By Certificate Patents (Class 713/156)
  • Patent number: 10685122
    Abstract: A computer-implemented method for protecting a kernel for secure boot of an operating system includes preparing a kernel component with a signature for a secure boot. A processing unit modifies a machine owner key (MOK) file to include a trusted certificate. The MOK is separate from the kernel file. The processing unit validates the kernel component using a modified Grub file, a modified Shim file, and the MOK, and executes a secure boot using the validated kernel component. The kernel is unchanged by the secure boot process. The kernel component that is protected may be either a program executable (PE) file or a non-PE file.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: June 16, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pu Liu, Timothy V. Bolan, Patrick J. Callaghan
  • Patent number: 10686779
    Abstract: Disclosed is a computer-implemented method for establishing a secure connection between two electronic computing devices which are located in a network environment, the two electronic computing devices being a first computing device offering the connection and a second computing device designated to accept the connection, the method comprising executing, by at least one processor of at least one computer, a connection-establishing application for exchanging an information packet between the first computing device and the second computing device comprising a secret usable for establishing the connection, and evaluating a response from the second computing device for establishing the secure connection.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: June 16, 2020
    Assignee: BEAME.IO LTD.
    Inventors: Zeev Glozman, Markus Neff
  • Patent number: 10679036
    Abstract: An electronic apparatus includes an authenticator configured to identify registered finger information that coincides with detected finger information by matching the detected finger information with the plurality of registered finger information in a predetermined order, an executor configured to execute a function corresponding to the registered finger information identified by the authenticator, a user identifier configured to identify the actual user among the plurality of registered users by acquiring user identification information representing the actual user or by performing a determination process configured to determine the actual user, and a controller configured to change the predetermined order according to the actual user identified by the user identifier.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: June 9, 2020
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Toshimune Nagano
  • Patent number: 10671320
    Abstract: A clustered storage system in one embodiment comprises a plurality of nodes, with each of at least a subset of the nodes comprising a set of processing modules configured to communicate over one or more networks with corresponding sets of processing modules on other ones of the nodes. In conjunction with a failure of a first instance of a process running on a given one of the nodes and a subsequent restart of a second instance of the process, at least one of the processing modules is to identify at least one transfer buffer command of the first instance of the process, to identify a plurality of logically ordered commands of the first instance of the process, and to provide distinct treatment of the transfer buffer command relative to treatment of the logically ordered commands in a manner that ensures that the restart of the second instance of the process is not delayed to await completion of the transfer buffer command or the logically ordered commands.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: June 2, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Hillel Costeff, Lior Kamran, Zvi Schneider, Anton Kucherov
  • Patent number: 10671733
    Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification or information retrieval. One example method of operation may include one or more of receiving an access request from a requesting device for access to an encryption key associated with a user device, broadcasting the request to peer nodes for approval or disapproval, storing a transaction to a blockchain indicating the approval or disapproval of the request for access to the encryption key, and providing access to the encryption key when the approval is indicated.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: June 2, 2020
    Assignee: International Business Machines Corporation
    Inventors: Ronald B. Baker, Ravid Sagy
  • Patent number: 10666446
    Abstract: In an embodiment, a computer-implemented method comprises, receiving, at a first server, a plurality of certificates and an inventory list and storing the plurality of certificates and the inventory list in a blockchain; receiving, at a second server associated with the blockchain, a validation request from a device and validating the device; in response to validating the device, receiving, at the second server, a certificate request from the device and verifying the certificate request against the inventory list stored in the blockchain; and in response to verifying the certificate request, enrolling the device by sending a certificate from the plurality of certificates stored in the blockchain to the device.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: May 26, 2020
    Assignee: Xage Security, Inc.
    Inventors: Susanto Junaidi Irwan, Ganesh B. Jampani, Andy Sugiarto, Jeffrey Charles Venable, Sr., Roman Arutyunov
  • Patent number: 10666637
    Abstract: A certificate manager for a multi-tenant environment can be authorized to automatically renew a certificate for a customer of the environment. Prior to the end of the validity period of the certificate, the certificate manager can obtain a new certificate on behalf of the customer and notify the customer that the certificate is ready to be deployed. The certificate will not be deployed until the customer releases the hold on the certificate. If no such instruction is received, notifications can be sent to the customer about the upcoming end of the validity period, and those notifications can be sent with increasing frequency. If no notification is received before the validity period is to expire, the certificate manager can automatically deploy the certificate to ensure that a valid certificate remains in place for the customer on the associated resource(s).
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: May 26, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Todd Lawrence Cignetti, Preston Elder
  • Patent number: 10664573
    Abstract: Apparatuses, methods and storage media associated with managing a computing platform in view of an expiration date are described herein. In embodiments, an apparatus may include a computing platform that includes one or more processors to execute applications; and a trusted execution environment that includes a tamper-proof storage to store an expiration date of the computing platform, and a firmware module to be operated in a secure system management mode to regulate operation of the computing platform in view of at least whether a current date is earlier than the expiration date. Other embodiments may be described or claimed.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent J. Zimmer, Rajesh Poornachandran
  • Patent number: 10666641
Abstract: A mechanism for providing secure feature and key management in integrated circuits is described. An example method includes receiving, by a root authority system, data identifying a command that affects operation of an integrated circuit, signing, by the root authority system, the command using a root authority key to create a root signed block (RSB), and providing the RSB to a security manager of the integrated circuit.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: May 26, 2020
    Assignee: CRYPTOGRAPHY RESEARCH, INC.
    Inventors: Paul Carl Kocher, Benjamin Che-Ming Jun, Andrew John Leiserson
  • Patent number: 10664198
    Abstract: Provided are a computer program product, system, and method for sharing alias addresses among logical devices for a control unit managing access by hosts to logical devices configured with capacity from attached physical devices. An alias management group of logical devices and alias addresses assigned to the logical devices is configured. A plurality of requests to establish an association of the host with a logical device and the alias addresses assigned to the logical devices in the alias management group are received from a host. Acknowledgment is made to the host that the association is established in response to determining that the host is assigned the logical devices and alias addresses of the logical devices in the alias management group. The host can use one available alias address assigned to any one of the logical devices to access any one of the logical devices indicated in the association.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: May 26, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Scott B. Compton, Matthew R. Craig, Clint A. Hardy, Matthew J. Kalos, Dale F. Riedy, Richard A. Ripberger, Harry M. Yudenfriend
  • Patent number: 10664599
    Abstract: A computer-implemented method for protecting a kernel for secure boot of an operating system includes preparing a kernel component with a signature for a secure boot. A processing unit modifies a machine owner key (MOK) file to include a trusted certificate. The MOK is separate from the kernel file. The processing unit validates the kernel component using a modified Grub file, a modified Shim file, and the MOK, and executes a secure boot using the validated kernel component. The kernel is unchanged by the secure boot process. The kernel component that is protected may be either a program executable (PE) file or a non-PE file.
    Type: Grant
    Filed: May 1, 2017
    Date of Patent: May 26, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pu Liu, Timothy V. Bolan, Patrick J. Callaghan
  • Patent number: 10652226
    Abstract: The various embodiments described herein include methods, devices, and systems for providing secure access to network resources. In one aspect, a method is performed at a trust broker system. The method includes: (1) receiving, from a client system, a request to access network applications and resources hosted by a server system; (2) identifying a domain providing the requested network applications and resources; (3) determining whether the client system is authorized to access the domain; (4) identifying a particular server containing the domain; (5) identifying a proxy server assigned to the particular server; and (6) in accordance with a determination that the client system is authorized to access the domain: (a) transmitting an identification value for the client system to the identified proxy server; and (b) after transmitting the identification value to the identified proxy server, transmitting, to the client system, contact information for connecting to the identified proxy server.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: May 12, 2020
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Junaid Islam, Brent Bilger, Ted Schroeder
  • Patent number: 10642969
    Abstract: In one embodiment, a security provisioning service automatically establishes trust in a device. Upon receiving a provisioning request, a security provisioning service identifies a verification item that is associated with the provisioning request. The security provisioning service performs one or more verification operations based on the provisioning request to determine whether the provisioning request is authorized. If the provisioning request is authorized, then the provisioning service establishes a verifiable identification for the device that is assured by the secure provisioning service and then executes the provisioning request. By automatically performing the verification operations to establish trust in the device, the provisioning service eliminates manual identification assurance operations that are performed as part of a conventional security provisioning process.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: May 5, 2020
    Assignee: VERISIGN, INC.
    Inventors: Stephen D. James, Andrew Fregly, Andrew Cathrow
  • Patent number: 10645074
    Abstract: A method for monitoring access of users to Internet SaaS applications includes the CISO (company Internet security office) in the configuration and operation of the method, instead of relying only on whatever security the SaaS application implements. Certificates, not accessible to users, are pushed to a user's client. When an access request is received from a client by an application, a gateway requests from the client the certificate. After a notification and approval process with the user, a received certificate is verified, user access to the application is allowed or denied, and the CISO notified of the attempted access.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: May 5, 2020
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Alon Boxiner, Liad Mizrachi, Oded Vanunu, Roman Zaikin, Yoav Shay Daniely
  • Patent number: 10637663
Abstract: A group structure preserving signature system that can be applied to groups based on symmetric bilinear mapping, that reduces the signature length, and that enables efficient computation of verification equations is provided. At least, information indicating p, G1, G2, GT, e, g1, and g2, information needed to obtain e(hu, hv), and data that includes gs, hs, gt, ht, {g1, h1}, . . . , {gK, hK} are held as a public key vk, and data that includes vk, ?s, ?s, ?t, ?t, ?u, ?v, {?1, ?1}, . . . , {?K, ?K} are held as a secret key sk. A signature device selects ? and ? at random from integers between 0 and p−1, both inclusive, obtains w, s, t, and r, and generates, as a signature ?, data that includes w, s, t, and r. A verification device verifies the signature ? by using two verification equations.
    Type: Grant
    Filed: January 18, 2013
    Date of Patent: April 28, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Masayuki Abe
  • Patent number: 10637966
    Abstract: The disclosed technology is generally directed to device certification in an IoT environment. For example, such technology is usable in managing relationships between IoT devices and an IoT Hub. In one example of the technology, an IoT Hub receives a registration request. Next, the IoT Hub sends a registration verification to the IoT device. Next, the IoT Hub receives a ping from the IoT device. Next, the IoT Hub sends a response to the ping to the IoT device. Next, the IoT Hub receives verification of a validation of a log file output by a device based on running a plurality of unit tests on a device with a software development kit. Next, the IoT Hub automatically sends code to the IoT device.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: April 28, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hector Garcia Tellado, Dan Calin Cristoloveanu, Samuel John George
  • Patent number: 10630784
    Abstract: Facilitation of secure network traffic over an application session by an application delivery controller is provided herein. A method for secure network traffic transmission over an application session may include receiving, from a client device, a SYN data packet intended for an application server. The method may continue with determining, based on the SYN data packet, that the client device is a trusted source. The method may further include transmitting, based on the determination that the client device is the trusted source, a SYN/ACK packet to the client device. The SYN/ACK packet may include information for the client device to authenticate the client device to the application server directly as the trusted source.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: April 21, 2020
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Gurudeep Kamat
  • Patent number: 10630489
    Abstract: An apparatus and a method for managing user identity, the method comprising: establishing a connection secured with Transport Layer Security (TLS) from a client device to an IRP server; authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA); upon request from the client device, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device; upon request from the client device, registering or retrieving at the IRP server one or more digital certificate; sending from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection; upon request from the client device, returning a signed digital certificate from the IRP server to the client device; sending a PKCS #12 package from the client device to the IRP server; and upon request from the client device, returning a PKCS #12 package from t
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: April 21, 2020
    Assignee: SIXSCAPE COMMUNICATIONS PTE LTD.
    Inventor: Lawrence Hughes
  • Patent number: 10621319
    Abstract: Utilizing multimedia content in a digital signature to facilitate authentication. A message requester public key is received from a message requester. A digital certificate is generated containing the message requester public key. Multimedia content identifying the message requester is retrieved. Multimedia content is inserted into the digital certificate. A message digest is generated from the digital certificate including the multimedia content. The message digest and included multimedia content is encrypted with a certificate authority private key to generate a digital signature. A certificate authority public key is retrieved. The digital certificate including the digital signature and certificate authority public key is transmitted to a message owner.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: April 14, 2020
    Assignee: International Business Machines Corporation
    Inventors: Rinkesh I. Bansal, Sanjay B. Panchal, Chintan Thaker, Vinod A. Valecha
  • Patent number: 10616196
    Abstract: User authentication techniques are provided for multiple authentication sources and for non-binary authentication decisions. An authentication request is received from an application server to authenticate a user for access to a protected resource. Pre-flow rules and the authentication request are evaluated to dynamically determine a plurality of authentication servers to invoke for the authentication request and an order for the invocation. A first authentication server is contacted to obtain a first authentication result for the user. In-flow rules and the first authentication result are evaluated to determine if additional authentication of the user should be performed. A second authentication server is contacted based on the determined invocation order and/or a result of the in-flow rules to obtain a second authentication result for the user. Decision rules and the first and second authentication results are evaluated to determine an authentication decision.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: April 7, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Anton Khitrenovich, Oleg Freylafert
  • Patent number: 10616189
    Abstract: A non-transitory computer-readable storage medium comprising instructions stored thereon. When executed by at least one processor, the instructions may be configured to cause a computing system to at least receive a message, the message including a header, an encrypted symmetric key, and an encrypted body, decrypt the encrypted symmetric key using a private key to generate a decrypted symmetric key, decrypt the encrypted body using the decrypted symmetric key to generate a decrypted body, and store the header, the decrypted symmetric key, and the decrypted body in long-term storage.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: April 7, 2020
    Assignee: GOOGLE LLC
    Inventors: Laetitia Baudoin, Brian Goodman
  • Patent number: 10609056
Abstract: Embodiments include methods, systems and computer program products for online presence interaction using a behavioral certificate. The computer-implemented method includes monitoring, using a processor, one or more online presence interactions by one or more users. The processor determines whether a behavioral certificate exists for the online presence. The processor cross-references one or more authorized inputs, outputs or actions for the online presence based at least in part on an existence of a behavioral certificate for the online presence. The processor transmits the behavioral certificate, wherein the behavioral certificate advises the one or more users how to interact with the online presence.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: March 31, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Al Chakra, Liam Harpur, Sumit Patel, John Rice
  • Patent number: 10601978
    Abstract: A secure component of a telecommunication device is described herein. The secure component is configured to determine that a threshold amount of time has passed since reception of a heartbeat communication from a remote telecommunication server. In response to determining that the threshold amount of time has passed, the secure component performs at least one of preventing access to one or more services of the telecommunication device or deleting user data from the telecommunication device.
    Type: Grant
    Filed: June 4, 2014
    Date of Patent: March 24, 2020
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Mosher, Ahmad Arash Obaidi, Eric W. Yocam
  • Patent number: 10601812
    Abstract: A system and method for transmitting user credentials to another device. According to some embodiments, a method is described of receiving into a first portable electronic device a set of credentials from a user, the set of credentials to include a WLAN SSID and a network key, the set of credentials to allow the first device to connect to the WLAN. The set of credentials is used to connect the first device to the WLAN. The first device creates a message for wireless transmission, the message includes the set of credentials for accessing the WLAN and is adapted to be delivered to a second device. Finally, the first device transmits the message over the air, wherein the message is addressed to the second device. The second device receives the message and uses the credentials in the message to connect to the WLAN. Other embodiments are also described.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: March 24, 2020
    Assignee: ADVANCED MESSAGING TECHNOLOGIES, INC.
    Inventor: Adam Zucker
  • Patent number: 10592129
    Abstract: Provided are a computer program product, system, and method for sharing alias addresses among logical devices by a host accessing logical devices provisioned with a capacity from physical devices managed by a control unit. The host establishes with the control unit an association of logical devices and alias addresses assigned to the logical devices, wherein the alias addresses are associated with an alias management group. Alias address pool information is generated indicating each of the logical devices and their assigned alias addresses indicated in the association. The host uses from the alias address pool information any one of the alias addresses in the alias address pool information to access any of the logical devices associated with the same alias management group as the alias address.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: March 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Scott B. Compton, Matthew R. Craig, Clint A. Hardy, Matthew J. Kalos, Dale F. Riedy, Richard A. Ripberger, Harry M. Yudenfriend
  • Patent number: 10587607
    Abstract: There is provided an information processing apparatus including a memory that retains a first secret key corresponding to a first public key, and a processor that requests a change of a usage state of a second public key registered by a second apparatus in a first apparatus that retains a public key corresponding to a secret key from the first apparatus according to authentication using the first public key associated with the second public key and the first secret key.
    Type: Grant
    Filed: September 11, 2014
    Date of Patent: March 10, 2020
    Assignee: SONY CORPORATION
    Inventors: Yu Tanaka, Taizo Shirai, Yohei Kawamoto, Koichi Sakumoto
  • Patent number: 10586027
Abstract: A method for sharing a cross-platform account resource is described. An authentication request carrying a user name, a password, and an ID of an APP resource server is transmitted to an account management server, based on a registered account on the account management server; an authentication ticket corresponding to the APP resource server is received from the account management server, and the authentication ticket is stored, in which the authentication ticket carries a user ID, an authorization key and a refresh key; a resource request is transmitted to the APP resource server, based on the user ID and the authorization key in the authentication ticket; an APP resource is received from the APP resource server, after the APP resource server requests the account management server to verify the authentication ticket by using the user ID and the authorization key.
    Type: Grant
    Filed: August 8, 2017
    Date of Patent: March 10, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Hongfei Zhou, Jia Li
  • Patent number: 10587603
    Abstract: Method for enabling zero sign-on (ZSO) through a standard web browser. The device running the browser is first enrolled with a web service using an installed enrollment agent on the device which authenticates a user of the device. After authentication, the enrollment agent stores a device profile that includes a user certificate for the user and an authority certificate issued by said web service. The device profile is stored at a device location accessible by each of the web browsers used by said device. The enrollment agent configures each of the web browsers on the device to respond correctly to ZSO certificate challenges from the web service. Once enrolled, the device's web browsers can respond correctly to a ZSO Uniform Resource Locator (URL) certificate challenge received from the web service. After a successful response to the challenge, the browser is granted a secure socket layer (SSL) connection.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: March 10, 2020
    Assignee: IDAPTIVE, LLC
    Inventors: Anil Lingamallu, Nate Yocom, Paul Moore, Fei Chen
  • Patent number: 10588005
    Abstract: A collection of wearable communicating devices generates signals that may be detected and analyzed to produce a fingerprint of the collection of wearable devices. An analysis unit may recognize patterns or other information in detected signals and generate a fingerprint of a body area network corresponding to the collection of wearable devices. The fingerprint may be fuzzy fingerprint, matchable with a fingerprint of a similar, but not necessarily identical, collection of wearable devices that has been previously generated or obtained. The fingerprint may be used for tracking or other purposes. Some embodiments may allow the generation of additional signals that modify the fingerprint.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: March 10, 2020
    Assignee: McAfee, LLC
    Inventors: Igor Muttik, Martin Stecher
  • Patent number: 10587582
    Abstract: Disclosed are various approaches for implementing certificate pinning in a tunnel client on a client device. A tunnel client receives a connection request from an application executed by the client device to connect to a remote server. The tunnel client determines that the remote server corresponds to a known pinned host and then determines whether the remote server presents a certificate matching a pinned certificate for the known pinned host. If the presented certificate matches the pinned certificate, the tunnel client allows a connection to be established between the application and the remote server through a network tunnel between the tunnel client and a tunnel server.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: March 10, 2020
    Assignee: VMWARE, INC
    Inventor: Jonathon Deriso
  • Patent number: 10581847
    Abstract: A blockchain is used to track chain of custody associated with devices and user entities associated with those devices. In an embodiment, an identity engine traverses a blockchain to determine one or more transactions associated with a device and, in some cases, one or more users of that device. Based at least in part on the content of an authentication or provisioning request and that of the chain of custody, the identity engine provisions the device for a given user.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: March 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Nicholas Sun, Damian Finol Correa, Yunlong Liu
  • Patent number: 10581619
Abstract: A certificate management method, device, and system relate to the communications field and are used to resolve a problem that communication security of a virtual network system is degraded because, after a virtualized network function (VNF) instance is terminated in the virtual network system, a private key corresponding to a certificate of the VNF instance may be illegally obtained by an attacker to forge an identity of the VNF instance. A specific solution includes obtaining, by a first device, a certificate identifier of a first instance, and updating certificate status information of the first instance to a revocation state according to the certificate identifier of the first instance, or sending, by the first device, a first request message to a second device, where the first request message requests to revoke a certificate of the first instance.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: March 3, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chengyan Feng, Jiangsheng Wang
  • Patent number: 10574645
    Abstract: A per-resource user authority management unit that manages user authorities per resource, a user authority refinement unit that refines authorities linked to a user by the per-resource user authorities, and an authority verification unit that determines whether execution of processing with respect to a resource is permitted by using an authority that has been refined by the user authority refinement unit are provided.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: February 25, 2020
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tamura
  • Patent number: 10567370
    Abstract: A protocol for issuing and controlling digital certificates is described in which an identity management system is used to identify a user requesting a digital certificate and is also used to issue the digital certificate itself. Accordingly, an IDM-based PKI system is provided.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: February 18, 2020
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Robert Seidl, Norbert Goetze, Markus Bauer-Hermann
  • Patent number: 10567404
    Abstract: Aspects of the present disclosure relate to computer system security. A machine accesses a set of records corresponding to a set of users having access to a computer system. The machine stores, for each user in the set of users, a baseline profile representing baseline activity of the user with respect to a set of data sources of the computer system. The machine monitors activity of the set of users with respect to the set of data sources. The machine determines, based on monitoring the activity of the set of users, that a user action of a specified user, with respect to one or more data sources from the set of data sources, is anomalous relative to the baseline profile of the specified user. The machine provides a digital transmission representing the anomalous user action.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: February 18, 2020
    Assignee: Palantir Technologies Inc.
    Inventors: Nomi Becker, Isaac Smitley
  • Patent number: 10560274
    Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: February 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Daniel Kovacs, Kai Samelin, Dieter M. Sommer
  • Patent number: 10554420
    Abstract: A method and apparatus for establishing a wireless connection. A digital certificate having a second name is obtained by a processor unit in response to receiving a selection of a network using a first name broadcast by a wireless access point. A determination is made by the processor unit as to whether the digital certificate is valid. A determination is made by the processor unit as to whether the second name in the digital certificate matches the first name broadcast by the wireless access point. The processor unit establishes the wireless connection to the wireless access point in response to the digital certificate being valid and the second name in the digital certificate matching the first name broadcast by the wireless access point.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: February 4, 2020
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. Cross, David B. Dewey, Takehiro Takahashi
  • Patent number: 10536271
    Abstract: Systems and methods are disclosed for generating one or more hardware reference keys (HRK) on a computing device, and for attesting to the validity of the hardware reference keys. An initial hardware reference key can be a silicon attestation key (SIK) generated during manufacture of a computing system, such as a system-on-a-chip. The SIK can comprise an asymmetric key pair based at least in part on an identifier of the processing system type and a unique identifier of the processing system. The SIK can be signed by the computing system and stored thereon. The SIK can be used to generate further HRKs on the computing device that can attest to the processing system type of the computing device and an operating system version that was running when the HRK was generated. The computing device can generate an HRK attestation (HRKA) for each HRK generated on the computing system.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: January 14, 2020
    Assignee: Apple Inc.
    Inventors: Thomas P. Mensch, Conrad Sauerwald, Jerrold V. Hauck, Timothy R. Paaske, Zhimin Chen, Andrew R. Whalley
  • Patent number: 10530797
    Abstract: Embodiments include methods, systems and computer program products for online presence interaction using a behavioral certificate. The computer-implemented method includes monitoring, using a processor, one or more online presence interactions by one or more users. The processor determines whether a behavioral certificate exists for the online presence. The processor cross-references one or more authorized inputs, outputs or actions for the online presence based at least in part on an existence of a behavioral certificate for the online presence. The processor transmits the behavioral certificate, wherein the behavioral certificate advises the one or more users how to interact with the online presence.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: January 7, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Al Chakra, Liam Harpur, Sumit Patel, John Rice
  • Patent number: 10530587
    Abstract: A system and method for efficient certificate authentication management and distribution of large, web-scale authentication information. The method includes receiving, at a server, security certificate information, said security certificate including a unique certificate identifier. A structured data source, such as an XML file or database, is encoded with a unique record for each possible security certificate using the record ID as the security certificate ID. Each unique record includes a record of four bits or less. Owing to the small size of the data source, large amounts of security certificates may be managed and distributed efficiently over a network to one or more private gateways, allowing for large-scale certificate authentication.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: January 7, 2020
    Assignee: OpenVPN Technologies, Inc.
    Inventors: Francis Dinha, James Yonan
  • Patent number: 10530581
    Abstract: A method may include obtaining a common reference string. The method may further include obtaining a first public key for a first party and a second public key for a second party. The method may also include obtaining a first encrypted message, the first encrypted message encrypted using the first public key. The method may further include obtaining a second encrypted message, the second encrypted message encrypted using the second public key. The method may also include obtaining a proof. The method may further include verifying, using the proof, the common reference string, the first public key, and the second public key, that a decryption of the first encrypted message and a decryption of the second encrypted message are equivalent without decrypting the first encrypted message and without decrypting the second encrypted message.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: January 7, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 10516543
    Abstract: A first entity and a second entity establish a protected authenticated communication channel using an implicit certificate issued by a certificate authority. In some examples, the implicit certificate is generated based at least in part on the ring learning with errors (“RLWE”) problem. Using the implicit certificate, the first entity and the second entity exchange information that enables the entities to negotiate a shared secret. The shared secret may be used to establish a cryptographically protected communication channel. Successful use of the shared secret authenticates the identity of the first entity and the second entity.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: December 24, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Marguerite Marie Nathalie Delcourt
  • Patent number: 10505916
    Abstract: Techniques are described for using two tokens to request access to a secure server. The tokens allow the server to verify, without an external call, that the requesting device is one identified in the request and that the requesting device is authorized by a trusted identity provider. A first token is an authentication token issued by the trusted identity provider and including a client device public key. The second token is a proof-of-possession token that is signed by a client device using a client device private key corresponding to the client device public key. The server obtains the client device public key from the authentication token, and then uses the client device public key to validate the proof-of-possession token. The authentication token can be re-used by a server creating its own proof-of-possession token for presentation to a second server to access a secure service on the second server.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: December 10, 2019
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Engan, Douglas McDorman, Senthil Kumar Mulluppadi Velusamy, Komethagan Subramaniam
  • Patent number: 10503881
    Abstract: Systems for secure provisioning and management of computerized devices. The system may include a distributor appliance that is communicatively connected to the computerized device, and that is operable to receive a digital asset and to load the digital asset into the computerized device. It may also include a digital asset management system that is connected via a first secure communication channel to the distributor appliance, and that is operable to generate and conditionally transmit the digital asset to the distributor appliance; and a provisioning controller that is connected via a second secure communication channel to the distributor appliance and is connected via a third secure communication channel to the digital asset management system, and that is operable to direct the digital asset management system to transmit the digital asset to the distributor appliance. The computerized device is not fully functional before the digital asset is loaded into it.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: December 10, 2019
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: William L. Lattin, David R. Sequino, Alan T. Meyer, Gregory A. Powell
  • Patent number: 10498536
    Abstract: A public key embedded in a scoped application can be used to permit a trusted application to access a scoped application. The scoped application can receive a request for access to an interface of the scoped application from the trusted application. The request can include a signed identifier that is signed using a private key corresponding to the public key. The signed identifier can be authenticated using the public key. The scoped application can also verify that the signed identifier matches an identifier of the trusted application. Responsive to the authentication and verification, the trusted application may be permitted to have access to the interface of the scoped application. The private key and the public key are generated at a customer service instance operated by a computing provider. The private key is not shared outside of the customer service instance.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: December 3, 2019
    Assignee: ServiceNow, Inc.
    Inventors: Clifton Santford Bate, Christopher J. Nanda, Gregory A. Krasnow
  • Patent number: 10498722
    Abstract: Methods, apparatus, systems and articles of manufacture to issue digital certificates are disclosed. An example apparatus includes a certificate issuer to communicate, from a first entity, a digital certificate to be signed with a request for identifiers, and a value receiver to receive, at the first entity, a first value uniquely identifying a second value from a second entity and, after a period for accepting identifiers has ended, to receive, at the first entity, the second value from the second entity, the certificate issuer to combine, at the first entity, the second value and a third value to generate a certificate identifier for the digital certificate and to issue the digital certificate with the certificate identifier.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: December 3, 2019
    Assignee: Trustwave Holdings Inc.
    Inventor: Timothy John Hollebeek
  • Patent number: 10484373
    Abstract: A biometric certification request authentication (BCRA) computing device is provided for authenticating a requestor undergoing a certificate signing request process. The BCRA computing device is communicatively coupled to a memory device.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: November 19, 2019
    Assignee: Mastercard International Incorporated
    Inventor: Manoneet Kohli
  • Patent number: 10484185
    Abstract: One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: November 19, 2019
    Assignee: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Patent number: 10475091
    Abstract: According to one embodiment of the present disclosure, a virtualized communication device dynamic provisioning system includes a computer-based set of instructions that are executed to generate a user interface for receiving selection of one or more virtualized communication devices. The instructions may then receive provisioning information associated with the selected virtualized communication devices from the user interface, and provision the virtualized communication devices in accordance with the received provisioning information to prepare and equip the virtualized communication devices according to the financial transaction.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: November 12, 2019
    Assignee: Level 3 Communications, LLC
    Inventor: Michael E. Feldpusch
  • Patent number: 10476679
    Abstract: An example system for securely provisioning computerized devices of a plurality of tenants includes a Security Credential Management System (SCMS) host that is communicatively connected to the devices and is operable to receive provisioning requests from computerized devices needing certificates. Each provisioning request indicates a tenant identifier (ID) uniquely identifying a tenant of the plurality of tenants. The system also includes a virtual registration authority communicatively connected to the SCMS host and operable to transmit requests to SCMS backend components.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: November 12, 2019
    Assignee: INTEGRITY SECURITY SERVICES, INC.
    Inventors: Daniel R. Fynaardt, William L. Lattin, Gregory Powell