By Certificate Patents (Class 713/156)
-
Patent number: 12294662
Abstract: Embodiments relate to systems for generating identity records (e.g., authentication certificates) at a server for validating broadcast messages. The server may receive a request to generate an identity record, where the request may include a public key of a named entity device that is configured to broadcast messages. The server may generate the identity record using the private key of the server and transmit the generated certificate to a namespace server for storage. A policy consuming device configured to receive a broadcast message, which may be signed using the private key of the named entity device, subsequently accesses the namespace server for the identity record including the public key of the named entity device. The policy consuming device validates the authentication certificate using the server's public key and validates the broadcast message using the named entity device's public key.
Type: Grant
Filed: February 4, 2021
Date of Patent: May 6, 2025
Assignee: ValiMail Inc.
Inventor: Ashley Duane Wilson
-
Patent number: 12289418
Abstract: Embodiments described herein provide systems and methods to prevent, or provide a countermeasure, to a co-existence attack, for example, that may occur in a Security Credential Management System (SCMS) where both regular butterfly key (RBK) protocol and unified butterfly key (UBK) protocol are supported. Embodiments described herein provide, support, employ, or implement hardware acceleration for a Hardware Security Module (HSM), for example, for cryptographic operations (e.g., block ciphers, digital signature schemes, and key exchange protocols).
Type: Grant
Filed: June 2, 2022
Date of Patent: April 29, 2025
Assignees: LG ELECTRONICS, INC., UNIVERSITY OF SAO PAULO
Inventors: Henrique S. Ogawa, Thomas E. Luther, Jefferson E. Ricardini, Helmiton Cunha, Jr., Marcos A. Simplicio, Jr., Harsh Kupwade-Patil
-
Patent number: 12284161
Abstract: A computer that provides a secure, virtual personalized network (SVPN) with one or more preconfigured digital wallets for a first user in the SVPN is described. Notably, the computer may execute a virtual machine that provides a container for the SVPN of the first user, and the first electronic device associated with the first user may execute an instance of an application that facilitates secure communication in the SVPN and/or conducting of one or more distributed secure transactions (such as a transaction associated with a cryptocurrency or a non-fungible token or NFT) via the SVPN. Moreover, the virtual machine may provide a container for the SVPN of the first user. This container may include the one or more preconfigured digital wallets associated with the first user, where a given preconfigured digital wallet includes cryptographic keys and a distributed ledger for use in conducting the one or more distributed secure transactions.
Type: Grant
Filed: May 16, 2022
Date of Patent: April 22, 2025
Assignee: Neone, Inc.
Inventors: Dave M Glassco, Karl Eric Jarvis
-
Patent number: 12277430
Abstract: Controlling and provisioning a robot of a virtual machine (VM) includes transmitting a connection request between a first service installed in a virtual machine and a second service. The robot is associated with at least one process running on the virtual machine. The virtual machine is authenticated based on a token associated with the second service and the virtual machine. A connection is established between the first service and the second service. A command is transmitted associated with the controlling of the robot from the second service to the first service based on the authentication of the virtual machine. The command is associated with a corresponding command identifier for identifying a type of the command. The command is then executed for controlling the robot.
Type: Grant
Filed: June 5, 2024
Date of Patent: April 15, 2025
Assignee: UiPath, Inc.
Inventors: Tao Ma, Clement Fauchere
-
Patent number: 12271885
Abstract: Methods and systems for enabling initialization of a device by a secondary user are described. A request is received, from a first device, to initialize the first device with an online account. A notification is transmitted to one or more administrative user devices associated with at least one administrative user associated with the online account, seeking approval of the request to initialize the first device. A response is received from at least one of the one or more administrative user devices, indicating approval to initialize the first device. A credential is transmitted to enable initialization of the first device with the online account.
Type: Grant
Filed: April 30, 2021
Date of Patent: April 8, 2025
Assignee: SHOPIFY INC.
Inventors: Sangwoo Kim, Albert Le, Brad Sokol, Polly Auyeung, Nabeel Chaudhry, Rahim Damji
-
Patent number: 12261931
Abstract: A system and method for provisioning confidential data such as unique credentials is described. The technique initializes a whitebox cryptographic software module to a particular PKI client to soft-lock whitebox cryptographic operations to the particular PKI client and uniquely encrypting the credentials with a node-locking key (NLK) derivable from a digital certificate.
Type: Grant
Filed: February 9, 2023
Date of Patent: March 25, 2025
Assignee: ARRIS Enterprises LLC
Inventors: Tat Keung Chan, Alexander Medvinsky, Rafie Shamsaasef, Fariba Barez
-
Patent number: 12244588
Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.
Type: Grant
Filed: July 10, 2023
Date of Patent: March 4, 2025
Assignee: Wells Fargo Bank, N.A.
Inventors: Nathan C. Freeling, Imran Haider, Ranganathan Kanchi, Andrew-An Truong Luu, Nancy Y. Mao, Kumaran Perumal
-
Patent number: 12244732
Abstract: Systems, apparatuses, methods, and computer-readable media for implementing confidential computing of one or more computing systems and/or devices using component authentication and data encryption with integrity and anti-replay mechanisms are disclosed. In some examples, the systems, apparatuses, methods, and computer-readable media described herein can perform various techniques, including one or more secure boot processes, component and data authentication, and data encryption with integrity and anti-replay, among other secure techniques. One implementation may include executing secure boot process based on authentication of a device identifier stored in a secure physical object of a processing device. Another implementation may include encrypting and storing a counter value corresponding to a cache line and generating an integrity tag value replacing error correction code bits associated with the cache line with the generated cache line tag value.
Type: Grant
Filed: July 2, 2021
Date of Patent: March 4, 2025
Assignee: SDG Logic Inc.
Inventor: Sergiu Ghetie
-
Patent number: 12244587
Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.
Type: Grant
Filed: July 10, 2023
Date of Patent: March 4, 2025
Assignee: Wells Fargo Bank, N.A.
Inventors: Nathan C. Freeling, Imran Haider, Ranganathan Kanchi, Andrew-An Truong Luu, Nancy Y. Mao, Kumaran Perumal
-
Patent number: 12244586
Abstract: Disclosed are methods, systems, and devices for facilitating secure and private communications, via a website or application of a third-party computing system (TPCS), between a user device and a service provider computing system (SPCS). The communications may be conducted via a frame in a website served by the TPCS. The TPCS may serve a website that incorporates a customizable SDK component provided by the SPCS. The communications allow the user to, for example, open a new account. The SDK component may be initialized via a script from the SPCS, and authenticated via a session token obtained from the SPCS via the TPCS. The SDK component may provide user information, input into the frame, to the SPCS via API calls to the SPCS. The user does not navigate away from the website while securely engaging the SPCS. The third-party/partner need not develop its own user interface, security protocols, etc.
Type: Grant
Filed: June 28, 2023
Date of Patent: March 4, 2025
Assignee: Wells Fargo Bank, N.A.
Inventors: Nathan C. Freeling, Imran Haider, Ranganathan Kanchi, Andrew-An Truong Luu, Nancy Y. Mao, Kumaran Perumal
-
Patent number: 12244735
Abstract: A copy protection method for an electronic system has one or more electronic units and one or more components which interact with the electronic unit, in which one or more public-key infrastructures having one or more certification authorities are used. The certification authority issues a first certificate for the electronic unit and a second certificate for the component, based on an identification feature of the electronic unit and of the component, respectively. To check authenticity of the component by means of the electronic unit, the respective certificates are mutually checked. The first certificate is premade and loaded onto the electronic unit when producing and/or configuring the electronic unit, and/or the second certificate is premade and loaded onto the component when producing and/or configuring the component.
Type: Grant
Filed: April 23, 2021
Date of Patent: March 4, 2025
Assignee: ETO MAGNETIC GmbH
Inventors: Sharang Deepak Parnerkar, Heike Grefe
-
Patent number: 12238225
Abstract: Systems and methods are disclosed for detecting nonlegitimate communications in a hybrid cloud system. An example method comprises receiving a request from a service on a public cloud platform, calculating a unique signature for the service, and verifying the calculated unique signature against a local signature table on the public cloud platform. If the calculated unique signature is verified, then the calculated unique signature is sent to a security signature service on a private cloud platform. If the calculated unique signature is also verified against a global signature table on the private cloud platform, then a response to the request is received from the security signature service.
Type: Grant
Filed: April 15, 2022
Date of Patent: February 25, 2025
Assignee: Dell Products, L.P.
Inventors: Yevgeni Gehtman, Tomer Shachar, Maxim Balin
-
Patent number: 12238517
Abstract: A system for micro-segmented networking is provided. A system controller is programmed to a) store a plurality of micro-segmented network accounts and a plurality of subscriber accounts, b) receive a request from a user device to activate a first micro-segmented network associated with a first subscriber account, c) authenticate the first subscriber account based on the subscriber information, d) activate the first micro-segmented network, including a plurality of device slots for a plurality of devices, e) transmit, to the user device, first device slot authentication information for a first device slot of the plurality of device slots; f) receive, from a first device connecting to the wireless network, the first device slot authentication information; g) authenticate the first device slot authentication information; and h) in response to authenticating the first device slot authentication information, connect the first device to the first micro-segmented network.
Type: Grant
Filed: February 3, 2022
Date of Patent: February 25, 2025
Assignee: Cable Television Laboratories, Inc.
Inventors: Darshak Thakore, Craig Pratt, Joshua F. Redmore, John C. Bahr, Brian A. Scriber, Brian Stahlhammer, Martha Lurie Lyons
-
Patent number: 12238090
Abstract: A device comprises a receive device which is designed to receive a data packet from a communication partner. The device comprises a data processing device which is configured to process the data packet in order to obtain a secret (e.g. predetermined) value. The device further comprises a transmit device which is designed to transmit a transmit message comprising information based on the secret value to the communication partner. The device further comprises an authentication device which is designed to receive a challenge message and to use the secret value to create a response message. The transmit device is designed to create the transmit message in such a way that it comprises the response message.
Type: Grant
Filed: February 26, 2021
Date of Patent: February 25, 2025
Assignee: Infineon Technologies AG
Inventor: Thomas Poeppelmann
-
Patent number: 12231572
Abstract: SSL is improved with stronger defense against an attack from a third party, in particular, an MITMA. A client and a server each have the function of generating the same solution under the same conditions. The client generates a first solution (S1002) and transmits the solution to the server (S1003). When receiving the solution, the server generates a solution (S2002) and authenticates the client if the solution agrees with the solution received from the client (S2003). The server generates a new solution (S2004), encrypts a server certificate and an SSL certificate (S2005) by using the solution, and then transmits the certificates to the client (S2006). The client generates a new solution (S1005) and decrypts the server certificate and the SSL certificate by using the solution (S1006). The subsequent processing is identical to that of current SSL communications.
Type: Grant
Filed: August 4, 2017
Date of Patent: February 18, 2025
Assignee: NTI, INC.
Inventors: Akira Iwata, Takatoshi Nakamura
-
Patent number: 12231584
Abstract: The present disclosure is directed to systems, methods, and non-transitory computer-readable media including sending, by a relying party computing system to a subscriber computing system, an Object Identifier (OID) of a relying party associated with the relying party computing system, receiving, by the relying party computing system from the subscriber computing system, a certificate of a subscriber associated with the subscriber computing system, the certificate includes a public key of the subscriber, determining, by the relying party computing system, whether the certificate includes the OID of the relying party, and in response to determining that the certificate includes the OID of the relying party, using by the relying party computing system the public key in the certificate of the subscriber.
Type: Grant
Filed: November 23, 2022
Date of Patent: February 18, 2025
Assignee: Wells Fargo Bank, N.A.
Inventor: Jeff J. Stapleton
-
Patent number: 12229681
Abstract: A trusted graph data node classification method includes: (1) inputting a topological graph and node features, and calculating a discrete Ricci curvature of the discrete topological graph; (2) preprocessing the curvature and the node features; (3) mapping the curvature, reconstructing original features, and performing a semi-supervised training on graph data containing adversarial examples; and (4) performing a classification on unlabeled nodes. The new method uses a discrete curvature to extract topological information, and uses a residual network to reconstruct node feature vectors without knowing the technical details of the adversarial examples, and without using a large number of adversarial examples for adversarial training. Hence, the system effectively defends against attacks from adversarial examples on the graph data, outperforms the existing mainstream models in terms of accuracy when used in data without adversarial examples, and is thus a trusted node classification system.
Type: Grant
Filed: May 20, 2021
Date of Patent: February 18, 2025
Assignees: XIDIAN UNIVERSITY, XI'AN XIDIAN BLOCKCHAIN TECHNOLOGY CO., LTD.
Inventors: Yang Xiao, Qingqi Pei, Zhuolin Xing
-
Patent number: 12216802
Abstract: Systems and methods for generating certified images and incident reports are disclosed. An image capture device can be used to capture an image and integrate metadata from camera sensors as well as other ancillary device sensors into the image. The image and its metadata can then be certified upon a check that the image and its metadata are authentic and unaltered. The image and its metadata can then be included in or as a part of an incident or other report describing an incident or event such as an accident or a crime. The image and/or incident report may be maintained at a cloud-based server for viewing, authorized editing, and subsequent distribution.
Type: Grant
Filed: January 9, 2023
Date of Patent: February 4, 2025
Assignee: IMAGEKEEPER LLC
Inventors: Jerry Speasl, Marc Roberts, Mike Patterson
-
Patent number: 12212694
Abstract: Systems, methods, and computer-readable media for managing digital certificates and other security credentials. A routing and management server is communicatively connected to a certificate user device and to a plurality of certificate generators. The server performs operations that may include: optionally registering the certificate user device; receiving a request for one or more digital certificates from the certificate user device; analyzing the request to determine an appropriate certificate generator, from among the plurality of certificate generators, for producing the one or more digital certificates; optionally translating the request into a format required by the appropriate certificate generator; transmitting the request to the appropriate certificate generator; receiving the one or more digital certificates from the appropriate certificate generator; and providing the one or more digital certificates to the certificate user device.
Type: Grant
Filed: October 20, 2023
Date of Patent: January 28, 2025
Assignee: INTEGRITY SECURITY SERVICES LLC
Inventors: David R. Sequino, Amit Kapoor
-
Patent number: 12212556
Abstract: Various embodiments set forth a method comprising receiving, at a server node from a client node, a client compression dictionary that includes one or more first mappings between one or more first index values and one or more data entries included in a certificate cache of the client node; identifying, in response to receiving the client compression dictionary and based on the client compression dictionary, one or more certificates that should be transmitted to the client node; and transmitting, from the server node to the client node, the one or more identified certificates.
Type: Grant
Filed: December 2, 2021
Date of Patent: January 28, 2025
Assignee: ITRON, INC.
Inventors: Kalvinder Pal Singh, Zoltan Peter Kiss, Darin Byron Johnson
-
Patent number: 12206769
Abstract: A method for data security implemented as an application on a device includes generating a request for one or more secret shares needed to reconstruct a key. The device stores a first secret share in its memory. The method also includes signing the request with a certificate that identifies the request as valid without identifying the device, and sending the request, signed with the certificate, to at least one other device. The method further includes receiving, from the at least one other device, the one or more secret shares, determining whether the one or more secret shares received from the at least one other device is sufficient to reconstruct the key, and reconstructing the key using the first secret share and the one or more secret shares upon determining that the one or more secret shares are sufficient to reconstruct the key.
Type: Grant
Filed: August 28, 2023
Date of Patent: January 21, 2025
Assignee: Nagravision Sàrl
Inventor: Tommaso Gagliardoni
-
Patent number: 12199971
Abstract: Disclosed are various examples for transferring device identifying information during authentication. An enrollment request is received from a management component executed by a client device. A management service generates a unique device identifier for the client device and embeds it within a certificate to generate a device-identifying certificate. The management service instructs a certificate authority service to generate a public key that includes the unique device identifier and a private key for the client device, and provides the device-identifying certificate and the private key to the client device.
Type: Grant
Filed: June 16, 2021
Date of Patent: January 14, 2025
Assignee: Omnissa, LLC
Inventors: Emily Hong Xu, Lloyd Spencer Evans, Lakshman Rao Abburi, Tomas Boman
-
Patent number: 12200125
Abstract: Aspects of secure inter-application data communications are described. In one example, a first application executing on a computing device obtains an identity certificate. The identity certificate can include a unique identifier of the computing device and a public key of the first application. To obtain the public keys of other applications executing on the computing device, the first application can query a management computing environment using the identity certificate. Once the computing device is authenticated by the management computing environment, the management computing environment can store the public key of the first application and return any public keys of other applications executing on the computing device. Once the public keys have been exchanged between the applications, the applications can encrypt and sign data packages for secure data communications between each other.
Type: Grant
Filed: August 10, 2021
Date of Patent: January 14, 2025
Assignee: Omnissa, LLC
Inventors: Eugene Liderman, Stephen Louis Turner, Simon Brooks
-
Patent number: 12192323
Abstract: An encryption/decryption method is disclosed, where the input data string is described in term of consecutive groups of alternating same type bits, where one of these groups of same type bits is defined as a preferred group with the other groups having either lower or higher number of same type bits, where the data string is partitioned into variable length processing strings where the variable length is determined by the occurrence of the preferred group or of a determined number of bits consisting of groups of lower number of same type bits, where these variable length processing strings are encrypted function of the configuration and content of each processing string only, where consecutive processing strings are additionally encrypted based on their content only, where further encryption is performed from permutations of select partitions of groups of processing strings only as well as from permutations of select partitions of consecutive processing strings, where all said encryption means creating a tota
Type: Grant
Filed: January 11, 2022
Date of Patent: January 7, 2025
Inventor: Radu Mircea Secareanu
-
Patent number: 12177366
Abstract: A method and system for linking a physical artifact to a non-fungible token (NFT) with a digital certificate and/or a digital certificate of authenticity (COA) are disclosed herein. The method and system use multiple attestations along with digital ledger technology to provide a digital certificate of authenticity for an object such as a work of art, collectible, or a non-fungible token (NFT) when the NFT is minted. An extended physical backed token (EPBT) is also generated for the physical artifact.
Type: Grant
Filed: November 16, 2022
Date of Patent: December 24, 2024
Assignee: Verisart, Inc.
Inventors: Robert Norton, Bradford Lindsley Schlei, Shelley Ann Mannion, John Wood, Marcus Ramsden
-
Patent number: 12166756
Abstract: An example operation may include one or more of receiving a request for storage at a blockchain network, attaching, via a blockchain node, a verifiable credential created by a self-sovereign identity (SSI) network to a blockchain transaction associated with the request, where the verifiable credential includes a claim of the blockchain node and a proof of the SSI network that created the verifiable credential, transmitting the blockchain transaction and the attached verifiable credential to one or more other blockchain nodes, and storing the blockchain transaction and the attached verifiable credential via a data block on the blockchain.
Type: Grant
Filed: February 24, 2021
Date of Patent: December 10, 2024
Assignee: International Business Machines Corporation
Inventors: Petr Novotny, Venkatraman Ramakrishna, Chander Govindarajan, Dushyant K. Behl, Bishakh Chandra Ghosh, Nitin Gaur
-
Patent number: 12143818
Abstract: An electronic device and a method for performing a peer to peer (P2P) service in the electronic device are provided.
Type: Grant
Filed: August 5, 2022
Date of Patent: November 12, 2024
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sangyoun Lee, Yongju Kim, Seongjun Lee, Hyomoon Jeong
-
Patent number: 12143509
Abstract: Technology is shown for verifying a leaf certificate in a PKI chain of trust involving receiving a leaf certificate signed by an intermediate certificate embedded in the leaf certificate. The intermediate certificate is extracted from the received leaf certificate and its public key used to calculate a signature for the received leaf certificate. The calculated signature is compared to a signature included in the received leaf certificate. The received leaf certificate is verified when the calculated signature matches the signature included in the received leaf certificate. The intermediate certificate can be included as an X.509 property of the leaf certificate.
Type: Grant
Filed: January 26, 2022
Date of Patent: November 12, 2024
Assignee: Microsoft Technology Licensing, LLC
Inventors: Pu Liu, Yingchang Charley Zhang, Akshay Kishor Kulkarni, Deyang Gu, Lucius B. Fleuchaus, Phililp Joseph Hallin
-
Patent number: 12137499
Abstract: An electronic device is provided. The electronic device includes a touchscreen display; first communication circuitry to establish a short-range communication connection; second communication circuitry to establish a cellular communication connection; and a processor.
Type: Grant
Filed: August 25, 2021
Date of Patent: November 5, 2024
Assignee: Samsung Electronics Co., Ltd
Inventors: Soon Hyun Cha, Sun Min Hwang, Tae Sun Yeoum, Duckey Lee, Sang Soo Lee
-
Patent number: 12131312
Abstract: According to another embodiment, a method for invoicing and payments in an integrated supplier network may include: (1) receiving, at a supplier interface for a payments computer program, an invoice from a supplier; (2) receiving, at a buyer interface for the payments computer program, a payment allocation for the invoice, wherein the payment allocation may be associated with a supplier attestation for the supplier; (3) transferring, by the payments computer program, funds for the payment allocation to a liquidity pool, wherein the funds are commingled with other funds in the liquidity pool; (4) receiving, at the supplier interface, the supplier attestation, and a request to withdraw at least a portion of the funds for the payment allocation; and (5) retrieving, by the payments computer program, the portion of the payment allocation to a supplier account with the integrated supplier network.
Type: Grant
Filed: May 11, 2021
Date of Patent: October 29, 2024
Assignee: JPMORGAN CHASE BANK, N.A.
Inventors: Catherine D. Faulk, Matthew C. Taylor, Christine Moy, George Kassis, Tyrone Lobban
-
Patent number: 12120522
Abstract: There is provided mechanisms for provisioning of an application level identity from an ID backend server to a communication device. The provisioning of the application level identity is protected using TLS-, DTLS-, or OSCORE-based secure communication. The communication device comprises an identity module configured for interaction according to GSMA RSP based remote subscription profile download. The methods are performed by the communication device and the ID backend server.
Type: Grant
Filed: June 12, 2019
Date of Patent: October 15, 2024
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Per Ståhl, Bernard Smeets
-
Patent number: 12119123
Abstract: This disclosure describes systems and methods using blockchain for in-vehicle health and wellness tracking. An example method may include receiving a request for a vehicle from a mobile device of a user. The example method may also include receiving, from a pathogen detector device within a first vehicle, an indication that a number of pathogens within the first vehicle is less than a threshold amount. The example method may also include assigning the first vehicle to the user based on the indication that the number of pathogens within the first vehicle is less than a threshold amount.
Type: Grant
Filed: October 8, 2021
Date of Patent: October 15, 2024
Assignee: Ford Global Technologies, LLC
Inventors: Jay Z. Chen, Matthew Cassoli, Pramita Mitra, Josh Fodale, Spencer White, John Wayne Jaranson
-
Patent number: 12113359
Abstract: An apparatus and methods are disclosed for monitoring the operation of an electrical power-transfer system and detecting and handling hazardous and undesirable system states. In accordance with one embodiment, an electrical signal is injected into the electrical power-transfer system. During or after the injection of the electrical signal, an electrical property between a first sensor and a second sensor are measured to obtain a measurement. The electrical power-transfer system is determined to be in a hazardous state based on the measurement, and in response to the determination one or more actions are performed to correct the hazardous state.
Type: Grant
Filed: August 18, 2023
Date of Patent: October 8, 2024
Assignee: GoPlug Inc.
Inventors: George Betak, Donald J. Christian, John J. Matranga
-
Patent number: 12099594
Abstract: Disclosed is a method and apparatus for verifying socket connections. The method includes receiving a socket connection request and determining a process executable that initiated the socket connection request. The method further includes determining, by a processing device, whether verification data associated with the process executable corresponds to expected verification data of the process executable. Finally, the method includes in response to the verification data corresponding to the expected verification data, permitting a socket connection corresponding to the socket connection request.
Type: Grant
Filed: March 8, 2024
Date of Patent: September 24, 2024
Assignee: Here Enterprise Inc.
Inventors: Chuck Doerr, Andrew Westacott
-
Patent number: 12101306
Abstract: Systems and methods are provided that may be implemented to orchestrate trusted enrollment of an endpoint client information handling system by deploying a signed payload of an enrollment package to the endpoint client system, and by using a client software agent executing on the endpoint client system to first verify the distribution chain and/or signature of the deployed enrollment package before proceeding to use other information contained in the enrollment package to contact a registration server to enroll the endpoint client system.
Type: Grant
Filed: August 26, 2021
Date of Patent: September 24, 2024
Assignee: Dell Products L.P.
Inventors: Chooi Peng Low, Michael Phillips
-
Patent number: 12095904
Abstract: A method includes encrypting a first message that contains a first public key of a first peer, by using a second public key of a second peer; and decrypting a second message sent from the second peer by using a first private key paired with the first public key. The second message may be encrypted at the second peer by using the first public key, and may contain an encrypted data encrypted by the second peer using the second public key and hashed by using a secret key of the first peer. The first public key, the second public key, the first private key and the secret key may be physically unclonable function (PUF)-based keys.
Type: Grant
Filed: December 7, 2022
Date of Patent: September 17, 2024
Assignee: TAIWAN SEMICONDUCTOR MANUFACTURING COMPANY LTD.
Inventor: Mei-Chien Liu
-
Patent number: 12088577
Abstract: Various embodiments of the present disclosure include a scalable distributed computing and network system that is configured to install, update or revoke certificates in a multitude of passive devices in many isolated networks. Various embodiments may include a processor in a computing device associating a certificate profile with one or more passive devices in a plurality of passive devices in one or more isolated networks, generating a certificate signing request (CSR) message for each of the associated passive devices, sending the generated CSR messages to a certificate authority, receiving digital certificates from the certificate authority, and sending the received digital certificates to their respective associated passive devices.
Type: Grant
Filed: October 26, 2020
Date of Patent: September 10, 2024
Assignee: Viakoo, Inc.
Inventors: David A. Nelson-Gal, Alex B. Sternberg, Eric L. Green, Maxwell A. Nelson-Gal, Shibani P. Thakkar
-
Patent number: 12081535
Abstract: Systems and methods are directed to improvements for secure communications between client systems and a vehicle integration platform associated with a service provider entity. In one example, a communication infrastructure is provided which includes a vehicle integration platform that includes a plurality of application programming interfaces configured to facilitate communication among clients. The communication infrastructure includes a security integration system which is configured to receive and validate a client certificate forwarded to the vehicle integration platform from a client and determine an identity of the client and an origin of a request associated with the client certificate.
Type: Grant
Filed: May 24, 2021
Date of Patent: September 3, 2024
Assignee: Uber Technologies, Inc.
Inventors: Andrii Iasynetskyi, Matthew Charles Ellis Wood, Mark Yen, Meenakshi Vohra, Roman Kuzmenko
-
Patent number: 12058274
Abstract: Described herein is a method and network-security monitoring platform, also identified as Security Network Monitoring Platform (SNMP), for detecting anomalies in SSL and/or TLS communications set up in a communications network. The SNMP analyses data packets (DP) for detecting anomalous SSL and/or TLS handshake procedures in a monitoring interval, wherein each SSL and/or TLS handshake procedure comprises a first message sent by a respective client to a respective server for starting the respective SSL or TLS communication, and a corresponding second message sent by the respective server to the respective client. Next, the SNMP determines for each handshake procedure a first signature as a function of the data sent with the first message and a second signature as a function of the data of one or more certificates of the chain of certificates (CERT) sent with the second message. The SNMP then analyses the first and the second signatures to determine the respective popularity values.
Type: Grant
Filed: June 14, 2022
Date of Patent: August 6, 2024
Assignee: AIZOON S.r.l.
Inventors: Daniele Ucci, Filippo Sobrero, Federica Bisio
-
Patent number: 12047422
Abstract: Examples herein describe systems and methods for application-specific compliance enforcement. An example method can include receiving, at a user device, profiles containing application-specific restrictions. When a first application is opened, a management agent compares the corresponding application-specific restrictions with current device settings. This can be done with a checksum comparison where the checksums are created based on a hash with an application- or profile-specific identifier. If they differ, the management agent stores the current device settings and prompts for, or automatically changes, the device settings to new compliant values before allowing the first application to operate in the foreground of the user device screen. If the first application is closed or minimized, the stored device settings can be restored. The management agent can compare those against application-specific restrictions of the second application before allowing the second application to run in the foreground.
Type: Grant
Filed: September 13, 2021
Date of Patent: July 23, 2024
Assignee: VMware LLC
Inventors: Gaurav Verma, Manjunath Subramani, Suchit Shivashankar, Karthikeyan Palanisamy
-
Patent number: 12047369
Abstract: In variants, a fleet management method can include determining information about a device S100; sending information to a device S200, and operating the device according to the information S300 (e.g., example shown in FIG. 1). The fleet management system can function to scalably manage the operation and permissioning of one or more fleets of devices.
Type: Grant
Filed: July 21, 2023
Date of Patent: July 23, 2024
Assignee: Viam Inc.
Inventors: Eliot Horowitz, Eric Daniels
-
Patent number: 12039309
Abstract: At least one processor causes an information processing apparatus to act as the following units. A first installation unit installs a first application. A second installation unit installs a second application for activating the first application. An acquisition unit acquires identification information unique to the first application installed by the first installation unit. An acceptance unit accepts a request for activation of the first application which uses a deep link. A first determination unit, in a case where the acceptance unit accepts a request for activation, determines whether or not to activate, by the second application, the first application by using the identification information acquired by the acquisition unit. An activation unit activates, by the second application, the first application based on a result of the determination by the first determination unit.
Type: Grant
Filed: July 28, 2021
Date of Patent: July 16, 2024
Assignee: Canon Kabushiki Kaisha
Inventor: Keisuke Wada
-
Patent number: 12034853
Abstract: In some aspects, methods and systems for a digital trust architecture are provided. In some aspects, the architecture includes a user account provisioning process. The provisioning process may make use of in person verifications of some personal information to ensure authenticity of the user information. Once the authenticity of user information is established, an account may be created. The user account may include a user email account, with integrated access to digital certificates linked to the user account. Account creation may also automatically publish the new user's public key in a publicly accessible directory, enabling encrypted email information to be easily sent to the new user.
Type: Grant
Filed: December 12, 2022
Date of Patent: July 9, 2024
Assignee: United States Postal Service
Inventor: Clayton C. Bonnell
-
Patent number: 12034873
Abstract: An apparatus operating as a certificate authority (CA) is described. The apparatus can perform operations including receiving, from a plurality of requesting devices, a request to join a group. The request can include identification information for the group and attestation evidence for the plurality of requesting devices. Responsive to receiving the request, the apparatus can provide a group certificate for the group to the plurality of requesting devices.
Type: Grant
Filed: March 27, 2020
Date of Patent: July 9, 2024
Assignee: Intel Corporation
Inventors: Bhushan Girishkumar Parikh, Hari K. Tadepalli, Stephen T. Palermo, Thomas Joseph O'Dwyer, Abhilasha Bhargav-Spantzel, Ned M. Smith
-
Patent number: 12026535
Abstract: Controlling and provisioning a robot of a virtual machine (VM) includes transmitting a connection request between a first service installed in a virtual machine and a second service. The robot is associated with at least one process running on the virtual machine. The virtual machine is authenticated based on a token associated with the second service and the virtual machine. A connection is established between the first service and the second service. A command is transmitted associated with the controlling of the robot from the second service to the first service based on the authentication of the virtual machine. The command is associated with a corresponding command identifier for identifying a type of the command. The command is then executed for controlling the robot.
Type: Grant
Filed: September 27, 2021
Date of Patent: July 2, 2024
Assignee: UiPath, Inc.
Inventors: Tao Ma, Clement Fauchere
-
Patent number: 12015718
Abstract: A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority.
Type: Grant
Filed: November 13, 2022
Date of Patent: June 18, 2024
Assignee: Signix, Inc.
Inventor: Robert T. Oswalt
-
Patent number: 12015690
Abstract: An embodiment includes a method of client-server trust management. The method includes receiving, at a client device, a public key of a system server and locally seeding the public key in a secure storage at the client device. The method includes receiving a certificate list signed by a private key of the system server and verifying a source of the certificate list using the seeded public key. The method includes initiating a handshake process with a second device during which a digital device certificate of the second device is received. The method includes halting the handshake process and validating the second device by matching the digital device certificate with a certificate included on the verified certificate list. Based on the validation, the method includes managing a communication session with the second device to enable or prevent data transfer between the client device and the second device.
Type: Grant
Filed: February 9, 2022
Date of Patent: June 18, 2024
Assignee: Ivanti, Inc.
Inventors: Gregory Paul Olsen, Blake Alan Thompson, Tanner Reese Lindsay
-
Patent number: 12015598
Abstract: Methods and apparatus to enable a distinction between “new” and “used” digital content and to enable a market in used digital content files between mobile phone terminals and an electronic store, securely, by means of a wireless telephony network and a server complex to handle contents right management, transaction reporting, inventory, content delivery, payment, and billing. A server receives a signal generated by a wireless user device that was sent over a wireless telephony network. The signal indicates an election for returning at least one previously purchased digital content item. The server deletes user rights for the at least one digital content item identified by the received signal and sends information to the user device that generated the signal. Access to the associated digital content item at the user device is removed according to the sent information.
Type: Grant
Filed: August 8, 2022
Date of Patent: June 18, 2024
Assignee: Integic Technologies LLC
Inventors: William L. Valenti, Edward P. Flinchem
-
Patent number: 12015722
Abstract: Methods and network interface devices for establishing a secure and authenticated network connection are provided. The method comprises: receiving, from a requesting entity, a destination IP address and a first certificate that is used to establish a secure network connection, wherein the first certificate comprises a first security attribute that is associated with a source destination IP address; identifying, with aid of one or more processors, a stored second security attribute associated with the destination IP address; and determining, with aid of the one or more processors, a policy action based at least in part on the first security attribute and the second security attribute.
Type: Grant
Filed: December 20, 2018
Date of Patent: June 18, 2024
Assignee: Pensando Systems, Inc.
Inventors: Vipin Jain, Ravi Kumar Gadde, Enrico Schiattarella, Sukhesh Halemane
-
Patent number: 12008560
Abstract: An on-boarding server is configured to receive a data set and a manufacturer identifier from a communications device, validate an identity of an entity from the data set, and locate a first terminal cryptographic key associated with the manufacturer identifier in a terminal database. The on-boarding server is configured to confirm, using the located first terminal cryptographic key, that the manufacturer identifier received from the communications device was signed with a second terminal cryptographic key. The located first terminal cryptographic key and the second terminal cryptographic key are an asymmetric cryptographic key pair. The on-boarding server is configured to determine an acquirer server from the data set, and authorize the entity to effect electronic payments by providing the communications device with a merchant identifier and transmitting the merchant identifier to the acquirer server.
Type: Grant
Filed: April 17, 2023
Date of Patent: June 11, 2024
Assignee: The Toronto-Dominion Bank
Inventors: Robert Hayhow, Jeffrey Aaron Ecker, Igor Elkhinovich, Keith Willard