutable ledger. A set of media data may be validated, if a corresponding immutable ledger exists, based on segmenting the set of media data into one or more subsets in accordance with the segmenting upon capture, creating candidate cryptographic representations (e.g., hashes) based on the subsets, and comparing the candidate cryptographic representations with contents of the corresponding immutable ledger.
Type: Grant
Filed: June 6, 2018
Date of Patent: July 9, 2019
Assignee: DeepTruth, LLC
Inventors: Jason Lealand Crawforth, Michael Robert Blood
-
Patent number: 10348509
Abstract: This application discloses a physical unclonable function device including physical unclonable function units, each capable of generating an output. The physical unclonable function device can utilize transforms to derive bits from the outputs and utilize the derived bits to generate an identifier for the physical unclonable function device. An inspection configuration tool can sample multiple outputs from each of the physical unclonable function units, identify a transform to perform on a future output for each of the physical unclonable function units based on a distribution of values corresponding to the sampled outputs. The inspection configuration tool can configure the physical unclonable function device to perform the transforms on the future outputs of the physical unclonable function units. Embodiments will be described below in greater detail.
Type: Grant
Filed: December 9, 2015
Date of Patent: July 9, 2019
Assignee: Mentor Graphics Corporation
Inventors: Joseph P. Skudlarek, Wei-Che Wang, Michael Chen
-
Patent number: 10346178
Abstract: In one embodiment, a method includes detecting that a processor is attempting to boot a server using a network boot option over a first network. The method also includes receiving a network address, using the processor, from an integrated management module (IMM) connected to the processor via a local connection without using a dynamic host configuration protocol (DHCP) server on the first network. In another embodiment, a computer program product includes a computer readable program medium. The computer readable program medium includes program instructions configured to cause a processor in an IMM to intercept a network boot option initiated by a server over a first network and acquire a network address for the server without using a DHCP in the first network. The IMM is connected to the server via a local connection. Other methods, systems, and computer program products are described according to more embodiments.
Type: Grant
Filed: August 20, 2015
Date of Patent: July 9, 2019
Assignee: LENOVO ENTERPRISE SOLUTIONS (SINGAPORE) PTE. LTD.
Inventors: Vivek Kashyap, Gregory B. Pruett
-
Patent number: 10348713
Abstract: A system and method for facilitating authenticating a client application to enable communications with another server-side application running on a server in communication with the client application (client). An example embodiment involves providing an authenticator for the client to a shared library that is accessible to the client and server, and then registering the authenticator for the client at the server. After registration, the client sends a request message (addressed to a server-side application) and token to the server. The token is derived using the authenticator at the shared library. The server then uses the token to check that the authenticator associated with the received token is registered. The server then communicates with the shared library to authenticate the client by verifying that the received token identifies the client that has provided the authenticator to the shared library. Client identity is then set to enable communications with the server-side application.
Type: Grant
Filed: March 29, 2017
Date of Patent: July 9, 2019
Assignee: Oracle International Corporation
Inventor: Dhiraj D. Thakkar
-
Patent number: 10341330
Abstract: A method is provided for displaying confidential information, such as a cash-card secret code and/or a credit-card secret code. If the information transmitted to a service facility matches the information deposited there, the confidential information is displayed on a display device arranged on a user's head.
Type: Grant
Filed: September 12, 2014
Date of Patent: July 2, 2019
Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
Inventors: Martin Auer, Torsten Leibner
-
Patent number: 10333711
Abstract: A device operated by a user may store an object to which access is to be regulated, which may be achieved by encrypting the object with an encryption key and sending the key to a server having a key store. When a user of the device requests access to the object, the server may authenticate the user (e.g., according to a credential submitted by the user) and verify a trust identifier of the device (e.g., authorization to access the object through the device, and/or the integrity of the device), before sending to the device a ticket granting access to the key. The device may send the ticket to the server, receive the key from the server, decrypt the stored encrypted object, and provide the object to the user. This mechanism promotes rapid access upon request and efficient use of the server, and enables remote revocation of access.
Type: Grant
Filed: June 17, 2011
Date of Patent: June 25, 2019
Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
Inventors: Eric Fleischman, Tarek Kamel, Yordan Rouskov
-
Patent number: 10325104
Abstract: Systems and methods for data sharing and transaction processing for high security documents are disclosed. According to one embodiment, a method may include (1) at least one computer processor verifying that a sender of a document is authorized to send the document; (2) the at least one computer processor verifying that a receiver of the document is authorized to receive the document; (3) the at least one computer processor identifying at least one restriction to associate with the document; and (4) the at least one computer processor associating the at least one restriction with the document.
Type: Grant
Filed: July 20, 2017
Date of Patent: June 18, 2019
Assignee: JPMorgan Chase Bank, N.A.
Inventor: Eren Kursun
-
Patent number: 10325130
Abstract: Systems, methods, and computer-readable storage media are provided for an embedded, scalable, predictive tool capable of detecting in-field anomalies and trends in advance of productivity losses on single devices, device clusters, and/or multi-cluster architectures. In-field and in real-time, sets of barcode signal sequences associated with respective barcode symbols are collected in time series (that is, at successive time intervals). A quality index measure is computed for each of the barcode signal sequence sets such that each quality index measure is associated with a barcode symbol. Patterns among the sets are identified therefrom and compared to barcode symbol patterns that are known to be associated with particular trends or anomalies and appropriately classified as such.
Type: Grant
Filed: December 6, 2016
Date of Patent: June 18, 2019
Assignee: Datalogic IP Tech S.r.l.
Inventors: Francesco D'Ercoli, Simone Cilli
-
Patent number: 10320755
Abstract: A node enables sharing data connectivity between a consumer device and a broker device, and receives from a first packet routing node a request for a consumer authorization certificate. The request includes a subscriber identity. Based on the subscriber identity authorizing the subscriber for sharing data connectivity, a consumer authorization certificate is generated using a private encryption key associated with the node. The consumer authorization certificate includes the subscriber identity of the subscriber. The consumer authorization certificate is returned to the first packet routing node. A request for a data connectivity service for the subscriber is received from a second packet routing node. The request includes a consumer agreement certificate and a broker identity. The consumer agreement certificate is signed using a private key associated with the subscriber and includes the subscriber identity. The consumer agreement certificate is valued.
Type: Grant
Filed: December 9, 2013
Date of Patent: June 11, 2019
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventor: Joel Cassel
-
Patent number: 10320773
Abstract: A customer can demonstrate control over an element, such as a domain, by receiving a certificate from a certificate authority. After receiving a request for a certificate for a certain domain name, the certificate authority uses a public key cryptography protocol to generate a request for information regarding the domain name. The request for information is submitted to a domain service which hosts that domain name, and the domain service will provide a response to the certificate authority which includes a public key and data for the domain name, with the data encrypted under an associated private key for the domain name. The certificate authority will issue a certificate specifying the domain name and utilizing the received public key, and the certificate is unable to be validated without access to the associated private key.
Type: Grant
Filed: August 10, 2017
Date of Patent: June 11, 2019
Assignee: AMAZON TECHNOLOGIES, INC.
Inventor: Peter Zachary Bowen
-
Patent number: 10320569
Abstract: A method of authenticating a digitally signed assertion using verified evaluators includes receiving, by a first processor coupled to a memory at least a first digitally signed assertion, identifying, by the first processor, at least a cryptographic evaluator communicatively coupled to the first processor, assigning, by the first processor, at least a confidence level to the at least a cryptographic evaluator; providing, by the first processor, the at least a first digitally signed assertion to the at least a cryptographic evaluator, receiving, by the first processor and from the at least a cryptographic evaluator, at least an appraisal of the at least a first digitally signed assertion, and authenticating, by the first processor, the at least a first digitally signed assertion as a function of the at least an appraisal and the at least a confidence level.
Type: Grant
Filed: May 1, 2018
Date of Patent: June 11, 2019
Inventors: Christian T Wentz, John William Stanton
-
Patent number: 10321311
Abstract: A method of bootstrapping between endpoint client and server in a low power wireless network. The method includes the steps of initiating a bootstrap request from an endpoint client to the server with the bootstrap request including an endpoint client name in an identifier, determining a registry apparatus to be assigned to the endpoint client, accepting the bootstrap request at the server and in response to the bootstrap request providing a security object and an identifier to the endpoint client to identify the assigned registry apparatus.
Type: Grant
Filed: September 1, 2015
Date of Patent: June 11, 2019
Assignee: ARM Limited
Inventors: Szymon Sasin, Norbert David
-
Patent number: 10320572
Abstract: The techniques described herein facilitate scope-based certificate deployment for secure dedicated tenant access in multi-tenant, cloud-based content and collaboration environments. In some embodiments, a method is described that includes receiving an incoming authentication request from an access system, wherein the authentication request includes metadata, extracting the metadata from the authentication request, and processing the metadata to identify a tenant corresponding to the request. A tenant-specific certificate associated with the tenant is then accessed and provided to the access system for validation by a third-party certificate authority.
Type: Grant
Filed: December 5, 2016
Date of Patent: June 11, 2019
Assignee: Microsoft Technology Licensing, LLC
Inventors: Mangalam Rathinasabapathy, Patrick Simek, Xinghuo Zeng, Harpreet Miglani, Roshane Silva
-
Patent number: 10320805
Abstract: A visitor authorization management method is provided. In the method, an authorization object identifier and authorization operation information corresponding to the authorization object identifier are obtained. The authorization operation information according to the authorization object identifier is cached. The current latest authorization operation information corresponding to the authorization object identifier is retrieved from the cache. A reference time is determined based on an authorization time in the current latest authorization operation information. When a preset time period having the reference time as an end is reached, an authorization operation is performed according to the current latest authorization operation information and the authorization object identifier.
Type: Grant
Filed: November 30, 2017
Date of Patent: June 11, 2019
Assignee: Ping An Technology (Shenzhen) Co., LTD.
Inventor: Xiangzhang Wang
-
Patent number: 10320564
Abstract: The present invention is a platform and/or agnostic authentication method and system operable to authenticate users, data, documents, device and transactions. Embodiments of the present invention may be operable with any client system. The authentication method and system are operable to disburse unique portions of anonymous login related information amongst multiple devices. These devices and the disbursed unique portions of anonymous login information are utilized by the solution to authenticate users, data, documents, device and transactions. Login-related information is not stored in any portion of the solution; users and devices are anonymously authenticated. The solution also permits a user to access secured portions of the client system through a semi-autonomous process and without having to reveal the user's key.
Type: Grant
Filed: October 19, 2018
Date of Patent: June 11, 2019
Assignee: Autnhive Corporation
Inventor: Devi Selva Kumar Vijayanarayanan
-
Patent number: 10313333
Abstract: A system may generate a seed one-time password (OTP). The system may also perform steps including transmitting the seed OTP to a user device, receiving a response OTP from the user device, and calculating an expected response OTP by applying a function to the seed OTP. The system may then compare the response OTP to the expected response OTP and send a result in response to comparing the response OTP to the expected response OTP.
Type: Grant
Filed: August 18, 2017
Date of Patent: June 4, 2019
Assignee: AMERICAN EXPRESS TRAVEL RELATED SERVICES COMPANY, INC.
Inventors: Wael Ibrahim, Upendra Mardikar
-
Patent number: 10311215
Abstract: An authorized user obtains a packaging license that grants permission to use a particular recording device to generate multimedia content in accordance with specified license terms. The packaging license includes a content key that is used to encrypt the multimedia content at the point of capture on the recording device. The encrypted multimedia content can be transmitted via unsecure channels (for example, via electronic mail) to a networked content repository or an intended recipient. For playback, an authorized user obtains a playback license that grants permission to decrypt and play back the multimedia content using a particular playback device. An authorization server and a key management server are used to manage which users are entitled to receive a license, and to define the terms of the granted licenses. A record of the granted authorizations and licenses is maintained, thereby allowing access to a given content item to be audited.
Type: Grant
Filed: April 3, 2018
Date of Patent: June 4, 2019
Assignee: Adobe Inc.
Inventors: Joseph Steele, John Landwehr
-
Patent number: 10306018
Abstract: Concepts and technologies are disclosed herein for providing and using a connection management service. A connection management service can receive a connection request that requests a connection between a requestor and a distributed network. The connection management service can identify a connector to provide the connection between the requestor and the distributed network. The connection management service can provide, to the requestor, an object corresponding to the connector. The requestor can invoke the object to connect to the distributed network.
Type: Grant
Filed: October 16, 2017
Date of Patent: May 28, 2019
Assignee: AT&T Intellectual Property I, L.P.
Inventors: William Trost, Craig Harvey, Harvey Cary
-
Patent number: 10305886
Abstract: An Identity Exchange that communicates and processes data exchanged between Identity Providers (IdP) and Relying Parties (RP) remains blinded from the attribute values of the data flowing through it. To make this happen, each IdP and RP are issued anonymous certificates by a Certificate Authority, using which they perform key exchange with each other to exchange session keys, which are used subsequently to encrypt/decrypt all attribute values they exchange via the Identity Exchange.
Type: Grant
Filed: May 25, 2016
Date of Patent: May 28, 2019
Inventor: Ravi Ganesan
-
Patent number: 10305875
Abstract: A system includes circuitry for performing hybrid blockchain rewrites by trusted parties. The hybrid blockchain may include blocks with multiple parts. In some cases, the blocks may include a core part and a tertiary part. The system may include conditions for validity preserving and/or non-tamper-evident rewrites to the parts of the block. The conditions to support rewrites to the core part may be more stringent than the corresponding conditions to support rewrites to the tertiary part. In some cases, the core part may be write-locked.
Type: Grant
Filed: January 28, 2019
Date of Patent: May 28, 2019
Assignees: Accenture Global Solutions Limited, GSC Secrypt, LLC
Inventors: Giuseppe Ateniese, Michael T. Chiaramonte, David Treat, Bernardo Magri, Daniele Venturi
-
Patent number: 10298592
Abstract: Systems, devices, methods and media are provided for selecting data received from or sent by a client device. In one example, a system is configured to initiate a user-configurable API data endpoint on the client device and issue a request for access to specified data residing on the client device. The specified data resides in a first user-designated storage area on the client device. In response to receiving an authorization by a user of the client device of the access request, the system communicates with the user-configurable API data endpoint on the client device to perform a data-pull of at least some of the requested specified data from a second user-designated data pull portion of data residing on the client device.
Type: Grant
Filed: October 19, 2017
Date of Patent: May 21, 2019
Assignee: eBay Inc.
Inventor: Jared Blitzstein
-
Patent number: 10284687
Abstract: A method of processing, at a web server, a long-polling between a client and a service server configured to provision a service to the client over a network includes: receiving, at the web server, a poll request from the client; transmitting, via the web server, the poll request to the service server; receiving, at the web server, a poll reply to the poll request from the service server; generating, at the web server, webpage data based on the data in the poll reply; and transmitting, via the web server, the webpage data to the client as the poll reply. The poll reply received at the web server includes data to be applied in association with the client.
Type: Grant
Filed: January 24, 2017
Date of Patent: May 7, 2019
Assignees: NHN Entertainment Corporation, NHN Studio629 Corporation
Inventor: Chuljae Lim
-
Patent number: 10284586
Abstract: Techniques presented herein describe data loss prevention (DLP) methods for saving a file to a destination over a network via an application, such as a productivity application having such features. A DLP agent injects components into the productivity application to intercept save operations initiated by a user. When the user initiates a save operation for a file, the components suspend the operation and store a current version of the file (including unsaved file data) in a temporary location accessible to the DLP agent on disk. The DLP agent evaluates the current version of the file and file destination based on network and security policies to determine whether to allow or block the save operation.
Type: Grant
Filed: December 23, 2014
Date of Patent: May 7, 2019
Assignee: Symantec Corporation
Inventors: Ameet Shinde, Varsha Arun Raykar, Sarin Sumit Manmohan
-
Patent number: 10277780
Abstract: Provided is a client device including a first change unit for changing authentication information from individual authentication information to common authentication information, which is authentication information commonly used by each client device, in a case where a transmission of first operation information has failed due to an authentication error, and a second transmission unit for transmitting second operation information to the server device by using the common authentication information changed by the first change unit.
Type: Grant
Filed: January 3, 2018
Date of Patent: April 30, 2019
Assignee: Canon Kabushiki Kaisha
Inventor: Yuichi Kurahashi
-
Patent number: 10275590
Abstract: A computer system supports a secondary authentication mechanism for authentication of a user, where the computer system may provide a variety of services including financial, scientific, academic, or governmental services. The computer system utilizes a multiphase distributed trust model in which the user is authenticated based on distributed trust of a set of randomly selected trusted contacts from a large set of trusted contacts initially chosen during an enrollment phase. During the authentication phase, a subset of contacts (affirmers) is selected from the contact list. The computer system then provides additional authentication information to each of the affirmers who subsequently share the information with the user. The user then provides this information from the computer system in order to complete the secondary authentication.
Type: Grant
Filed: September 27, 2016
Date of Patent: April 30, 2019
Assignee: Bank of America Corporation
Inventors: Pinak Chakraborty, Nagasubramanya Lakshminarayana, Harigopal K. B. Ponnapalli
-
Patent number: 10270603
Abstract: Systems, methods, and software can be used to process certificate validation warnings. In some aspects, a connection to a Virtual Private Network (VPN) server is initiated at an electronic device. The VPN server is associated with a VPN profile. In response to initiating the connection, a certificate associated with the VPN server is received at the electronic device. A validation warning associated with the certificate is received. A fingerprint of the certificate is generated. A validation action is selected based on the validation warning, the fingerprint, and the VPN profile. The selected validation action is executed.
Type: Grant
Filed: March 17, 2016
Date of Patent: April 23, 2019
Assignee: BlackBerry Limited
Inventors: Chang Fung Yang, Robert Marcel Dugal, Jason Songbo Xu
-
Patent number: 10271206
Abstract: A system may include a device having a program that includes a workflow system public key associated with a workflow system and programming instructions that allow the device to communicate with the workflow system over a communication network. The system may initialize a device by sending communications to the workflow system, receiving a response that includes information encrypted with a workflow system private key, and verifying the authenticity of the response by using the workflow system public key to decrypt the information in the response. The system may register the device for privacy treatment by the workflow system by generating a key pair that includes a client private key and a client public key, generating an encrypted client key by encrypting the client public key with the workflow system public key, including the encrypted client key in a privacy request, and sending the privacy request to the workflow system.
Type: Grant
Filed: September 15, 2016
Date of Patent: April 23, 2019
Assignee: Xerox Corporation
Inventor: Peter J. Zehler
-
Patent number: 10262146
Abstract: Disclosed are various approaches for a secure communication session between applications installed on a client device. The secure communication session can be provided over an insecure operating system application programming interface (API). By exchanging session information and encryption data, communications over the insecure API can be secured.
Type: Grant
Filed: December 15, 2016
Date of Patent: April 16, 2019
Assignee: VMware, INC.
Inventors: Yogesh Govind Hande, Shravan Shantharam, Kalyan Regula, Varun Murthy, Bhuvanesh Shanmuga Sundaram, Jonathon Deriso, Raymond Welch
-
Patent number: 10257209
Abstract: A method, system and device for allowing the secure collection of sensitive information is provided. The device includes a display, and a user interface capable of receiving at least one user-generated interrupt in response to a stimulus generated in response to content received by the device, wherein the action taken upon receiving the user-generated interrupt depends on a classification of the content, the classification identifying the content as trusted or not trusted. The method includes detecting a request for sensitive information in content, determining if an interrupt is generated, determining if the content is trusted, allowing the collection of the sensitive information if the interrupt is generated and the content is trusted, and performing an alternative action if the interrupt is generated and the content is not trusted. The method may include instructions stored on a computer readable medium.
Type: Grant
Filed: February 1, 2016
Date of Patent: April 9, 2019
Assignee: PAYPAL, INC.
Inventors: Bjorn Markus Jakobsson, William Leddy