By Certificate Patents (Class 713/156)
  • Patent number: 9734340
    Abstract: Methods include receiving a request for verified data from a requesting entity. Methods also include requesting, from a user, consent to obtain user data corresponding to the user. Methods further include receiving the consent and obtaining preliminary data corresponding to the user. Methods also include transmitting a message to a user data provider in response to receiving the consent, in which the message comprises the preliminary data and a request for the user data. Methods also include receiving response data, wherein the response data corresponds to the user data. Methods further include analyzing the response data and determining the verified data in response to analyzing the response data. Methods also include providing the verified data to the requesting entity.
    Type: Grant
    Filed: April 3, 2013
    Date of Patent: August 15, 2017
    Assignee: CA, Inc.
    Inventors: Debra Jean Danielson, Timothy Gorden Brown, Jeffrey C. Broberg, Walter Schaefer
  • Patent number: 9736155
    Abstract: An authentication apparatus updates a first execution information entry corresponding to a first identification information entry of an authentication target having undergone authentication processing, and transmits the first identification and execution information entries to a management apparatus. The management apparatus updates an execution information entry corresponding to the first identification information entry, and stores a first sequence information entry indicating a sequence number. The management apparatus transmits the first sequence and identification information entries to the authentication apparatus.
    Type: Grant
    Filed: September 29, 2015
    Date of Patent: August 15, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Taira Shima, Nobutaka Yamamoto, Yuma Akune, Eiji Itou
  • Patent number: 9736122
    Abstract: Embodiments of the present invention disclose a method, system, and computer program product for bluesalt security. A computer receives a confidential data configuration wherein specific sensors are assigned to specific confidential information. The assigned sensors are measured for values as a system administrator enters a password corresponding to the confidential information. The measured values are converted into a salt and concatenated with the password to generate a primary key. The primary key is used to encrypt the confidential information, then the primary key is encrypted using a secondary key comprised of a second password with a second set of sensor information as the salt. The encrypted key is saved securely while the secondary key is destroyed. In order to decrypt the confidential information, a user must replicate the password and sensor values to generate the primary or secondary key.
    Type: Grant
    Filed: September 2, 2015
    Date of Patent: August 15, 2017
    Assignee: International Business Machines Corporation
    Inventor: Samir K. Dash
  • Patent number: 9722999
    Abstract: A system and method are provided to access a secure host device using a personal security device (PSD). A user's PSD may hold a credential of a requesting component of the secure host device. The credential may only be readable from the PSD when a secure channel is established therewith. The establishment of a secure channel with the PSD may require access to keys. The secure host device may contain a SAM capable of securely storing and operating keys. The SAM may contain the relevant keys to support establishment of a secure channel with the personal security device and release a credential to its requesting component. These criteria may achieve the secure release of the credential from the PSD to the requesting component of the secure host device to achieve access by the user when the PSD is presented in the non-contact field of a card reader monitored by the secure host device.
    Type: Grant
    Filed: February 24, 2014
    Date of Patent: August 1, 2017
    Assignee: Assa Abloy AB
    Inventors: John Babbidge, François-Eric Michel Guyomarc'h
  • Patent number: 9723483
    Abstract: A mobile electronic device according to an embodiment has an identifier, a determiner, and a permitter. The identifier identifies the operating system of a mobile terminal to which its own device is connected and determines whether the identified operating system is a prescribed operating system. If the identifier determines that the identified operating system is the prescribed operating system, the determiner performs processing to determine whether or not authentication data held in its own device and authentication data held in an authentication data holding device that can communicate via a network match. If the determiner determines that there is a match, the permitter permits data processing using processing data held in a processing data holding device that can communicate via the network.
    Type: Grant
    Filed: August 24, 2015
    Date of Patent: August 1, 2017
    Assignee: Kabushiki Kaisha Toshiba
    Inventor: Hiroki Fukuoka
  • Patent number: 9722972
    Abstract: A method of establishing a secure communications path between a first local server on a local network and a device on a wide area network comprising: establishing a first secure communications connection between a second local server on the local network and the device; establishing a second secure communications connection between the second local server and the first local server, wherein the second local server impersonates the device for at least a portion of the connection request; and proxying data between the local server and the device.
    Type: Grant
    Filed: February 26, 2012
    Date of Patent: August 1, 2017
    Assignee: Oracle International Corporation
    Inventors: Ali K. Ahmed, John Jules Alexander Boyer, Kenneth Montagna, Timothy Michael Shephard
  • Patent number: 9723147
    Abstract: Methods, systems, apparatus, and non-transitory computer readable media are described for a scalable computer-telephony integration system. Various aspects may include storing sets of call agent login information for several call agents within the computer-telephony integration system and across several independent computing systems in a contact center login database. Additionally, various aspects may include generating several contact center service categories and sets of contact information for each contact center service category, which may be stored in a contact center directory database. When an incoming call is received from a customer, various aspects may include obtaining customer call information from the customer and generating a customer call key, which may be stored as a reference to the customer call information in a contact center customer call information database.
    Type: Grant
    Filed: March 21, 2016
    Date of Patent: August 1, 2017
    Assignee: STATE FARM MUTUAL AUTOMOBILE INSURANCE COMPANY
    Inventors: Aaron C. Kammeyer, Randall J. Kirchner, Christopher L. Ward, Louis A. Littell
  • Patent number: 9715518
    Abstract: Techniques for cross-ACL multi-master replication are provided. The techniques allow a replication site in a multi-master replication system implementing an asynchronous replication protocol and an access control policy to appropriately apply received data change updates to data maintained at the site even where a data change update is missing information because of the implemented access control policy.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: July 25, 2017
    Assignee: Palantir Technologies, Inc.
    Inventors: Richard Allen Ducott, III, Katherine Brainard, John Kenneth Garrod, John Antonio Carrino
  • Patent number: 9715597
    Abstract: Particular embodiments described herein provide for an electronic device that can be configured to receive untrusted input data at an enclave in an electronic device, isolate the untrusted input data from at least a portion of the enclave, communicate at least a portion of the untrusted data to an integrity verification module using an attestation channel, and receive data integrity verification of the untrusted input data from the integrity verification module. The integrity verification module can perform data integrity attestation functions to verify the untrusted data and the data integrity attestation functions include a data attestation policy and a whitelist.
    Type: Grant
    Filed: September 25, 2014
    Date of Patent: July 25, 2017
    Assignee: McAfee, Inc.
    Inventors: Ned Smith, Esteban Gutierrez, Andrew Woodruff, Aditya Kapoor
  • Patent number: 9716708
    Abstract: A system-on-chip (SoC) includes multiple hardware modules that are implemented on a substrate. The hardware modules include a plurality of hardware and software security features and the SoC provides one or more external interfaces for accessing the security features. A validation module, implemented in the boot code of the SoC for example, manages security certificates to control access to the plurality of security features. Each security certificate includes one or more unique identifiers corresponding to one or more hardware modules in the SoC and access control settings for one or more security features of the one or more hardware modules. The security certificate additionally includes a certificate signature signed by a secure key.
    Type: Grant
    Filed: September 13, 2013
    Date of Patent: July 25, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Michael Love, Ling Tony Chen, Felix Domke, Kenneth Ray
  • Patent number: 9713008
    Abstract: A system and method for user certificate initiation, distribution, and provisioning in converged WLAN-WWAN interworking networks. A computing device operable in a wireless local area network sends a public key to a mobile device operable in a wireless cellular wide area network. The mobile device performs a bootstrapping procedure with a cellular operator in the wireless cellular wide area network to obtain a user certificate based on the public key. The mobile device sends the user certificate to the computing device for installation on the computing device. The user certificate may be used for digital signature, verification, and encryption purposes. The user certificate is also used in both the wireless local area network and the wireless wide area network for authenticating a subscriber when accessing services from both networks.
    Type: Grant
    Filed: March 7, 2016
    Date of Patent: July 18, 2017
    Assignee: Intel Corporation
    Inventors: Selim Aissi, Mrudula Yelamanchi, Abhay Dharmadhikari, Benjamin Matasar, Jane Dashevsky
  • Patent number: 9712322
    Abstract: Exposure of sensitive information to users is controlled using a first security token containing user identity and user credentials to represent the user who requests services, and a second security token containing two other identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request, and uses its key to digitally sign the request. The token-owning process signs the request to indicate that it endorses the request.
    Type: Grant
    Filed: October 5, 2016
    Date of Patent: July 18, 2017
    Assignee: International Business Machines Corporation
    Inventors: John Y-C. Chang, Ching-Yun Chao, Bertrand Be-Chung Chiu, Ki H. Park
  • Patent number: 9712516
    Abstract: A system for monitoring resources transferred over a network includes a capture module that is configured to capture content transferred over a network between a requestor device and a server device. The content includes a resource, a digital signature associated with the resource and a digital certificate associated with the digital signature. The system includes a resource monitor module that is configured to receive the captured content from the capture module. The resource monitor module includes at least one memory, at least one processor and a resource analyzer module that is configured to use the at least one processor to inspect one or more attributes of the digital certificate and inspect the digital signature and verify the digital certificate using the attributes and verify the digital signature.
    Type: Grant
    Filed: June 20, 2014
    Date of Patent: July 18, 2017
    Assignee: BMC Software, Inc.
    Inventors: Danny Deschenes, Pierre Larose
  • Patent number: 9705968
    Abstract: An information processing apparatus includes a transmission unit, a notification unit, and an instruction unit. The transmission unit transmits a request for processing to a destination at which the request is accepted. The notification unit makes a notification of destination information including first information used to call the information processing apparatus and second information concerning the requested processing. The instruction unit instructs an external apparatus, when the external apparatus calls the information processing apparatus using the destination information, to perform an operation concerning the requested processing on the basis of the second information.
    Type: Grant
    Filed: May 23, 2014
    Date of Patent: July 11, 2017
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Kohshiro Inomata
  • Patent number: 9699202
    Abstract: In an embodiment, a central computer performs a data processing method. The central computer receives telemetry data from intrusion sensors. The central computer stores authentication records in a hosts database. Each authentication record is based on the telemetry data and comprises a thumbprint of a public key certificate and a host identifier of a sender computer. The central computer receives a suspect record that was sent by a first intrusion sensor. The suspect record has a first particular thumbprint of a first particular public key certificate and a first particular host identifier of a suspect sender. From the hosts database, the central computer searches for a matching record having a same host identifier as the first particular host identifier of the suspect record and a same thumbprint as the first particular thumbprint of the suspect record. The central computer generates an intrusion alert when no matching record is found.
    Type: Grant
    Filed: May 20, 2015
    Date of Patent: July 4, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: David McGrew, Titouan Rigoudy
  • Patent number: 9692741
    Abstract: A method for signing a wrapped computer application is described. In some embodiments, methods may include receiving a wrapped computer application via a first secure communication connection from a first remote server, authenticating the first secure communication connection, modifying the wrapped computer application based at least in part on the authenticating, and transmitting the wrapped computer application via a second secure communication connection to a second remote server based at least in part on the modifying.
    Type: Grant
    Filed: December 4, 2014
    Date of Patent: June 27, 2017
    Assignee: Symantec Corporation
    Inventors: Jan Vilhuber, James Sanders, Beau Ufen, Todd Wakerley
  • Patent number: 9686186
    Abstract: A network device receives packets for one or more traffic flows to be sent into a network. The network device computes a flow identifier for each of the one or more traffic flows based on information contained in one or more headers of the packets for each of the one or more traffic flows and based on at least one value that is changed on an ongoing basis. The packets for each of the one or more traffic flows are encrypted to produce encrypted packets for each of the one or more traffic flows. An encapsulation is added to the encrypted packets for the one or more traffic flows. The flow identifier is included in a field of the encapsulation for a corresponding traffic flow.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: June 20, 2017
    Assignee: Cisco Technology, Inc.
    Inventors: Jose Liste, Brian Weis
  • Patent number: 9686082
    Abstract: A method and system for generating and processing an authenticity certificate. A request for a step certificate is received from a requester entity. The step certificate authenticates an involvement of the requester entity about an object. The request includes an object identifier, a requester entity type of the requester entity, and a requester identity certificate of the requester entity. The object identifier is hashed. A signature is created and includes the hashed object identifier, the requester entity type, a certifier identity certificate, and the requester identity certificate. A hashing result is generated by hashing a concatenation of the object identifier, the requester entity type, the certifier entity certificate, the requester identity certificate, and the signature. The step certificate is generated and includes the hashing result. The step certificate is encrypted. The encrypted step certificate is sent to the requester entity for subsequently storing the step certificate on a media.
    Type: Grant
    Filed: February 19, 2016
    Date of Patent: June 20, 2017
    Assignee: International Business Machines Corporation
    Inventors: Frederic Bauchot, Gerard Marmigere, Christophe Mialon, Pierre Secondo
  • Patent number: 9686253
    Abstract: A method for managing keystore information on a computing device may include requesting a keystore from a distribution system, receiving the keystore from the distribution system, and populating a runtime environment with keystore information contained within the keystore. A method for generating a keystore may include receiving, by a distribution system, a request for a keystore from a computing device, generating a key pair including a public key and a private key, generating a certificate signing request, digitally signing the public key with the private key, generating the keystore, combining the signed public key with the private key in the keystore, and providing the keystore to the computing device. A method for generating a truststore may include receiving, by a distribution system, a request for a truststore from a computing device, generating the truststore, adding a certificate to the truststore, and providing the truststore to the computing device.
    Type: Grant
    Filed: May 20, 2014
    Date of Patent: June 20, 2017
    Assignee: AT&T Intellectual Property I, L.P.
    Inventor: Andrew Schiefelbein
  • Patent number: 9674189
    Abstract: A method includes receiving a first message that includes a first relational key element based on a first group element, and a second relational key element based on the first group element and raised to the power of a first plaintext value. The method also includes receiving a second message that includes a third relational key element based on a second group element, and a fourth relational key element based on the second group element and raised to the power of a second plaintext value. The method additionally includes comparing the first message to the second message without decryption of the first or second messages and, based on the comparison, determining that the first plaintext value and the second plaintext value are the same.
    Type: Grant
    Filed: May 17, 2016
    Date of Patent: June 6, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 9674066
    Abstract: A method, system, and computer program product for parsing an information string to extract requested information related to a remotely monitored device communicatively coupled to a network, including accessing the device using an HTTP protocol to obtain an information string associated with the device; determining, based on a type of the requested information, data extraction information for optimally extracting the requested information from the device; parsing the information string according to the data extraction information to identify substrings within the information string; and determining the requested information based on the information string, identified substrings, and the data extraction information.
    Type: Grant
    Filed: October 25, 2013
    Date of Patent: June 6, 2017
    Assignee: Ricoh Company, Ltd.
    Inventors: Tetsuro Motoyama, Avery Fong
  • Patent number: 9660972
    Abstract: A credential, such as a password, for an entity is used to generate multiple keys. The generated keys are distributed to credential verification systems to enable the credential verification systems to perform authentication operations. The keys are generated such that access to a generated key allows for authentication with a proper subset of the credential verification systems. Thus, unauthorized access to information used by one authentication system does not, by itself, allow for successful authentication with other authentication systems.
    Type: Grant
    Filed: June 25, 2012
    Date of Patent: May 23, 2017
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory B. Roth, Graeme D. Baer
  • Patent number: 9660991
    Abstract: A method includes receiving biometric data, the biometric data non-uniformly distributed and processing the biometric data to a level of randomness as a plaintext vector, the level of randomness associated with a security level. The method also includes encrypting the plaintext vector using a relational linearity encryption scheme to generate a linearity ciphertext representative of the plaintext vector, encrypting the plaintext vector using a relational proximity encryption scheme to generate a proximity ciphertext representative of the plaintext vector, and communicating the linearity ciphertext and the proximity ciphertext to an authentication server.
    Type: Grant
    Filed: February 10, 2016
    Date of Patent: May 23, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Ryota Kamakari, Takeshi Shimoyama, Hiroshi Tsuda, Yoshinori Yaginuma, Avradip Mandal, Arnab Roy, Hart Montgomery, Toshiyuki Ishiguro, Kouhei Shigeta
  • Patent number: 9660986
    Abstract: A secure access method for an application (app) program is to be implemented by a secure access device, which includes first authentication data and a first control regulation. The secure access method includes the steps of making a determination as to whether a to-be-authenticated app program, which is executed in an operating system, is provided with the first authentication data and the first control regulation; and, when a result of the determination is negative, identifying the to-be-authenticated app program as an unauthenticated illegitimate app program, and disallowing the illegitimate app program to access a to-be-accessed device.
    Type: Grant
    Filed: January 16, 2015
    Date of Patent: May 23, 2017
    Inventor: Hung-Chien Chou
  • Patent number: 9652599
    Abstract: A method and system is provided for signing data such as code images. In one embodiment, the method comprises receiving, from a requestor, a request to sign the data according to a requested configuration selected from a first configuration, in which the data is for use with any of the set of devices, and a second configuration in which the data is for use only with a subset of a set of devices; modifying the data according to the requested configuration; generating a data signature using the modified data; and transmitting the generated data signature to the requestor. Another embodiment is evidenced by a processor having a memory storing instructions for performing the foregoing operations.
    Type: Grant
    Filed: June 11, 2015
    Date of Patent: May 16, 2017
    Assignee: ARRIS Enterprises, Inc.
    Inventors: Alexander Medvinsky, Ali Negahdar, Xin Qiu
  • Patent number: 9654574
    Abstract: User identity token for identifying a user of a communication network. A first node (13), e.g., a policy controller of a communication network, receives a request (101) from a second node (15), e.g., an application server for providing a service in the communication network. The request (101) includes a transport address assigned to a user of the communication network. Further, the first node (13) accesses mapping data (31) relating the transport address to a subscription identity of the user and determines a user identity token which is mapped to the subscription identity of the user and masks the subscription identity. The first node (13) then sends a response to the second node (15). The response (102) includes the user identity token.
    Type: Grant
    Filed: December 23, 2011
    Date of Patent: May 16, 2017
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Reiner Ludwig, Susana Fernandez Alonso
  • Patent number: 9654298
    Abstract: Providing information about digital certificate validity includes ascertaining digital certificate validity status for each of a plurality of digital certificates in a set of digital certificates, generating a plurality of artificially pre-computed messages about the validity status of at least a subset of the set of digital certificates of the plurality of digital certificates, where at least one of the messages indicates validity status of more than one digital certificate and digitally signing the artificially pre-computed messages to provide OCSP format responses that respond to OCSP queries about specific digital certificates in the set of digital certificates, where at least one digital signature is used in connection with an OCSP format response for more than one digital certificate. Generating and digitally signing may occur prior to any OCSP queries that are answered by any of the OCSP format responses.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: May 16, 2017
    Assignee: Assa Abloy AB
    Inventors: David Engberg, Phil Libin, Silvio Micali
  • Patent number: 9654464
    Abstract: In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based at least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Grant
    Filed: June 22, 2015
    Date of Patent: May 16, 2017
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Patent number: 9646150
    Abstract: Described is an electronic credentialing system that allows personal identity devices to interact; each interacting device has an installed identity engine that acquires, holds, issues and uses electronic credentials (e-credentials), these electronic credentials can be installed on personal identity devices, such as: smart phones, tablets, laptops, embedded systems, and/or personal computers.
    Type: Grant
    Filed: October 1, 2014
    Date of Patent: May 9, 2017
    Inventor: Kalman Csaba Toth
  • Patent number: 9647837
    Abstract: Embodiments include methods, systems, and computer program products for filtering trust services records. Embodiments include receiving a trust services record that includes a plurality of security components and that is usable to secure data that is stored in an untrusted location. It is determined whether the trust services record has been tampered with, including verifying each of the plurality of security components of the trust services record. The trust services record is filtered based on the determination of whether the trust services record has been tampered with. The filtering includes, when the trust services record is determined to have not been tampered with, allowing performance of at least one task with respect to the secured data; and, when the trust services record is determined to have been tampered with, disallowing performance of any task with respect to the secured data.
    Type: Grant
    Filed: January 29, 2015
    Date of Patent: May 9, 2017
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Irina Gorbach, Venkatesh Krishnan, Andrey Shur, Dmitry Denisov, Lars Kuhtz, Sumant Mehta, Marina Galata
  • Patent number: 9639896
    Abstract: System and method for dynamically managing message flow. According to the example embodiments, an intermediary network device or a client device dynamically manages the flow of messages received from an electronic exchange by analyzing the client device's capabilities, such as CPU utilization. Based on a percentage of total CPU utilization, the level of throttling is dynamically adjusted, such that if the percentage of CPU utilization, or load, increases, then throttling is increased from a lower level to a higher level. Similarly, if the percentage of CPU utilization decreases significantly enough, then throttling is decreased to a lower level.
    Type: Grant
    Filed: September 17, 2014
    Date of Patent: May 2, 2017
    Assignee: Trading Technologies International, Inc.
    Inventors: Alexander V. Foygel, Bharat Mittal, Douglas R. Duquette
  • Patent number: 9641509
    Abstract: In a computer-implemented authentication method, a first authentication request from a first machine is received at an authentication server. The first authentication request includes an identification of a second machine that is to provide a requested service. An authentication token including client-specific and server-specific portions is generated at the authentication server, responsive to receiving the first authentication request from the first machine. An authentication identifier and the server-specific portion of the authentication token are transmitted from the authentication server to the second machine, responsive to receiving the first authentication request from the first machine. A second authentication request, including the authentication identifier and both the server-specific and the client-specific portions of the authentication token, is received at the authentication server from the second machine.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: May 2, 2017
    Assignee: CA, INC.
    Inventor: Rajendra Kumar Pachouri
  • Patent number: 9626513
    Abstract: An electronic device includes a boot memory, a hardware memory programmed with a signing key, and a processor configured to implement a fixed trusted module and a dynamic trusted image module. The fixed trusted module contains a digital certificate, which includes a platform key used to verify a first boot module, and a package verification key used to validate authenticity of an image update file. The dynamic trusted image module contains a platform certificate signed by the signing key. The platform certificate includes a platform verification key used to validate at least one of (i) a second boot module, (ii) an operating system loader, (iii) an operating system, or (iv) a file system. The platform certificate also includes image information associated with one or more images stored in the platform certificate, key information associated with one or more public keys, and electronic device-specific data.
    Type: Grant
    Filed: October 14, 2013
    Date of Patent: April 18, 2017
    Assignee: Marvell International Ltd.
    Inventors: Tolga Aytek, Joseph Jolicoeur, Minda Zhang
  • Patent number: 9626137
    Abstract: An image forming apparatus includes first and second token request transmission units, first and second token reception units, a storage unit, and a device resource request transmission unit. The first token request transmission unit transmits a first token acquisition request containing device credential information. The first token reception unit receives a first token corresponding to the device credential information. The storage unit stores the received first token. The second token transmission unit acquires the stored first token and sends a second token acquisition request containing the acquired first token and identification information for identifying a management unit that manages a device resource. The second token reception unit receives a second token corresponding to the identification information. The device resource request transmission unit transmits a request for a process related to a device resource, the request containing the received second token.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: April 18, 2017
    Assignee: Canon Kabushiki Kaisha
    Inventor: Makoto Mihara
  • Patent number: 9628462
    Abstract: Techniques for electronic signature process management are described. Some embodiments provide an electronic signature service (“ESS”) configured to manage electronic identity cards. In some embodiments, the ESS generates and manages an electronic identity card for a user, based on personal information of the user, activity information related to the user's actions with respect to the ESS, and/or social networking information related to the user. The electronic identity card of a signer may be associated with an electronic document signed via the ESS, so that users may obtain information about the signer of the document. Electronic identity cards managed by the ESS may also be shared or included in other contexts, such as via a user's profile page on a social network, a user's email signature, or the like.
    Type: Grant
    Filed: November 10, 2014
    Date of Patent: April 18, 2017
    Assignee: DocuSign, Inc.
    Inventors: Thomas H. Gonser, Donald G. Peterson, Douglas P. Rybacki
  • Patent number: 9614836
    Abstract: The systems, methods and apparatuses described herein provide a computing environment that manages application specific identification of devices. An apparatus according to the present disclosure may comprise a non-volatile storage storing identifier (ID) base data and a processor. The processor may be configured to validate a certificate of an application being executed on the apparatus. The certificate may contain a code signer ID for a code signer of the application. The processor may further be configured to receive a request for a unique ID of the application, generate the unique ID from the code signer ID and the ID base data and return the generated unique ID.
    Type: Grant
    Filed: September 8, 2015
    Date of Patent: April 4, 2017
    Assignee: OLogN Technologies AG
    Inventor: Sergey Ignatchenko
  • Patent number: 9614820
    Abstract: The embodiments relate to a near field communication system including a plurality of near field communication devices which communicate with each other via a radio interface. During generation of a common cryptographic key between the near field communication devices of the near field communication system, at least one of the two near field communication devices monitors during generation of the cryptographic key via the radio interface in a generation period whether an additional near field communication device which could be a potential active attacker communicates with one of the near field communication devices via the radio interface. If such a suspicious type of communication is detected, generation of the common cryptographic key is optionally terminated.
    Type: Grant
    Filed: February 8, 2007
    Date of Patent: April 4, 2017
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Florian Kohlmayer, SIEMENS AKTIENGESELLSCHAFT
  • Patent number: 9607149
    Abstract: A system and method for updating a system that controls files executed on a workstation. The workstation includes a workstation management module configured to detect the launch of an application. A workstation application server receives data associated with the application from the workstation. This data can include a hash value. The application server module can determine one or more categories to associate with the application by referencing an application inventory database or requesting the category from an application database factory. The application database factory can receive applications from multiple application server modules. The application database factory determines whether the application was previously categorized by the application database factory and provides the category to the application server module. Once the application server module has the category, it forwards a hash/policy table to the workstation management module.
    Type: Grant
    Filed: May 9, 2016
    Date of Patent: March 28, 2017
    Assignee: Websense, LLC
    Inventors: Harold M. Kester, Ronald B. Hegli, John Ross Dimm, Mark Richard Anderson
  • Patent number: 9608819
    Abstract: A method includes receiving first and second linearity ciphertexts representative of first and second biometric templates, respectively, that are encrypted using a relational linearity encryption scheme (linearity scheme). The linearity scheme is based on learning parity with noise. The method includes discovering a linearity relationship between the first and the second linearity ciphertexts. The method includes receiving first and second proximity hash values representative of the first and second biometric templates, respectively, encrypted using a relational proximity hash scheme (proximity scheme). The proximity scheme is based on the linearity scheme and an error correcting code. The method includes detecting a proximity between the first and the second proximity hash values in terms of a Hamming distance. The method includes authenticating an identity of a user based on the proximity and the linearity relationship.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: March 28, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 9608966
    Abstract: An information handling device has a first connection unit, a Web application executing unit to generate a device operating command, a second connection unit, an application authentication processing unit to generate a platform authenticator, an application origin information attacher to attach origin information of the web application to the platform authenticator, and a third connection unit to establish a connection for transmitting the device operating command and the platform authenticator attached with the origin information to the second communication device in order to transmit the device operating command and the platform authenticator attached with the origin information.
    Type: Grant
    Filed: August 15, 2013
    Date of Patent: March 28, 2017
    Assignee: KABUSHIKI KAISHA TOSHIBA
    Inventors: Jun Kanai, Hiroshi Isozaki
  • Patent number: 9602494
    Abstract: The present technology provides a less burdensome mechanism to bring media items owned or licensed in the physical world into an account hosted by an electronic media provider. A specific use case deals with magazine subscriptions wherein the electronic media provider can send entity identifying information to a publisher clearinghouse that has subscription data for many different magazines. If the entity information sufficiently matches subscription information, the clearinghouse sends back data identifying magazines for which the entity is entitled to a digital copy, and these magazines become available to the user through the electronic media provider.
    Type: Grant
    Filed: May 27, 2015
    Date of Patent: March 21, 2017
    Assignee: Apple Inc.
    Inventors: Farman A. Syed, Ian J. Elseth, Martin J. Murrett, Michelle H. Gonzalez
  • Patent number: 9601016
    Abstract: A communication system (10) includes a certificate authority (100) for performing authentication, a roadside device (110), a vehicle-mounted terminal (120), a first server (130), and a second server (140). The vehicle-mounted terminal transmits its position information to the first server. The certificate authority acquires information about a vehicle-mounted terminal likely to appear according to place and time from the first server. The certificate authority allows the second server to verify validity of a certificate for a vehicle-mounted terminal acquired from the first server. The certificate authority generates a first list of vehicle-mounted terminals having valid certificates and a second list of vehicle-mounted terminals having invalid certificates according to place and time based on a verification result. The certificate authority transmits the first and second lists to the roadside device and the vehicle-mounted terminal.
    Type: Grant
    Filed: August 18, 2015
    Date of Patent: March 21, 2017
    Assignee: Renesas Electronics Corporation
    Inventors: Eriko Ando, Ken Naganuma, Toru Owada
  • Patent number: 9579562
    Abstract: Coding and decoding words formed of alphanumeric characters, in which a listing of symbols is provided, each symbol being associated with a different alphanumeric character, converted and transmitted to another who has the listing of symbols (the symbols may be different colors, icons, or sounds), each associated with a different alphanumeric character.
    Type: Grant
    Filed: August 11, 2013
    Date of Patent: February 28, 2017
    Inventor: Charlotte M Purin
  • Patent number: 9578502
    Abstract: A device authentication server authenticates a remotely located device using unique data associated with the user of the device stored on a remotely located server that has an established relationship with the device, such as client logic installed on the device and authentication data of the user stored on the device. The unique data can be unique metadata associated with inter-person messages. Since each user receives and sends a unique collection of messages, the unique message meta-data associated with a user's account is, in aggregate, unique.
    Type: Grant
    Filed: March 4, 2014
    Date of Patent: February 21, 2017
    Assignee: Uniloc Luxembourg S.A.
    Inventor: Craig S. Etchegoyen
  • Patent number: 9577833
    Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a message sender. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a digital certificate of the message sender, is configured with an associated private key to digitally sign the message on behalf of the message sender. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the message sender using the private key of the secured digital certificate.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: February 21, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Bret W. Dixon
  • Patent number: 9577834
    Abstract: Within a secure messaging environment, a determination is made that a request to send a message has been generated by a message sender. A message protection policy configured to process the message within the secure messaging environment is identified. The message protection policy specifies that, within the secure messaging environment, a secured digital certificate, other than a digital certificate of the message sender, is configured with an associated private key to digitally sign the message on behalf of the message sender. Based upon the message protection policy, a determination is made to digitally sign the message using the private key of the secured digital certificate. The message is signed on behalf of the message sender using the private key of the secured digital certificate.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: February 21, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Bret W. Dixon
  • Patent number: 9577831
    Abstract: A method includes receiving biometric data, the biometric data non-uniformly distributed and processing the biometric data to a level of randomness as a plaintext vector, the level of randomness associated with a security level. The method also includes encrypting the plaintext vector using a relational linearity encryption scheme to generate a linearity ciphertext representative of the plaintext vector, encrypting the plaintext vector using a relational proximity encryption scheme to generate a proximity ciphertext representative of the plaintext vector, and communicating the linearity ciphertext and the proximity ciphertext to an authentication server.
    Type: Grant
    Filed: July 10, 2015
    Date of Patent: February 21, 2017
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 9571484
    Abstract: Embodiments of the present invention address deficiencies of the art in respect to configuring a computing appliance and provide a method, system and computer program product for device certificate based virtual appliance configuration. In one embodiment of the invention, a virtual appliance secure configuration method can be provided. The method can include mounting non-volatile storage to the virtual appliance, retrieving a device certificate from the mounted storage and extracting a signature from the device certificate, activating the virtual appliance in a network domain and acquiring an adapter address and unique identifier for the virtual appliance, and authenticating the signature with the adapter address and unique identifier to ensure a unique active instance of the virtual appliance.
    Type: Grant
    Filed: May 26, 2015
    Date of Patent: February 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Ronald P. Doyle, John R. Hind, Marcia L. Stockton
  • Patent number: 9570232
    Abstract: Disclosed is a transformer for power line communication, capable of performing power line communication without being influenced by voltage attenuation due to voltage conversion. The transformer for power line communication includes: a transforming unit configured to convert a high primary voltage into a low secondary voltage, or convert a low secondary voltage into a high primary voltage; a separation unit configured to separate a data signal from a primary voltage input thereto; and a coupling unit configured to couple the data signal with the low secondary voltage.
    Type: Grant
    Filed: October 10, 2014
    Date of Patent: February 14, 2017
    Assignee: LSIS CO., LTD.
    Inventors: Chang Sung You, Seong Joon Lee
  • Patent number: 9569604
    Abstract: Embodiments described herein provide approaches for user access control to a secured application. Specifically, a custom authentication tool is configured to intercept a request from a user for access to a secured application and override one or more default requirements (e.g., application pre-registration) for accessing the application. That is, when credentials of the user are received at the authentication tool, they are verified against data within a user directory to generate a user profile, which is then provided to the secured application to satisfy the requirements for granting access to the user. As such, the secured application's requirements are met, yet users do not have to manually pre-register to obtain access because the registration is performed in the background by the authentication tool.
    Type: Grant
    Filed: April 15, 2013
    Date of Patent: February 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Gautam Majumdar, Tarun K. Saha, Michael Q. Wang