Abstract: A sending device may send data intended for a target device. An intermediate device may intercept the data sent from the sending device and forward the communications to the target device. Security data (e.g., a security certificate for authentication) along with an encrypted version of the security data may be sent at the application layer such that it passes from the sending device, through the intermediate device, and to the target device without being analyzed or modified by the intermediate device. The target device may use the encrypted security data and the security data to verify the identity of the sending device.

Abstract: Systems, methods, and computer-readable media for managing digital certificates and other security credentials. A routing and management server is communicatively connected to a certificate user device and to a plurality of certificate generators. The server performs operations that may include: optionally registering the certificate user device; receiving a request for one or more digital certificates from the certificate user device; analyzing the request to determine an appropriate certificate generator, from among the plurality of certificate generators, for producing the one or more digital certificates; optionally translating the request into a format required by the appropriate certificate generator; transmitting the request to the appropriate certificate generator; receiving the one or more digital certificates from the appropriate certificate generator; and providing the one or more digital certificates to the certificate user device.

Abstract: A method and a system for validating a proposed change to a configuration of an application are provided. The method includes: receiving a user request for changing a setting of one or more parameters of the configuration of the application; retrieving, from a memory, a set of rules that relate to permissible settings for the parameters; comparing the request to the retrieved rules; determining whether the request is acceptable based on a result of the comparison; and when the request is determined as being acceptable, validating the request. The rules may be applicable across an entirety of an organization or specific to a particular line of business. The parameters may relate to report formats or digital dashboards that are generated by executing the application.

Abstract: A process generates a certificate of authenticity for a virtual item. Further, the process sends, with the processor, the certificate of authenticity to a decentralized network of computing devices such that two or more of the computing devices store the certificate of authenticity. The two or more of the computing devices receive, from a user device that provides a virtual reality experience in which a virtual item is purchased, a request for authentication of the certificate of authenticity. In addition, the two or more computing devices authenticate the certificate of authenticity based on one or more consistency criteria for the certificate of authenticity being met by the two or more computing devices.

Abstract: An identity verification is managed by generating a workflow used by a control apparatus that controls a system in which a plurality of business entities manages attribute information in user information that identifies a user. The workflow is generated, based on a first list of target business entities that perform identity verification of the user, a second list of business entities indicating whether cooperation is performed among the business entities for the identity verification, a number of electronic certificates that certify the user information for completing the identity verification, and a procedure time taken by each of the business entities for the identity verification, so that the workflow minimizes a procedure time taken for completion of the identity verification by the target business entities, and that describes a distribution procedure of the electronic certificates that are used in the identity verification at each of the business entities.

Abstract: A revocable lightweight group authentication method and system for an edge controller is described here. When the edge controller needs to be registered, an edge server generates a private key of the edge controller and sends the private key to the edge controller, and meanwhile adds the edge controller to a group list of the edge server; the edge server updates a certificate of the edge controller, adds the certificate to a certificate list of the edge server and sends the certificate to the edge controller so that the edge controller updates the private key according to the updated certificate; and then the edge controller generates a signature according to the updated private key, and sends the signature to the edge server so that the edge server authenticates the edge controller after determining that the signature meets preset requirements.

Abstract: A computing system includes a server. The server is communicatively coupled to a data repository and is configured to store a data in the data repository. The server is further configured to create, via a visual information flow creation tool, at least one information flow object. The server is additionally configured to create, via the visual information flow creation tool, an electronic signature field in the at least one information flow object, and to provide the at least one information flow object to communicate an electronic signature request to an electronic signature system.

Abstract: Among other things, techniques are described for provisioning and authentication of devices in vehicles. In one aspect, a device in a vehicle establishes a communication session with a network server that manages provisioning of devices corresponding to an enterprise associated with the vehicle. The device receives instructions from the network server to generate cryptographic keys, and in response, generates a public and private key pair. The device sends, to the network server, a certificate signing request that includes the public key and an identifier of the device. In response, the device receives a digital security certificate for the device, and a security certificate of a signing certificate authority. The device authenticates the security certificate of the certificate authority using a known enterprise root certificate, and upon successful authentication, stores the device security certificate and the security certificate of the signing certificate authority.

Abstract: A bridge component is interposed between a content targeting portion of a computerized content management system and a security portion of the system. the content targeting portion has a plurality of targeting segments defined therein. The bridge component creates a plurality of corresponding security groups for at least a subset of the plurality of targeting segments for which pre-existing security groups have not been created. For the targeting segments, accessing, with the bridge component, underlying logic used by the content targeting portion to create the targeting segments, and use the logic to determine whether each potential group member matches the logic. Add at least those of the potential group members that match the logic, and are not already present, to an appropriate one of the corresponding security groups; remove those that do not match. Apply security to the resulting updated security groups with the security portion, and distribute content accordingly.

Abstract: An apparatus receives data access parameters from an external device of a transmission destination, where the data access parameters includes an access ticket, a transmission condition to transmit data, and information on the transmission destination of the data, and the access ticket includes a first program accessible to the data whose utilization by others is authorized by a user. The apparatus generates a notice object corresponding to the information on the transmission destination, and transmits the notice object to the transmission destination. The apparatus executes the first program of the access ticket to acquire the data when the transmission condition is satisfied, and transmits the acquired data to the transmission destination to set the acquired data in the notice object.

Abstract: Systems, computer program products, and methods are described herein for secure resource allocation communication with a network. The present invention may be configured to provide, to a device management system, a request for authentication and receive, from the device management system, a file including a link to a certificate system. The present invention may be further configured to provide, using the link, a certificate enrollment request to the certificate system and receive, from the certificate system, a signed certificate. The present invention may be further configured to establish, using the signed certificate, a wireless connection to a network. In some embodiments, the present invention may include a scanner device for processing instruments associated with resource allocations and a network device communicatively connected to the scanner device for enabling the scanner device to communicate wirelessly with the network.

Abstract: A certificate credential and an associated signature is received. The certificate credential and the associated signature are authenticated at an operating system level. Whether the certificate credential has expired is validated at an application level via an external certificate authority. Access to encrypted data is allowed based at least in part on the authentication and the validation of the certificate credential.

Abstract: In various examples, a computerized method for document-sharing conferencing is described. The method may include steps such as acquiring and saving an electronic document. The method may include receiving an active event indication and instructing the electronic document to be displayed on one or more displays during an active event. The method may further include receiving an active layer for the electronic document and instructing the active layer to be displayed on the electronic document during the active event. The method may also include saving the active layer with the electronic document.

Abstract: Disclosed in some examples are methods, systems, devices, and machine-readable mediums that detect evil twin and other anomalous access points in an IT infrastructure by detecting access points that are not in their expected locations based upon an analysis of access point reports from one or more computing devices.

Abstract: To easily identify an invalid device certificate by means of a validity check when signing keys that are used to create device certificates are compromised, a piece of status information is provided for device certificates that comprises positive evidence of the existence and validity of the device certificate, and alternatively or additionally to apply a special validity model for device certificates, wherein the time of issue of the device certificate is documented by means of a signed electronic timestamp, and wherein a different signing key is used for signing the timestamp than for signing the device certificate. Additionally, all information that is required for the validity check of a device certificate is stored in a memory of the device or in a memory associated with the device, so that an identity check on the device can be performed at any time without fetching additional data.

Abstract: A system and techniques are described herein for providing authentication. The technique includes registering user authentication data such as biometrics data with a communication device. The authentication data is linked to an account or service provider, and is used to verify the identity of the user when accessing the account. The communication device may obtain a public/private key pair, for which the pubic key may be stored on a secure remote server. When the user attempts to access the account or service provider, the user may provide the authentication data to authenticate the user to the communication device. Thereafter, the communication device may sign an authentication indicator using the private key and send the authentication indicator to the secure remote server. Upon verification of the signature using the public key, the secure remote server may grant access to the user, for example, by releasing a token.

Abstract: A system performs digital notarization using a biometric identification service. A signature requesting service receives a request to validate a digital item with a signature for a person. The signature requesting service provides a payload that identifies the digital item and/or the person to an identity service. The identity service obtains one or more digital representations of biometrics for the person, determines an identity for the person, and returns a data structure including the payload and one or more identity attestations regarding the determined identity. The identity service encrypts at least a portion of the data structure using a private encryption key. A public encryption key for the identity service can then be used to decrypt the portion to verify that the data structure was generated by the identity service after determining the identity. In this way, validation can be verified to the full trust level of the identification service.

Abstract: A system for communicating with multiple vehicles or other electronic devices that share a common media access control (MAC) or other address is disclosed. Upon receiving a certificate signing request (CSR) from a connected device and determining that the device does not have a unique address, the system will generate a unique address for the device and embedding the unique addresses in a certificate, sign the certificate, and transfer the certificate to the device. Then, when the system communicates with the device, the system may use that unique address to identify the device.

Abstract: Some embodiments provide a novel method of tracking connections in a network. The method receives an identification of a first network endpoint and a second network endpoint. The method then determines that the first network endpoint cannot directly address a packet flow to the second network endpoint. The method identifies an address translation rule of a network device that translates an address of the second network endpoint into a translated address. The method then determines that the first network endpoint can directly address a packet flow to the translated address. The method then identifies a route from the first network endpoint to the second endpoint through the network device that translates the address and displays the route including an identifier of the network device.

Abstract: An apparatus and methods are disclosed for monitoring the operation of an electrical power-transfer system and detecting and handling hazardous and undesirable system states. In accordance with one embodiment, an electrical signal is injected into the electrical power-transfer system. During or after the injection of the electrical signal, an electrical property between a first sensor and a second sensor are measured to obtain a measurement. The electrical power-transfer system is determined to be in a hazardous state based on the measurement, and in response to the determination one or more actions are performed to correct the hazardous state.

Abstract: An application installed on a user device (e.g., a mobile device, a smart device, a communication device, a computing device, etc.) may be used to validate, authenticate, and/or authorize another application installed on and/or associated with the user device.

Abstract: A first apparatus performs a pairing providing process of displaying a provision string on the first apparatus and transmitting the provision string to a server apparatus, the provision string being of a given number of digits that changes every given amount of time in such a manner that, every given amount of time, the provision string is subjected to carrying and a new character is added to the rightmost digit of the provision string. A second apparatus transmits an acceptance string to the server apparatus, the acceptance string being input from the second apparatus based on the provision string displayed on the first apparatus. The server apparatus compares the provision string with the acceptance string, and determines that pairing is established between the first apparatus and the second apparatus when the provision string and the acceptance string match each other.

Abstract: A computer-implemented method includes a proxy receiving an authorization message from a load balancer and the proxy selecting an authorization cell from a plurality of authorization cells designated for the proxy in response to receiving the authorization message. The proxy sending a second authorization message to the selected authorization cell and the proxy receiving a response message from the selected cell, wherein the response message corresponds to the second authorization message. The proxy then sending a second response message to the load balancer in response to receiving the response message.

Abstract: Various embodiments include method performed by a processor of a vehicle processing system for misbehavior detection, including receiving first vehicle-to-everything (V2X) information from a first vehicle, receiving second V2X information from neighbor vehicles of the first vehicle, determining a distribution of information in the second V2X information, and performing a security action in response to determining that information in the first V2X information is outside a confidence threshold of the distribution of information in the second V2X information.

Abstract: Dynamic-PKI social Certificate Authority (CA) systems and methods are provided, which generate and issue certificates at time of device deployment instead of time of manufacture. The provided systems and methods utilize an interface to initiate a Certificate Signing Request (CSR), and which then generates and signs the CSR with a public key. The signed CSR is then securely transmitted to a Certificate Signing Request Processor (CSRP), which undergoes an optional verification process and is then processed to return a signed certificate. The signed certificate is then directly or indirectly provided to the device for provisioning into the network.

Abstract: A method for registering and provisioning an electronic device is provided. The method includes a step of inserting a first keypair into a secure element of the electronic device. The first keypair includes a public key and a private key. The method further includes a step of requesting, from a server configured to register and provision connected devices, a provisioning of credentials of the electronic device. The method further includes a step of verifying, by the server, the electronic device credentials. The method further includes a step of registering, by the server, the electronic device. The method further includes a step of transmitting, from the server to the electronic device, a device certificate. The method further includes steps of installing the transmitted device certificate within the secure element of the electronic device, and provisioning the electronic device according to the installed device certificate.

Abstract: A wireless communication network serves a wireless user device with a wireless communication service from a wireless network slice that includes a Virtual Network Function (VNF). The VNF maintains hardware-trust with a distributed ledger. The distributed ledger maintains hardware-trust with the VNF. The VNF delivers the wireless communication service to the wireless user device from the wireless network slice. The VNF generates slice data that characterizes the service delivery. When the VNF maintains the hardware-trust with the distributed ledger, the VNF transfers the slice data to the distributed ledger. When the distributed ledger maintains the hardware-trust with the VNF, the distributed ledger stores the slice data.

Abstract: A public key infrastructure (PKI) ecosystem includes a first organization computer system having a first processor, a first memory, and a first organization process including instructions that are (i) encoded in the first memory, and (ii) executable by the first processor. The ecosystem further includes a second organization computer system having a second processor and a second memory, a digital ledger, and domain name system security extensions (DNSSEC). When executed, the first instructions cause the first processor to create at least one public/private PKI keypair for a first domain name, in the DNSSEC, register the first domain name and create a certificate authority (CA), register the CA in the blockchain, using the CA, create a certificate for a first entity, register the certificate in the blockchain and/or the DNSSEC, and assert, to the second organization computer system, trust in the first entity based on the registered certificate.

Abstract: A communication adapter of a gas turbine engine of an aircraft includes a communication interface configured to wirelessly communicate with an offboard system and to communicate with an engine control of the gas turbine engine, a memory system, and processing circuitry. The processing circuitry is configured to receive an engine control dynamic data recording request from the offboard system, confirm an authentication between the communication adapter and the engine control, transfer the engine control dynamic data recording request received at the communication adapter from the offboard system to the engine control based on the authentication, and transmit an update completion confirmation of the engine control from the communication adapter to the offboard system based on a confirmation message from the engine control.

Abstract: A method at an Intelligent Transportation System (ITS) Transmitting Entity, the method including: generating an ITS message; augmenting the ITS message with an Integrity Report generated by an integrity detection function at the ITS Transmitting Entity to create an augmented ITS message; signing the augmented ITS message with an Authorization Certificate or Ticket, the Authorization Certificate or Ticket including an assurance indication from an Audit Certificate Authority for the integrity detection function; and sending the signed, augmented ITS message to an ITS Receiving Entity.

Abstract: Systems, methods, and devices for offloading network data to a datastore. A system includes a publisher device in a network computing environment. The system includes a subscriber device in the network computing environment. The system includes a datastore independent of the publisher device and the subscriber device, the datastore comprising one or more processors in a processing platform configurable to execute instructions stored in non-transitory computer readable storage media. The instructions includes receiving data from the publisher device. The instructions include storing the data across one or more of a plurality of shared storage devices. The instructions include providing the data to the subscriber device.

Abstract: A blockchain network control system and method is disclosed. The system includes a processor coupled to a storage comprising a plurality of network entity definitions each defining a different network entity that make up a target network architecture for a permissioned blockchain network. The system also includes a control object communicatively coupled to an ordering service and a plurality of organizations. The plurality of organizations was established by the blockchain network control system by instantiating the organizational membership service provider, registering and enrolling each peer node within each organization, storing the cryptographic identity generated for the peer node, and then instantiating the plurality of peer nodes.

Abstract: A request to add tags (e.g., labels, key-value pairs, or metadata) to resources can be digitally signed by the entity making the request, such that the source can be verified and an authorization determination made for each tag. For a request involving multiple services (or entities) that can each add tags, any tag added by a service can be included in the request and digitally signed by that service. Each service processing the request can also digitally sign the request before forwarding, so that each service signs a version of the request, which includes elements signed by other services earlier in the request chain. When the request is received to a tagging service, the service ensures that every tag was digitally signed by the appropriate authorized entity or service, and validates the signatures to ensure that no data was modified or omitted, before adding the tags to the designated resource(s).

Abstract: Techniques for securing digital signatures using multi-party computation. A method includes generating at least one first secret share by a first system, wherein at least one second secret share is generated by one of at least one second system; signing data based on the at least one first secret share when a signing policy is met, wherein the signing is part of an interactive signing process including running a multi-party computation protocol by the first system and the at least one second system, wherein the signed data corresponds to a public key generated based on the plurality of secret shares, wherein the signing policy requires a minimum number of secret shares, wherein shares of one system alone are not sufficient to meet the signing policy, wherein no portion of shares of one system are revealed to the other system during the interactive signing process.

Abstract: A method is provided that includes receiving, at a first access point in a local area network, a request from a client device to access a wireless local area network. The method also includes creating authentication credentials for the client device based on an identification of the client device, and transmitting the authentication credentials for the client device to a second access point, wherein the first access point and the second access point share a secure block chain application. The method also includes allowing the client device to roam from the first access point to the second access point without requesting new authentication credentials. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.

Abstract: RFID technology may be used to provide digital identities for physical items. An RFID IC attached to or integrated into a physical item contains an identifier for the physical item. Digital identity information associated with the item, such as ownership information, history, properties, and the like, may be located on one or more networks. An entity, after authenticating itself and/or the item, may use the identifier to locate, retrieve, and/or update the item's digital identity information on the network.

Abstract: Techniques for a server-based association of a device with a user account are described. In an example, a computer system receives, from a second device, first data of a first device. The first data indicates a request for a first association between the first device and a user account. The computer system determines that the first data is valid based on second data associated with the first device. Based on the first data being valid, the computer system sends, to the second device, third data to initiate a user authentication. The computer system then receives, from the second device, a user identifier based on the user authentication and determines that a second association between the user identifier and the user account already exists. The computer system causes the first association between the first device and the user account to be generated based on the second association.

Abstract: A data linkage system includes a data accumulation system that collects and accumulates data held by an information system; and a control service section that manages access information used by the data accumulation system to connect to the information system. The control service section asks the data accumulation system to test the connection to the information system by using the access information managed by the control service section.

Abstract: Disclosed are systems, methods, and non-transitory computer-readable media for network security using Root of Trust (RoT). A node in the vehicle networking system receives an authentication message from an adjacent node in the vehicle networking system. The authentication message included identifying information of the adjacent node that is digitally signed with a digital signature having been generated using a private key. The adjacent node accessed the identifying information of the second node from a source image authenticated during a secure boot of the adjacent node. The node accesses a public key available to the node and authenticates the adjacent node based on the public key and the digital signature included in the authentication message.

Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data, including at least one of a user name, user address, user email, user phone number, user tax ID, user social security number and user financial account number. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate, and matches that with the user identification data stored in a database.

Abstract: An example operation includes one or more of initiating a transaction of a blockchain by a contributing member of a group to assign a digital data based document to itself or to at least one other member of the group, validating a block of the blockchain associated with the transaction by the contributing member or the at least one other member that are verified, sending an ephemeral location of the document to the contributing member or the at least one other member that are verified, and modifying the document in the ephemeral location by the contributing member or the at least one other member that is verified.

Abstract: A data center 5th-Generation (5G) network encrypted multicast-based authority authentication method, system, and device, and a medium. In the present disclosure, authority authentication and data connection are performed on each platform of a data center by 5G network encrypted multicast, and a network encrypted multicast component is configured on the platform of the data center. An encrypted multicast packet is sent to a network by the platform. Connection is completed by handshaking and mutual heartbeat transmission between the platforms. Authority verification is performed through the multicast packet. In this manner, the problem of security risk of traditional authority authentication may be reduced, and the intercommunication speed and efficiency of each platform of the data center may be improved greatly.

Abstract: An on-boarding server is configured to receive a data set and a manufacturer identifier from a communications device, validate an identity from the data set, and locate a first terminal cryptographic key associated with the manufacturer identifier in a terminal database. The on-boarding server is configured to confirm, using the located first terminal cryptographic key, that the manufacturer identifier received from the communications device was signed with a second terminal cryptographic key. The located first terminal cryptographic key and the second terminal cryptographic key are an asymmetric cryptographic key pair. The on-boarding server is configured to determine an acquirer server from the data set, provide the acquirer server with a merchant identifier, and download to the communications device a payload that includes the merchant identifier.

Abstract: A method, a device, and a non-transitory storage medium are described in which an blockchain-based network information management service is provided. The service provides blockchain mechanisms that allows for the management and disbursement of network information among network devices of a RAN, a core network, and an application layer network. The service may define a structure for the network information that may be used by RAN devices, core devices, and application layer devices of different vendors and third parties.

Abstract: An operations server synchronizes updates to a cloud-based shared versioned file system. The shared versioned file system includes directories and sub-directories that are divided into shards. The operations server coordinates requests from local filer servers, each running a respective local version of the shared versioned file system, to update a shard in the cloud-based shared versioned file system. The operations server can provide a global lock on the shard to a local filer server before it updates the shard in the cloud-based shared versioned file system.

Abstract: A terminal configuration server is configured to associate a terminal identifier with a cryptographic key set, and to provide a communications device with the terminal identifier and the cryptographic key set. The terminal configuration server is configured to receive the terminal identifier from the communications device via a communications network, and establish an encrypted tunnel with a terminal via the communications device and the cryptographic key set. The encrypted tunnel is encrypted end-to-end between the terminal configuration server and the terminal. The terminal configuration server is configured to receive a payload request from the terminal via the encrypted tunnel, locate a payload that is associated with the terminal identifier in the payload database, and download the located payload to the terminal via the encrypted tunnel.

Abstract: A communications device transmits data in preconfigured resources of an uplink of a wireless communications network by performing a procedure to determine whether the communications device can transmit signals in the preconfigured resources of the uplink, and if the communications device determines that it can transmit signals in the preconfigured resources, transmitting signals representing the data in the preconfigured resources. The procedure to determine whether the communications device can transmit signals in the preconfigured resources of the uplink includes a transmission parameter confirmation procedure which confirms that a value of one or more transmission parameters to be used for transmitting the signals representing the data can be used for the signals representing the data to be detected by an infrastructure equipment of the wireless communications network.

Abstract: A system and a method for creating a holistic, flexible, scalable, confidential, low-latency, high-volume, immutable distributed ledger for the financial services and other industries. The system allows a scalable blockchain solution with respect to accessible memory requirements of distributed ledgers or distributed databases with confidentiality in the shared records as well as accommodating low-latency, high-capacity transaction capabilities. The method includes a fundamental, generic, logical representation of financial services life-cycles transactions in terms of variable sets of four simple, sequential components. The optimal process generates a self-validating, variable n-dimensional, multi-hash-linked, interdependent distributed ledger that allows the individual network participants to recreate the ledger without having to refer to or confirm with other network participants.

Abstract: Methods, systems, and apparatuses, including computer storage media and hardware security modules, for performing batch cryptography on hardware security modules. A hardware security module can receive a request to perform one or more cryptographic operations. The request can include a batch data structure storing a plurality of data elements. The hardware security module can unbatch the plurality of data elements, perform one or more cryptographic operations on the plurality of data elements to generate a plurality of outputs, generate an output batch data structure storing the plurality of outputs, and transmit the output batch data structure in response to the request. The request and the batch data structure can be formed in accordance with a batch hardware security module application program interface (API) implemented by the hardware security module.

Abstract: A printer may include a controller configured to: in a case where a predetermined instruction is obtained from a user under a situation where a service state of the printer for receiving a print job providing service from a server is a disabled state, shift the service state from the disabled state to an enabled state; in a case where a registration instruction to register printer information related to the printer in the server is obtained, send the printer information to the server; in a case where the registration instruction is obtained under the situation where the service state is the disabled state, shift the service state from the disabled state to the enabled state without obtaining the predetermined instruction from the user.