Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.

Abstract: A machine implemented method of communication between server and remote device, the method comprising: determining an availability and address of the remote device on a network for communication with the server; obtaining a public key attributed to the remote device; signing the public key attributed to the remote device with a private key of the server and so generating a digitally signed certificate to verify the ownership of the public key as the remote device; and transmitting the digitally signed certificate to the remote device.

Abstract: A gateway (GW) in a wireless communication system, according to the present disclosure is provided. The GW generates self-signed authentication information, allocates the self-signed authentication information to at least one device, transmits a registration request message for requesting registration of the at least one device to a server if a certificate channel with the at least one device is generated based on the self-signed authentication information, and transmits certificate information for the at least one device to the at least one device if the certificate information for the at least one device is received from the server.

Abstract: A network of electronic appliances includes a plurality of network units of electronic appliances. The network units include a first network unit and a plurality of second network units. The first network unit is connected to at least one of the second network units. Each of the network units includes a stem server and a plurality of peripheral devices connected to the stem server. The stem server includes at least one passcode and at least one list of a plurality of registration codes. Each list is associated to a respective passcode. Each registration code of one list associating to one passcode corresponds to a respective peripheral device. Each registration code is generated in response to a respective passcode using physical randomness of a respective peripheral device in correspondence to the passcode. An address of each identification cell is defined by several word lines and bit lines.

Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.

Abstract: The present invention discloses a method, a device and a mobile browser client for realizing centralized management of intelligent hardware devices by an APP, wherein the method comprising: identifying identification information of an intelligent hardware device via an identification interface provided by an APP on a mobile terminal; based on the information identifying, establishing a bluetooth connection between the mobile terminal and the intelligent hardware device; acquiring, by the APP, hardware controlling information of the intelligent hardware device through the bluetooth connection; and providing, in the APP, a display interaction interface which is based on the hardware controlling information.

Abstract: A display device includes: a first wireless communication unit which performs wireless communication in a first format with an external device; a storage unit which stores connection information used in the wireless communication in the first format; a change unit which changes the connection information stored in the storage unit; and a display unit which displays an image received via the first wireless communication unit from the external device. A first information processing device includes: a wireless reader/writer which performs wireless communication in a second format in order to read information from or write information in a wireless tag; an acquisition unit which acquires the changed connection information; and a writing unit which outputs, to the wireless reader/writer, a signal for writing the connection information acquired by the acquisition unit into a first wireless tag.

Abstract: A method for generating a changing authentication input or password generation input for a user is provided. The method allows access to a computing device such as a smartphone or computer or using the computing device to communicate over a network to a server. Using recognizable objects displayed in positions on a graphic display, and input strings of text or alphanumeric characters the user has identified as related information relating to each recognizable object, a password or authentication can be generated by combining the input strings relating recognizable objects to paired related objects. Authentication can be varied easily for each access attempt by changing the recognizable objects displayed and/or the sequence of responses.

Abstract: One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.

Abstract: Examples of the disclosure remotely activate a secure device for application development. A request is received at a device entitlement component for a developer kit from a secure device in a user mode via a network. A determination is made as to whether the secure device is in at least one allowed development group. In response to determining that the secure device is in the at least one allowed development group, a certificate is generated defining a permissions level associated with the developer identifier for the secure device. The certificate is transmitted to the secure device, including a key that interacts with a security processor of the secure device to convert hardware capabilities of the secure device to provide a developer mode at the secure device.

Abstract: In a wireless data network, network circuitry serves a wireless user device with hardware-trusted wireless data communications. The network circuitry comprises a physically-embedded hardware trust code and maintains hardware trust with a hardware trust server based on the physically-embedded hardware trust code. The network circuitry determines when a network server has hardware trust. The network circuitry determines when a wireless user device has hardware trust. The processing circuitry then exchanges user data between the wireless user device the network server when both the wireless user device and the network server have hardware trust. The processing circuitry does not exchange the user data between the wireless user device the network server when the wireless user device or the network server lack hardware trust.

Abstract: A memory device includes a memory cell array comprising a plurality of memory cells wherein each of the plurality of memory cells is configured to be in a data state, and a physically unclonable function (PUF) generator. The PUF generator further includes a first sense amplifier, coupled to the plurality of memory cells, wherein while the plurality of memory cells are being accessed, the first sense amplifier is configured to compare accessing speeds of first and second memory cells of the plurality of memory cells, and based on the comparison, provide a first output signal for generating a first PUF signature.

Abstract: A system to sign and authenticate secure transactions with an institution through a communications network, comprising a terminal connected to a communications network; a remote server with a database that stores for each user the user data userID, a private password encrypted K?priv, userID, a first security password K?mac, userID to generate an authentication password Kmac, userID and an identifier of the mobile device, Id?cel,userID; a mobile communication device of a user comprising a security code pin; an application, a transport password Ktransporte; a public password encrypted K?pub, userID and a second security password K?mac, userID for generating said authentication password Kmac, userID; and a remote hardware security module. A method to sign and authenticate secure transactions with an institution through a communications network with said system.

Abstract: Methods, systems, and computer programs for using an implicit certificate are described. In some aspects, an implicit certificate is accessed. The implicit certificate is associated with an entity and generated by a certificate authority. The implicit certificate includes a public key reconstruction value of the entity. Certificate authority public key information is accessed. The certificate authority public key information is associated with the certificate authority that issued the implicit certificate. A first value is generated based on evaluating a hash function. The hash function is evaluated based on the certificate authority public key information and the public key reconstruction value of the entity. A public key value of the entity can be generated or otherwise used based on the first value.

Abstract: An abstraction layer in a gaming environment intercepts calls to standard random number and user selection functions and returns data based on game operating mode and data availability. When operating as a Class 2 game, random number data may be received from a server while in a Class 3 game, random numbers may be received from a local random number generator. In a history mode or power recovery mode, calls for both random numbers and user selections may be supplied from a file storing data from a previously played or an interrupted game, respectively. Pay table testing may be accommodated by using predetermined random numbers resulting in known reel or other outcome states. The abstraction layer isolates game code from the unique requirements of the different modes of operation required for operating environment or regulatory compliance.

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

Abstract: Managing validity status of at least one associated credential includes providing a credential manager that selectively validates associated credentials for at least one device, the device invalidating a corresponding associated credential, and the device requesting that the credential manager validate the corresponding associated credential after invalidating the associated credential. The associated credential may be invalidated based on an external event, such as a user invalidating the associated credential from a UI of the device, a user improperly entering a pin value, a user indicating that a corresponding device is lost, the device entering sleep mode, the device locking a user interface thereof, the device shutting down, and a particular time of day. The at least one associated credential may be provided on an integrated circuit card (ICC) that may be part of a mobile phone and/or a smart card.

Abstract: Methods and systems for faster and more efficient smart card logon and for giving a client device full domain access in a remote computing environment are described herein. Components used to implement fast smart card logon may also be used to implement a federated full domain logon. A virtual smart card credential, which may be ephemeral, may be issued based on the acceptance of an external authentication event. Example external authentication events include logon at a Security Assertion Markup Language (SAML) Identity Provider, smart card authentication over TLS or SSL, and alternative authentication credentials such as biometrics or one-time password (OTP) without AD password. Moreover, the certificate operation interception components from fast smart card logon may be used to enable interaction with the virtual smart card without fully emulating a smart card at the PC/SC API level.

Abstract: One embodiment allocates a first virtual memory; receives executable code of a first piece of software; writes the executable code of the first piece of software directly into the first virtual memory; marks the first virtual memory as executable; executes the executable code of the first piece of software directly from the first virtual memory; and downloads and executes executable code of a second piece of software as facilitated by the executable code of the first piece of software.

Abstract: A computing device includes a processor and a persistent memory for storing information about a first public key associated with a first asymmetric key pair for authenticating the source of a digital certificate. The computing device also includes a second memory for storing one or more current key version indicators. Each of the current key version indicators is associated with a corresponding secondary public key, and the one or more current key version indicators are used by the processor to determine the trust of the corresponding secondary public key.

Abstract: In an authentication method according to the present disclosure, (1) a device transmits device history information with a CRL added thereto (hereinafter, device history information with added CRL) to a controller, (2) the controller transmits the device history information with added CRL to a server, and (3) if the version of the CRL included in the device history information with added CRL is older than the version of the CRL stored on the server, the server judges that the controller is unauthorized.

Abstract: The subject matter discloses a method operated on at least two servers for a third-party client, the method comprising receiving by a first server a first result of the first irreversible function applied to a secret key from a first third-party client, receiving by a second server a second result of the second irreversible function applied to the secret key from the third-party client, receiving by the first server, a message from a second third-party client, the first server computing a first hash function on said first result and on said message, and sending a result of the first hash function from the first server to the second server, the second server computing a second hash function on said second result and on the result of the first hash function sent from first server and outputting the result generated by second server as HMAC result.

Abstract: A method is provided in one example embodiment and includes receiving a traffic flow at a tamper resistant environment from an application, where the tamper resistant environment is separated from a host operating system. The method also includes applying a security token to the traffic flow and sending the traffic flow to a server. In specific embodiments, a security module may add information about the application to traffic flow. A trapping module may monitor for a memory condition and identify the memory condition. The trapping module may also, responsive to identifying the memory condition, initiate a virtual environment for the application, and check the integrity of the traffic flow.

Abstract: A method and apparatus for controlling document access and application usage using centrally managed rules. The rules are stored and manipulated in a central rule database via a rule server. Policy enforcers are installed on client systems and/or on servers and perform document access and application usage control for both direct user document accesses and application usage, and application program document accesses by evaluating the rules sent to the policy enforcer. The rule server decides which rules are required by each policy enforcer. A policy enforcer can also perform obligation and remediation operations as a part of rule evaluation. Policy enforcers on client systems and servers can operate autonomously, evaluating policies that have been received, when communications have been discontinued with the rule server.

Abstract: A method includes, for respective queues of a plurality of queues stored in a storage: generating, using a processor, a private key-public key pair; and storing the private key-public key pair to a back of the queue. The private key-public key pair may include a private key and a public key. The method also includes receiving a request from a certificate user to utilize a private key-public key pair. The method further includes retrieving a first private key-public key pair from a front of a first queue of the plurality of queues. The method also includes using the first private key-public key pair and generating a new private key-public key pair to replace the first private key-public key pair. The method also includes storing the new private key-public key pair to a back of the first queue.

Abstract: A method for securing data and safeguarding its origin, in which the data are transmitted from a customer device to a center in an encrypted manner using digital keys and certificates. The encryption includes the steps of generating several key pairs at a center and transmitting keys, key-encrypted keys, and encrypted data to a customer device. The customer device is afterwards able to transmit data encrypted by a safe key to the center. The data may be a PIN code.

Abstract: Disclosed are various embodiments for facilitating the distribution of files from a file repository. Files from a file repository can be distributed via peer to peer transmissions where the peer devices can perform authentication functions. The authentication can be performed based upon metadata associated with the files as well as based upon authentication requests submitted to an authentication server.

Abstract: In one embodiment, a security provisioning service automatically establishes trust in a device. Upon receiving a provisioning request, a security provisioning service identifies a verification item that is associated with the provisioning request. The security provisioning service performs one or more verification operations based on the provisioning request to determine whether the provisioning request is authorized. If the provisioning request is authorized, then the provisioning service establishes a verifiable identification for the device that is assured by the secure provisioning service and then executes the provisioning request. By automatically performing the verification operations to establish trust in the device, the provisioning service eliminates manual identification assurance operations that are performed as part of a conventional security provisioning process.

Abstract: A method for a manipulation protection of useful data packets to be transmitted via a bus system between at least two system components, wherein the system components include a signing and signing test unit by which data packets can be generated and tested. A first one of the system components generates an independent protective data packet with protective information for a useful data packet to be transmitted via the bus system, which protective data packet is independent of this useful data packet but, can be allocated unambiguously to it, after which the generated protective data packet is sent out separately from the associated useful data packet via the bus system to the second one of the system components and a verification of the authenticity of the useful data packet to be transmitted is effected by the transmitted protective data packet by the second one of the system components.

Abstract: The present disclosure is directed to secure sensor data transport and processing. End-to-end security may prevent attackers from altering data during the sensor-based security procedure. For example, following sensor data capture execution in a device may be temporarily suspended. During the suspension of execution, sensor interface circuitry in the device may copy the sensor data from a memory location associated with the sensor to a trusted execution environment (TEE) within the device. The TEE may provide a secure location in which the sensor data may be processed and a determination may be made as to whether to grant access to the secure resources. The TEE may comprise, for example, match circuitry to compare the sensor data to previously captured sensor data for users that are allowed to access the secured resources and output circuitry to grant access to the secured resources or to perform activities associated with a security exception.

Abstract: For communication of a first participant with at least one additional participant in a communication system via multiple protocols, the protocols using at least two different certificate formats, the first participant uses different certificates with the respective certificate formats for the communication via the different protocols, the different certificates being based on a shared public key. The first participant holds a shared associated private key for the different certificates. Provision of the certificates for the first participant includes generating the public key and the associated private key, signing the public key for provision of the first certificate, and signing the public key for provision of the second certificate.

Abstract: The invention provides a process for authenticating an identity of a user accessing a location in a secure manner using a communications device that is in direct communication with an independent server and in secondary communication with a second server, the communications device having a user interface and an input module, the process including the steps of hosting device information on the independent server for validation; generating and sending a user prompt from the device to the independent server for validation, and if validated as correct, creating a device ID and transaction ID as indexes to identify the device on the database; generating a randomised keypad on the user interface; inserting and submitting a pass code by way of the randomised keypad; relaying said pass code to the second server; and generating a second validation at the second server, using the pass code and thereby authenticating both user and device.

Abstract: An information processing system includes: one or more information processing apparatuses; and a management server, in which the management server includes a license key table management unit that receives inputs of a serial number, an application ID, and a license key from an administrator and registers them in a license key table, and a license key authentication unit that extracts the corresponding license key from the license key table by using the application ID and the serial number received from the information processing apparatus in which the application program is installed, and performs license key authentication of the application program by using the extracted license key, and the one or more information processing apparatuses each include an application installation unit that installs the application program, and an authentication requesting unit that transmits the application ID and the serial number to the management server to request for license key authentication.

Abstract: A first device that includes a processor configured to transmit/receive a trigger message to/from a second device based on wireless short-range communication. The trigger message initiates a registration process within a wireless local area network (WLAN).

Abstract: Techniques for signer-initiated electronic document signing via an electronic signature service using a mobile or other client device are described. Example embodiments provide an electronic signature service (“ESS”) configured to facilitate the creation, storage, and management of documents and corresponding electronic signatures. In some embodiments, when a signer user receives an electronic signature document on a mobile device, the signer may use a client module executing on the mobile device to import the document into the ESS. Once the document is imported into the ESS, the signer can access, review, and sign the document at the ESS via the mobile device. After signing the document, the signer can use the mobile device to cause the ESS to provide the signed document to one or more recipients.

Abstract: An electronic device for management of cryptographic keys, and a corresponding method implemented in a computing device comprising a physical processor, transmit feature data of the device to a key generation module, wherein the feature data comprises information corresponding to an identifier or an attribute of the device, and receive, by the device from the key generation module, a digital signature of the transmitted feature data. The device installs the received digital signature as a cryptographic private key for communication, and performs a cryptographic operation using the installed digital signature as the cryptographic private key.

Abstract: An item is shared based on an information boundary and access control settings. An application such as a document management application detects a selection of an information boundary to manage a sharing action associated with the item. The information boundary includes rules to define how the item is shared. A selection of an access control list is also detected to manage recipients who have an access to the item. The access control list allows a recipient in the list an ability to search and discover the item. In response to a detection of the sharing action to share the item, the information boundary and the access control list is applied to the item. The item is then shared based on the information boundary and the access control list through a link of the item transmitted to a recipient.

Abstract: A software management shell may provide an execution environment for one or more software agents, e.g., by creating new instances of itself on a suitable hardware platform. For example, such a management shell may address new or shifting requirements that renders a software agent non-compliant by creating a new management shell that meets the new or shifting requirements. A new management shells may learn and advertise its capabilities and capacity to assist existing management shells in meeting the new or shifting requirements. The creation of new management shells, and the migration of software agents between shells, may be in response to policy changes that govern how the software agents are to operate within the management shells and on a given hardware platform.

Abstract: The invention relates to a storage device management method allowing to manage the storage space, on a storage device, by proposing to an end user to store a new content he was going to consume if its storage determined size is lower than an already stored content size.

Abstract: An Access Point (AP) connection method in an electronic device and the electronic device thereof are provided. The method includes transmitting a request message relating to AP information connected for wireless Local Area Network (LAN) connection and inquiring about a rogue AP, to an Internet server, when the AP is not the rogue AP according to a response message received from the Internet server, maintaining connection to the AP, and providing other AP information to the Internet server.

Abstract: Disclosed are various embodiments for facilitating the distribution of files from a file repository. Files from a file repository can be distributed via peer to peer transmissions where the peer devices can perform authentication functions. The authentication can be performed based upon metadata associated with the files as well as based upon authentication requests submitted to an authentication server.

Abstract: [Object] To propose an information processing device, wireless communication system, information processing method, and storage medium which can mutually authenticate communication partners simply and safely. [Solution] The information processing device including: an acquisition unit configured to acquire first identification information for identifying another terminal; and a communication unit configured to transmit information for mutual authentication between an own terminal and the other terminal to the other terminal specified based on the first identification information through a network service.

Abstract: A method and system for user authentication on a touch-screen device using an authentication token. A housing of the authentication token includes several electrodes. At least one of the electrodes is located on the upper side of the token in order for the user to hold the token. The token is applied onto a touch-screen of the user mobile device by the user holding the electrode. Other electrodes are located on the other (lower) side of the token housing. These electrodes come in contact with the touch-screen during the authentication procedure. The token contains executive units connected to the electrode held by the user and to at least one of the electrodes applied to the touch-screen. Since the electric connection between the token electrodes exists, the touch-screen sensors register a touch at the point of application of the electrode(s).

Abstract: A system and method for evaluating, scoring, and encouraging group performance towards a common goal is disclosed. In an embodiment, individuals of a group have an incentive to encourage other group members to drive better and achieve an improved overall driving score for the group. A group driving score is determined based on the driving performances of members of the group. The group may establish a driving score goal and work toward achieving that goal using real-time group reinforcement communications.

Abstract: The present invention concerns a method of generating a biometric certificate of a user performed by a data processing device of a certifying authority, comprising a step of generating (E4) a certificate for said user comprising data related to the identity of the user and truncated authentication data of said user generated using a method of generating a biometric authentication datum, comprising steps of: acquiring (E1) first biometric data of said user; generating (E2) a first a proof of knowledge of said first biometric data from the first acquired biometric data and from a pseudo-random function; generating (E3) a first truncated authentication datum by applying a truncation function to said first generated proof of knowledge.

Abstract: Example embodiments presented herein are directed towards a physical node, and corresponding methods therein, for providing authentication of a wireless device within a visiting wireless network while the wireless device is in a roaming state. The wireless device is registered to a home wireless network. The physical node further comprises a virtual representation of a functionality of at least one core network node controlled by the home wireless network. Thus, such authentication may be provided and control according to home network based procedures.

Abstract: A protocol for issuing and controlling digital certificates is described in which an identity management system is used to identify a user requesting a digital certificate and is also used to issue the digital certificate itself. Accordingly, an IDM-based PKI system is provided.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: The present technology provides a less burdensome mechanism to bring media items owned or licensed in the physical world into an account hosted by an electronic media provider. A specific use case deals with magazine subscriptions wherein the electronic media provider can send entity identifying information to a publisher clearinghouse that has subscription data for many different magazines. If the entity information sufficiently matches subscription information, the clearinghouse sends back data identifying magazines for which the entity is entitled to a digital copy, and these magazines become available to the user through the electronic media provider.

Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.