Abstract: A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API message to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.

Abstract: A system includes a binary tree having leaf hashes. The leaf hashes include a device privacy protected index and a set of zero-knowledge commitments relating to a computer device. The system calculates the device privacy protected index using a verifiable random function such that a device entity path in the binary tree cannot reveal any information about any other device in the binary tree, and associates the set of zero-knowledge commitments with the device privacy protected index. The system then generates a privacy-protected attestation for the computer device using the device privacy protected index and the set of zero-knowledge commitments.

Abstract: As a default, a global permissions model is established. The global permissions model serves for applying a first set of resource access permissions to shared content objects. Additionally, a set of context-aware access policies that govern user interactions over the shared content object is established. When a particular user requests an interaction over a shared content object, then interaction attributes associated with the request are gathered. The context-aware access policies are applied to the request by determining a set of extensible access permissions that are derived from the interaction attributes. The context-aware access policies are enforced by overriding the first set of resource access permissions with dynamically-determined access permissions. When a particular access request is denied, a response is generated in accordance with the set of extensible access permissions and the user is notified. In some cases, the access request is permitted, but only after the user provides a justification.

Abstract: Methods and systems for configuring a security device, such as an electronic lock, are disclosed. In particular, the present disclosure describes methods and systems for provisioning a lock with a certificate such that any change to the lock, or changes to lock-server communication characteristics, can be detected and (optionally) prevented. As such, security of such devices is improved.

Abstract: Systems and applications are described that use group signature technology to allow for anonymous and/or semi-anonymous feedback while allowing for the application of rules and parameters. The use of group signature technology may serve to potentially mitigate or prevent malicious identification of individuals or entities providing a communication such as feedback. Feedback may range from constructive feedback all the way to the ‘whistleblower’ variety. It may be desirable to identify the individuals as belonging to a particular group or having a particular status or position while maintaining the anonymity of the individuals within the particular group.

Abstract: As described herein, a system, method, and computer program are provided for blockchain-based entity group management. An instance of a blockchain is maintained for each entity group of a plurality of defined entity groups. Further, the instance of the blockchain maintained for each entity group of the plurality of defined entity groups is utilized to manage group membership for the entity group, and control access by members of the entity group to a plurality of services having functionality configured for the plurality of defined entity groups.

Abstract: Provided is a method for assigning a time-to-live (“TTL”) value for a domain name system (“DNS”) record at a recursive DNS server. The method comprises obtaining, from a client, the TTL value for the DNS record; and storing, in a memory of the recursive DNS server, the TLL value, an identifier of the client, and the DNS record.

Abstract: A system and method for preventing use of invalid digital certificates is disclosed. The method comprises receiving, in a validation service from a requesting entity, a cryptographic asset and a request to evaluate the cryptographic asset, the cryptographic asset uniquely assigned to one of the plurality of devices by an associated one of the commercially distinct entities, the request comprising the cryptographic asset, determining an evaluation state of the cryptographic asset at least in part from a database derived from a plurality of public keys currently assigned to the plurality of devices and previously received by the validation service, determining a disposition of the cryptographic asset according to a disposition policy associated with the determined evaluation state and the device and effecting the determined disposition of the cryptographic asset.

Abstract: The present disclosure relates to systems, methods, and computer-readable media for enhancing security of communications between instances of clients and servers while enabling rotation of server certificates (e.g., X.509 certificates). The systems described herein involve updating a client list of server certificates (e.g., a certificate thumbprint) without reconfiguring or re-installing a client and/or server application, starting a new session (e.g., a hypertext transfer protocol secure (HTTPS) session), or deploying new code. The systems described herein may passively or actively update a client list of certificates to enable a client to security verify an identity of a server instance in a non-invasive way that boosts security from man-in-the-middle types of attacks.

Abstract: Two-way secure channels are provided between two parties to a communication with certification being provided by one party. One method comprises providing, by a first entity that provides a certificate authority, a first signed certificate to a second entity, wherein the first signed certificate is signed by the certificate authority and wherein the second entity generates a first request to sign a second certificate generated by the second entity, wherein the first request is generated by the second entity using a first credential generated by the second entity; receiving, from the second entity, (i) the first request to sign the second certificate, and (ii) the first signed certificate; and providing, in response to the certificate authority verifying the first signed certificate, a second signed certificate, signed by the certificate authority, to the second entity; wherein one or more additional communications between the first entity and the second entity use the two-way channel.

Abstract: A system performs digital notarization using a biometric identification service. A signature requesting service receives a request to validate a digital item with a signature for a person. The signature requesting service provides a payload that identifies the digital item and/or the person to an identity service. The identity service obtains one or more digital representations of biometrics for the person, determines an identity for the person, and returns a data structure including the payload and one or more identity attestations regarding the determined identity. The identity service encrypts at least a portion of the data structure using a private encryption key. A public encryption key for the identity service can then be used to decrypt the portion to verify that the data structure was generated by the identity service after determining the identity. In this way, validation can be verified to the full trust level of the identification service.

Abstract: Various embodiments include computing devices and methods for management of access credentials. A processor of a computing device may receive an authentication request from a client application support service to authenticate a client application. The processor may send a response comprising an authentication token to the client application support service. The processor may receive from the client application support service a request for an access token to access a target system. The processor may send a response comprising the access token to the client application support service to enable the client application support service to access the target system using the access token on behalf of the client application.

Abstract: Method and system for issuing public key infrastructure (PKI) certificates in a peer-to-peer wireless communication network, comprising generating, at a first certificate authority (CA) node in the peer-to-peer communication network, a PKI certificate based on public key information received from an applicant node in the peer-to-peer wireless communication network; and transmitting the PKI certificate generated by the first CA node to the applicant node using the peer-to-peer wireless communication network.

Abstract: Disclosed according to various embodiments are an electronic device for opening a communication service and a method for an operation of the electronic device.

Abstract: A system for communicating with multiple vehicles or other electronic devices that share a common media access control (MAC) or other address is disclosed. Upon receiving a certificate signing request (CSR) from a connected device and determining that the device does not have a unique address, the system will generate a unique address for the device and embedding the unique addresses in a certificate, sign the certificate, and transfer the certificate to the device. Then, when the system communicates with the device, the system may use that unique address to identify the device.

Abstract: The present embodiments relate to establishing secure data communication using an Elliptic-curve Diffie-Hellman ephemeral (ECDHE) key agreement procedure. Devices in a network environment can utilize a key agreement procedure to establish secure communication between multiple application layers in a micro service architecture. Particularly, a tunnel can be established between a mobile device and an encryption service by transmitting key information between the mobile device and the encryption service. This can allow for encryption keys to only be accurately generated by the mobile device and encryption service. Accordingly, intermediary nodes may be unable to decrypt the data, allowing for safe and secure transport of sensitive data.

Abstract: A method for using a self-signed digital certificate for establishing a secure connection between an Extensible Provisioning Protocol (EPP) client and a server on a communications network, including: receiving a communicated self-signed certificate from the EPP client; obtaining a unique identifier of the EPP client, the unique identifier associated with a domain name stored in a Domain Name System (DNS); using the unique identifier to access a designated DNS record in a DNS zone of the DNS associated with the domain name; retrieving the copy of the digital certificate from the designated DNS record, the copy of the digital certificate containing a public key of the EPP client bound to the domain name; authenticating the copy of the digital certificate with the communicated self-signed certificate; and receiving a generated session key from the EPP client to establish the secure connection over the communications network with the EPP client.

Abstract: A service provider receives a set of credentials from a customer and a request to access one or more services provided by the service provider. An authentication service of the service provider receives the set of credentials and, based at least in part on the received set of credentials, one or more activities performed by the customer, the customer's user profile, and the system configuration of the customer's computing device, calculates a risk score. The authentication service subsequently utilizes the calculated risk score to determine a credential rotation schedule for the set of credentials. The authentication service updates one or more servers to enforce the new credential rotation schedule and enables the customer to utilize the set of credentials to access the one or more services.

Abstract: Disclosed herein are a number of example embodiments where a proxy node is used in a wireless network to expand the functionality of one or more wireless nodes on the network. The proxy node can include a circuit whose function is made available to an associated wireless node in the wireless network via proxy. The wireless nodes and one or more such proxy nodes can be arranged in a wirelessly connected environment to support a variety of remote management operations, including location tracking, status monitoring, and remote control. In an example embodiment, the wireless nodes can be deployed in a retail store and provide remote management and control over any combination of product display assemblies, locks, power strips, display shelves, display hooks, and other node types.

Abstract: A system for generating unique digital certificates is provided that generates computed hashes public keys and compares them. The system method computes a hash of a public key, compares the computed hash of the public key with hashes of public keys previously generated, generates the digital certificate having the public key and a device identifier only if the computed hash of the public key does not match any of the hashes of public keys previously generated, and provides the digital certificate.

Abstract: One embodiment of the present application sets forth a computer-implemented method for establishing trust for handles used to identify digital objects in a digital object architecture (DOA) by associating a first attester identifier with a first attester from a trusted public key infrastructure (PKI), identifying a first digital object public key for a first digital object, generating, by the first attester, a first digital object identity attestation that associates the first digital object public key with a handle identifier for the first digital object, wherein the handle identifier is external to the trusted PKI, and generating a first attester identity attestation attesting that the first attester is authentic, where the first attester identity attestation includes the first attester identifier.

Abstract: Systems and method for generating and managing certificate authorities. For instance, a certificate service may provide one or more user interfaces for creating certificate authorities, such as a root certificate authority, a subordinate certificate authority, and/or an intermediate certificate authority. For example, a user may use a user device to create a certificate hierarchy. The certificate service may also provide one or more user interfaces for issuing certificates using the certificate authorities. One or more computing resources may then use the end-entity certificates issued from the certificate authority hierarchy for authentication and/or encryption. For security purposes, the certificate authority may also allow the user to set policies representing users that are able to access and/or utilize the certificate authorities to perform actions, such as issuing certificates.

Abstract: A system and method includes mobile device, a SIM associated with mobile device, an MNO computer, a computer associated with an owner of the mobile device, a first set of keys stored in the SIM for securely communicating with the MNO computer, and a second set of keys for securely communicating with the computer associated with the owner of the mobile device, to exchange application information. The SIM can be configured to determine when updated information related to the second set of keys is required, securely send a request to the MNO computer for updated information related to the second set of keys using the first set of keys, and responsively receive the updated information related to the second set of keys from the MNO computer, the updated information being provisioned by the computer associated with the owner of the mobile device.

Abstract: A method includes encrypting a first message that contains a first public key of a first peer, by using a second public key of a second peer; and decrypting a second message sent from the second peer by using a first private key paired with the first public key. The second message includes a write command and is encrypted at the second peer by using the first public key, and contains an encrypted data encrypted by the second peer using the second public key and hashed by using a secret key of the first peer. The first public key, the second public key, the first private key and the secret key are physically unclonable function (PUF)-based keys.

Abstract: In some aspects, methods and systems for a digital trust architecture are provided. In some aspects, the architecture includes a user account provisioning process. The provisioning process may make use of in person verifications of some personal information to ensure authenticity of the user information. Once the authenticity of user information is established, an account may be created. The user account may include a user email account, with integrated access to digital certificates linked to the user account. Account creation may also automatically publish the new user's public key in a publicly accessible directory, enabling encrypted email information to be easily sent to the new user.

Abstract: A method including determining, by a first user device, a sharing encryption key based at least in part on a folder access private key associated with a folder and an assigned public key associated with a second user device; encrypting the folder access private key associated with the folder utilizing the sharing encryption key; and transmitting the encrypted folder access private key to enable the second user device to access the folder. Various other aspects are contemplated.

Abstract: Dynamic directory service object creation and certificate management can be performed. In response to discovering a device connected to a network, a corresponding directory service object can be automatically created, and a digital certificate can be automatically acquired and deployed on the device to facilitate authentication. Further, actions can be logged, and notifications generated based on logged actions. Time involved in deploying and configuring directory services is reduced, efficiency is improved, and there is less of a chance for errors associated with manual configuration.

Abstract: A system and method for signing and authenticating electronic documents using public key cryptography applied by one or more server computer clusters operated in a trustworthy manner, which may act in cooperation with trusted components controlled and operated by the signer. The system employs a presentation authority for presenting an unsigned copy of an electronic document to a signing party and a signature authority for controlling a process for affixing an electronic signature to the unsigned document to create a signed electronic document. The system provides an applet for a signing party's computer that communicates with the signature authority.

Abstract: A system, method, and computer-readable medium are disclosed for implementing a cybersecurity system having a digital certificate reputation system. At least one embodiment is directed to a computer-implemented method executing operations including receiving a communication having an internet protocol (IP) address and a digital certificate at a device within the secured network; determining whether the IP address is identified as having a high-security risk level; if the IP address has a high-security risk level, assigning a security risk level to the digital certificate based on the security risk level of the IP address; and using the security risk level for the digital certificate in executing the one or more security policies. Other embodiments include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices.

Abstract: A proxy revocation service provides a reliable service for performing revocation checks. The proxy revocation service queries public certificate authorities for the revocation status of a set of digital certificates and maintains a database of the revocation statuses. The proxy revocation service provides a singular endpoint that is Application Protocol Interface (API) accessible to web clients. Web clients communicate with the proxy revocation service through use of API message to perform revocation checks, rather than communicating with the public certificate authorities using an online certificate status protocol (OCSP). Use of the proxy revocation service provides both a reliable service for performing revocation checks as well as shifts the complexity away from the web clients.

Abstract: Introduced are systems and methods that enable modification of logs in multiple off-line databases. Multiple off-line devices can mistakenly associate different respondents with the same identification (ID) unique to the system. When the multiple off-line devices synchronize with each other, or synchronize with a server hosting the central database, the software running on the off-line devices, or on the server detects that the modified logs come from different respondents, and the software assigns two different IDs unique to system to the logs. In another embodiment, multiple off-line devices can mistakenly associate the same respondent with two different IDs unique to the system. When the multiple off-line devices synchronize with each other or with the server, the software running on the off-line devices, or the server detects that the modified logs come from the same respondent, and the software assigns the logs to the same ID unique to system.

Abstract: Systems and methods for container orchestration security employ one or more processors that separate a lifecycle of one or more containers into a plurality of predefined container image lifecycle phases; segregates control of the plurality of predefined container image lifecycle phases into a plurality of control environments separately controlled by different enterprise control components isolated from one another. In addition, one or more external processors may generate one or more certificates that are based on the platform, state attributes and meta data for interaction of the container with one or more external nodes. The one or more processors may also control the promotion, update and deletion of container images between the plurality of lifecycle phases and registries in different control environments as well as between the enterprise registries and the plurality of other registries that are part of multiple external clouds.

Abstract: A device, method, or computer program product for conducting a cryptographic operation in a vehicle is disclosed herein. The device is arranged to receive key data and input data, and to conduct a cryptographic computation of the input data to output data using the key data. The cryptographic computation is conducted with or without side channel attack counter measures, which are toggled based on the key data or based on a control input.

Abstract: In an approach for an API key access authorization, a processor receives a transaction identity, a part of a token, and an API key identity attribute from a server. The transaction identity is generated in the server associated with generating the token. A processor receives a request from a client with the transaction identity for the part of the token. A processor looks up a transaction table via the transaction identity as an index. The transaction identity is associated with the part of the token and the API key identity attribute. A processor retrieves a client identity attribute through a second server via an IP address of the client. The second server registers the client. A processor matches a policy via the API key identity attribute and the client identity attribute. A processor sends the part of the token to the client.

Abstract: A certificate transfer system includes a first certificate management host and a certificate transfer management host. The first certificate management host is configured to generate a first certificate, sign an electronic device with the first certificate, and transmit a first Internet address to the electronic device to complete a certificate-issuance operation. The certificate transfer management host is configured to store a transfer device list and a second Internet address. When the first certificate management host receives the first certificate issued by the electronic device, the first certificate management host verifies that the first certificate is correct and determines that if the first certificate matches one of the certificates in the transfer device list, the first certificate management host returns the certificate transfer management host address to the electronic device.

Abstract: An information handling system includes a baseboard management controller and a media controller. The baseboard management controller includes a memory, and an immutable attribute of the baseboard management controller is fused in the memory during a factory process of the information handling system. The baseboard management controller generates a first seed value based on the immutable attribute, generates a first key value based on the first seed value, and provides the first key value. The media controller includes a secure memory and a processor. The processor receives the first key value from the baseboard management controller, and stores, during the factory process, the first key value in the secure memory. The first key value cryptographically links the secure memory to the baseboard management controller.

Abstract: A method and apparatus is provided for updating certificates in a trust chain and managing versions of the trust chain. A first electronic processor determines that a first certificate in a first level of the trust chain is to be updated, updating the first certificate and each certificate in a lower level in the trust chain that is lower than the first level, creates a second version of the trust chain including an updated first certificate and an updated certificate at each lower level in the trust chain, and transmits the second version of the trust chain to one or more entities.

Abstract: A pseudonym certificate management method, performed by a pseudonym certificate management apparatus interworking with an external server, may comprise: receiving, from the external server, a pseudonym certificate in a state locked based on a root value identifiable only by the external server; periodically receiving an unlocking key for the pseudonym certificate from the external server; activating the pseudonym certificate with the unlocking key; and when the activated pseudonym certificate is abnormal, deactivating the pseudonym certificate.

Abstract: A sending device may send data intended for a target device. An intermediate device may intercept the data sent from the sending device and forward the communications to the target device. Security data (e.g., a security certificate for authentication) along with an encrypted version of the security data may be sent at the application layer such that it passes from the sending device, through the intermediate device, and to the target device without being analyzed or modified by the intermediate device. The target device may use the encrypted security data and the security data to verify the identity of the sending device.

Abstract: Provided are embodiments of electronic document processing that include a workflow engine executing a workflow that includes verifying material data of an electronic document, providing a verified copy of the electronic document to a reviewer for review and, in response to receiving approval of the electronic document from the reviewer, obtaining a digital signature of material data of the electronic document from the reviewer. The workflow may include a similar process for multiple reviewers, and providing the electronic document to a processor for processing.

Abstract: An anonymous credential authentication system receives an anonymous credential signature value indicating that setting proposition information using a credential is satisfied from a user device that has been issued the credential combined with multiple pieces of attribute information constituting personal information, generates signer authentication information that confirms a signer of the anonymous credential signature value using an opening key, and outputs the signer authentication information.

Abstract: Systems and methods are provided to allow a smart phone or any terminal to activate a lock using a web site or server computer system. An access control system is provided that includes a server and an access device. The access device includes a processor and a communication module. The process has control of a lock and is able to receive a reservation certificate presented by a portable terminal through the communication module. The processor activates the lock when a current reservation certificate has been presented.

Abstract: A computer-implemented method, a system, and a computer program product for renewing a digital certificate. According to an embodiment of the present invention, the computer-implemented method comprises copying a digital certificate, from a first computer, onto a second computer, and requesting, from the second computer, renewal of the digital certificate by a certificate authority. The method further comprises loading a renewed digital certificate from the certificate authority, and saving the renewed digital certificate on the second computer. The renewed digital certificate is checked, on the second computer, for specified conditions, and the renewed digital certificate is copied from the second computer onto the first computer.

Abstract: A consumer of a software module issues a module certificate that enables a testing entity to automatically validate a software module from a producer of the software module. The consumer receives a request for a module certificate from the producer of the software module. The request indicates attributes of the software module. The consumer determines whether the attributes of the software module are within predetermined limits, and if the attributes are within predetermined limits, the consumer generates and signs the module certificate including the attributes of the software module. The consumer issues the module certificate to the producer of the software module. Once the consumer obtains a software package including the software module and the module certificate from the producer, the consumer directs a testing entity to validate the software module with the module certificate.

Abstract: Described herein is a system and method for validating media integrity using asymmetric key cryptography utilizing a public/private cryptographic key pair. The private key is kept secret and is known to an originator and/or publisher of a media file. The public key is added to the media file and is used to validate integrity of the media file, that is, that content of the media file (e.g., portion(s), frame(s)) has not been altered since publication of the media file. By validating integrity of the media file, strong proof that the media file came from an owner of the keypair (e.g., had possession of the private key) can be obtained, for example, resolving issues of trust and/or authenticity common in altered content. In some embodiments, information regarding an origin of the content can further be determined.

Abstract: During provisioning of a biometric device, a hardware root of trust is established between the biometric device and a server. The biometric device includes a cryptographic processor with a first encryption key stored in secure storage. The first encryption key is used to establish a mutually authenticated communication channel with the server. A set of additional encryption keys between the device and the server are established via the communication channel. Biometric data generated by the biometric device is encrypted using the additional keys and digitally signed. The server receives the encrypted and signed data via the communication channel and verifies the signature. Once the signature is verified, the biometric data is then decrypted. The server then processes the decrypted biometric data. Data that does not arrive via the communication channel, that fails the verification, or that fails decryption is deleted or disregarded.

Abstract: An information processing apparatus is provided. The apparatus performs operations comprising searching for devices connected to a network; displaying a screen for selecting a device to be used from among devices discovered through the search; when the device selected through the screen is a device which can perform encrypted communication and for which a result of processing for verifying a certificate received from the device is a failure, inquiring with a user as to whether to allow or reject communication with that device; and obtaining information of the selected device by communicating with the device when a user operation for allowing the communication has been made in response to the inquiring, and performing control for not establishing encrypted communication with the selected device when a user operation for rejecting the communication has been made.

Abstract: Embodiments of the present application relate to a method, apparatus, and system for verifying an identity of a user. The method includes receiving a preset key that is associated with a key carrier that is a physical object, storing the preset key in a database storing mappings between a plurality of preset keys and a plurality of users, receiving a verification key in connection with an identity verification of a user, retrieving the preset key associated with the user from the database, determining whether the verification key matches the preset key associated with the user, and causing a determination of whether the key carrier is authentic.

Abstract: A public key infrastructure (PKI) ecosystem includes a first organization computer system having a first processor, a first memory, and a first organization process including instructions that are (i) encoded in the first memory, and (ii) executable by the first processor. The ecosystem further includes a second organization computer system having a second processor and a second memory, a digital ledger, and domain name system security extensions (DNSSEC). When executed, the first instructions cause the first processor to create at least one public/private PKI keypair for a first domain name, in the DNSSEC, register the first domain name and create a certificate authority (CA), register the CA in the blockchain, using the CA, create a certificate for a first entity, register the certificate in the blockchain and/or the DNSSEC, and assert, to the second organization computer system, trust in the first entity based on the registered certificate.

Abstract: Embodiments of the present invention provide a method, program, and apparatus that may identify a device by using a virtual code generated based on a unique value of a chip inside a device without a separate procedure for identifying the device. Furthermore, embodiments of the present invention provide a method, program, and apparatus that may generate a virtual code, which is not matched with any other code, whenever a code for identifying a device is requested. Moreover, embodiments of the present invention provide a method, program, and apparatus for identifying a device that may add and use only an algorithm without changing a conventional process.