Abstract: A system and method for managing a trusted connection within a public cloud comprises transmitting a first token and a second token from a cloud service manager to a public cloud controller, initializing a public cloud manager in response to receipt of the first token and the second token, and generate a cloud certificate, and transmitting the cloud certificate and the second token from the public cloud manager to a management plane. The method further comprises establishing a trusted connection between the public cloud controller and the management plane in response to receipt of the cloud certificate and the second token by the management plane.

Abstract: A computer-implemented method includes: receiving, by a computer device, biometric data scanned from a guardian and biometric data scanned from a ward; receiving, by the computer device, data defining a relationship between the guardian and the ward; storing, by the computer device, the biometric data scanned from the guardian, the biometric data scanned from the ward, and the data defining the relationship in a record in a secure database; receiving, by the computer device, a request for validation including scanned biometric data; determining, by the computer device, the scanned biometric data matches the record in the secure database; and transmitting, by the computer device and in response to the determining, data defining an authorization based on the relationship.

Abstract: A device may download a session configuration file from a server over a network, obtain one or more parameters from within the session configuration file, download a content package based on the one or more parameters, and store the content package in a temporary folder. The device may also uncompressing the content package into a content folder in the temporary folder. The content folder includes resources that correspond to widgets in a template, wherein the content folder further includes the template, and wherein the template specifies a layout of the widgets on a page to be output to a display device.

Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data, including at least one of a user name, user address, user email, user phone number, user tax identification (ID), user social security number and user financial account number. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate, and matches that with the user identification data stored in a database.

Abstract: Methods, systems, and devices are described herein for delivering protected data to a trusted execution environment (TrEE) associated with a potentially untrusted requestor. In one aspect, a targeting protocol head may receive a request for protected data from a potentially untrusted requestor associated with a TrEE, and an attestation statement of the TrEE. The targeting protocol head may retrieve the protected data, and obtain a targeting key of the TrEE from, for example, the request in the case of clean room provisioning, or the attestation statement. The targeting protocol head may generate targeted protected data by encrypting the protected data with the targeting key, and provide the targeted protected data to the potentially untrusted requestor, where a private targeting key of the TrEE is required to decrypt the targeted protected data.

Abstract: In one embodiment, a device in a network receives traffic information regarding one or more secure sessions in the network. The device associates the one or more secure sessions with corresponding certificate validation check traffic indicated by the received traffic information. The device makes a self-signed certificate determination for an endpoint domain of a particular secure session based on whether the particular secure session is associated with certificate validation check traffic. The device causes the self-signed certificate determination for the endpoint domain to be used as input to a malware detector.

Abstract: A cryptographic system (100) is provided for distributing certificates comprising a certificate authority device (110) and multiple network nodes (140, 150, 160). A network node (140) sends a public key to the certificate authority device. The certificate authority device (110) generate a certificate comprising the public key, forms an identifier by applying an identity forming function to the certificate and generates local key material specific for the network node by applying a local key material generation algorithm of an identity based key pre-distribution scheme on the identifier, and sends the local key material encrypted to the network node. The network node may be authenticated implicitly through its access to a shared key obtainable from the local key material.

Abstract: Computer-implemented systems and methods for digital content protection and security in multi-computer networks are provided. In one embodiment, a system for cryptographic digital content protection and security is disclosed. The system may include at least one processor, and a storage medium comprising instructions that, when executed, configure the at least one processor to determine specifications of a computer terminal, determine a status of the computer terminal as a public terminal or a private terminal, identify sensitive information in a data transmission, generate output instructions associated with the sensitive information, and provide the data transmission and the output instructions to the computer terminal over a network.

Abstract: An authorization method using provisioned certificates is disclosed. The method includes writing security attributes to fields within a certificate and issuing the certificate to a software application on a principal node. The software application requests to perform actions on one or more resources on a resource node, sending one or more action requests along with a copy of its certificate. The resource node has an agent which verifies the permissions from the certificate and routes the request to its designated resource. The resource node returns one or more messages to the principal node, verifying whether or not complete the requests.

Abstract: A computer-implemented system and method for secure authentication of IoT devices are disclosed. The method for secure authentication of IoT devices comprises establishing a network connection with a network operator server via a control channel, establishing identity of the network operator server using a pre-shared server key, establishing identity of the IoT device using a pre-shared client key and cryptographically generating a session key for a network session to allow secure data exchange between the network operator server and the IoT device. The cryptographically generated session key is used for securely authenticating application running on the authenticated IoT device.

Abstract: An apparatus and system for authenticating features for download to an image scanning apparatus has a client computing device generate an image of a symbol that encodes authentication data. The client computing device hashes a communication parameter of its transceiver, digitally signs the hash value with a private key from public-private key pair, and encodes the hash value, digital signature and the unencrypted communication parameter into the symbol. The image scanning apparatus captures an image of the symbol, decodes the symbol, verifies whether the unencrypted communication parameter corresponds to the hash of the communication parameter, and a public key stored in the memory of the barcode reader corresponds with the private key used to sign the hash value. If the communication parameter corresponds with the hash value and the signature corresponds with the public key, the barcode reader enables its transceiver to download the feature from the client computing device.

Abstract: Methods and systems for encrypting data for a multi-tenant filesystem environment are provided. A system for encrypting data for a multitenant filesystem environment includes a file characteristics module that determines file characteristics for a file. The system also includes a user identification module that collects user identification information for one or more file operations, where a file operation in the one or more file operations is performed on a portion of the file. The system further includes a portion information module that gathers portion information about the portion of the file. Additionally, the system includes an encryption module that associates the portion information with a subtenancy encryption key in one or more subtenancy encryption keys based on the user identification information, where the one or more subtenancy encryption keys are associated with the file.

Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.

Abstract: The present invention provides an information processing apparatus that stores digital certificates. The information processing apparatus selects a digital certificate among the digital certificates stored in the storing unit in accordance with an instruction of a user, obtains an expiration date of the selected digital certificate and revocation information on the selected digital certificate. The information processing apparatus determines validity of the selected digital certificate on a basis of the obtained expiration date and the obtained revocation information and sets the digital certificate determined to be valid as a digital certificate for communication.

Abstract: A method for utilizing a registration authority to facilitate a certificate signing request is disclosed. In at least one embodiment, a registration authority computer may receive a certificate signing request associated with a token requestor. The registration authority may authenticate the identity of the token requestor and forward the certificate signing request to a certificate authority computer. A token requestor ID and a signed certificate may be provided by the certificate authority computer and forwarded to the token requestor. The token requestor ID may be utilized by the token requestor to generate digital signatures for subsequent token-based transactions.

Abstract: Systems and methods are disclosed herein for determining the validity of certificates possessed by a plurality of computer system instances operating under a service of a computing resource service provider. A certificate authority may hold an election to determine an intermediary computer system instance among the plurality of computer system instances to communicate between the certificate authority and the plurality of computer system instances. The intermediary instance may receive a set of certificate fingerprints from the plurality of computer system instances. The intermediary instance may compare the set of certificate fingerprints to a valid certificate fingerprint generated using a valid certificate to determine the validity of certificates possessed by the plurality of computer system instances. The intermediary instance may generate a report based on the determination of the validity of the certificates.

Abstract: In one implementation, a workflow system can include a storage engine and a merger engine. The storage engine maintains a restricted workflow part on a first storage resource and maintains a customizable workflow part on a second storage resource. The merger engine retrieves the restricted workflow part based on the product version and merge the restricted workflow part with the customizable workflow part associated with the restricted workflow part.

Abstract: A network-based service for the management of cryptographic key, such as a key management service (“KMS”), provides a web service application programming interface (“API”). Cryptographic keys managed by the service may be stored in a one or more network-connected cryptographic devices such as network-connected hardware security modules (“HSM”). The key management service maintains metadata associated with the cryptographic keys. When a request is received by the key management service, the key management service uses an identifier provided with the request to identify metadata associated with a cryptographic key used to fulfill the request. The key management service uses the metadata to identify a cryptographic device containing the cryptographic key. The key management service generates a set of commands for fulfilling the request such that the commands are compatible with a protocol implemented by the identified cryptographic device, and the set of commands are sent to the identified cryptographic device.

Abstract: A data storage layer provides enhanced data security. In one implementation, the data storage layer allows selective encryption of specific parts of data blocks, with decryption restricted to pre-determined entities. The selective encryption may be applied to parts of data blocks that are stored in blockchains, for instance, to provide fine grained control over which entities with access to the blockchain can decrypt and use the parts of the data blocks with the enhanced security.

Abstract: Application specific certificate deployment may be provided. An application may generate a security certificate comprising a public key and a first private key. The public key may be stored in a shared segment of a memory store, from where it may be retrieved and signed. The signed public key may be re-deployed and/or used to transmit securely encrypted resources.

Abstract: A method of post-manufacture generation of the device certificate 20 for verifying an electronic device 2 according to a public key infrastructure is provided. The method comprises obtaining, at a certificate generating apparatus 40, a first key 42 associated with the device 2. A second key 22 for the electronic device is derived from the first key 42. The device certificate 20 for the PKI is generated with the second key acting as the public key 22 associated with the device certificate 20. In a corresponding way a private key 24 for the PKI can be generated by the electronic device 2 based on a shared first key 42. This approach enables the manufacturing cost for manufacturing an electronic device to be reduced whilst still enabling use of a PKI for attesting to properties of the device 2.

Abstract: Disclosed are a system, method and devices for simultaneous MACsec key agreement (MKA) negotiation between the devices. The present application controls a basic TLV message exchange between supplicant and authenticator in case of race condition to establish the secure association key (SAK) channel. The present application by controlling a basic TLV message exchange enables to establish a secure channel in race condition and achieves a high reliability of the product as this makes product launch MACsec services quickly and available for the service. Accordingly, when both sides (two supplicants) exchange hello with basic TLV at the same time, triggering the race condition, drops first message from the authenticator at supplicant and update the peer MN and the supplicant will not send reply. The authenticator when send next message (basic+potential peer TLV) with peer MN incremented by 1, the supplicant will respond with incremental message with live peer TLV.

Abstract: Some embodiments relate to a blockchain transaction device arranged to generate a transaction for a blockchain. The blockchain transaction device is configured to generate a transaction, said transaction comprising a signature, by calling a signing interface of a cryptographic kernel application to obtain the signature for the transaction. The cryptographic kernel application is configured to access a high security data area and compute the signature from a private key.

Abstract: Methods and systems generate an attributed network for tracing transmitted data that is attributable to a user. A digital registration certificate includes an identity marker and a verified privity marker. The digital registration certificate is registered with an immutable entry in a registry, with the immutable entry also storing the identity marker and referencing the verified privity marker, and with retrieval of the digital registration certificate being required to access the attributed network. A client device requests to access the attributed network, and the systems and methods authenticate a user of the client device by verifying biometric login data as matching the identity marker included in the immutable entry in the registry. The digital registration certificate is obtained from the registry. A virtual browser configured for accessing the attributed network packages the digital registration certificate with data specified by the client device.

Abstract: The present specification discloses a service authorization method, apparatus and device.

Abstract: A machine implemented method of communication between server and remote device, the method comprising: determining an availability and address of the remote device on a network for communication with the server; obtaining a public key attributed to the remote device; signing the public key attributed to the remote device with a private key of the server and so generating a digitally signed certificate to verify the ownership of the public key as the remote device; and transmitting the digitally signed certificate to the remote device.

Abstract: An apparatus includes a processor coupled to a memory wherein the processor and the memory are configured to provide a secure execution environment. The memory includes a shared secret value. The processor is configured to receive a certificate, wherein the certificate includes a device identifier and a digital signature. The processor validates the certificate based on the digital signature and the device identifier, recovers a cryptographic key based on the shared secret value and the device identifier, and performs a cryptographic operation based on the recovered cryptographic key.

Abstract: A computing platform implements one or more secure enclaves including a first provisioning enclave to interface with a first provisioning service to obtain a first attestation key from the first provisioning service, a second provisioning enclave to interface with a different, second provisioning service to obtain a second attestation key from the second provisioning service, and a provisioning certification enclave to sign first data from the first provisioning enclave and second data from the second provisioning enclave using a hardware-based provisioning attestation key. The signed first data is used by the first provisioning enclave to authenticate to the first provisioning service to obtain the first attestation key and the signed second data is used by the second provisioning enclave to authenticate to the second provisioning service to obtain the second attestation key.

Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. A redirecting module redirects the self-signed certificate chain to an authentication server. The authentication server is also provided a user name, password and verifying computer address, which is stored in a password database by the authentication server, in association with the self-signed certificate. Subsequent communications intended for the verifying computer with the self-signed certificate are redirected to the authentication server, which looks up the associated user name and password and transmits the associated user name and password to the verifying computer.

Abstract: An example system for securely provisioning computerized devices of a plurality of tenants includes a Security Credential Management System (SCMS) host that is communicatively connected to the devices and is operable to receive provisioning requests from computerized devices needing certificates. Each provisioning request indicates a tenant identifier (ID) uniquely identifying a tenant of the plurality of tenants. The system also includes a registration authority communicatively connected to the SCMS host and operable to transmit requests to SCMS backend components.

Abstract: Technical problems and their solution are disclosed regarding the location of mobile devices requesting services near a site from a server. Embodiments adapt and/or configure the transmitting device near the site, the mobile device communicating with the transmitting device using a short haul wireless communications protocol to deliver a token based upon a key shared with the server but invisible to the mobile device. The server can determine the proximity of the mobile device to the site to control actuation of the requested service or disable the service request, and possibly flushing the service request from the server.

Abstract: Methods of accessing a remote resource from a data processing device A method of accessing a remote resource from a data processing device for providing a rich user interface on a client device, the method comprising: pushing, from the data processing device, a first type of data comprising user interface resources to the remote resource; generating, on the data processing device, a second type of data comprising operational data relating to the operation of the data processing device; pushing from the data processing device, the second type of data, to the remote resource.

Abstract: In a synchronization system including a local terminal, latest metadata of a file in a local storage and latest metadata of a file in the server storage are managed in a first tree database, which is a virtual database in a local terminal, and each of the local terminals is allowed to upload or download a changed file on the basis of the metadata in the first tree database so that a conflict that may occur due to multiple users simultaneously changing files can be minimized.

Abstract: Disclosed is a method and apparatus for establishing a connection of a wireless communication interface between a client and a server using Bluetooth Low Energy (LE).

Abstract: In one embodiment, a method comprises: forwarding, by a root network device in a low power and lossy network, an authentication message to a constrained child network device having attached to the root network device, the authentication message generated by an authenticator device and specifying a certificate associated with the authenticator device; receiving a second authentication message destined for a second constrained network device via the constrained child network device; removing, from the second authentication message, the certificate; and outputting, by the root network device, the modified second authentication message that does not include the certificate toward the second constrained network device via the constrained child network device, the modified second authentication message causing the constrained child network device to restore the second authentication message for delivery to the second constrained network device, based on insertion of the certificate back into the modified second aut

Abstract: A device assists an embedded Universal Integrated Circuit Card (eUICC) resident in the device with verification of public key information or of security materials. The verification provided by the device can be configured by the user and/or by the eUICC. The verification includes checking for expiration of public key information or presence of an associated public key in a trusted list. The trusted list in some instances includes pinning hash values. The device can warn an end user and/or an infrastructure entity, of an issue if the verification fails. An extension of certificate revocation lists includes a logical indication of at least one new public key in a CRL list. A CRL data field may also indicate a previous CRL, where the previous CRL is the most recent CRL containing a public key listing with at least one new entry.

Abstract: Systems, computer products, and methods are described herein for an improved secure certificate system for identifying potential authorized and unauthorized interactions between a web browser and a website. The certificate system utilizes stored certification requirements (e.g., pinned certification requirements, third-party certification requirement system, or the like), and compares the stored certification requirements with received certification requirements. The system may notify the user or prevent the interaction between the web browser and website when the stored certification requirements do not meet the received certification requirements (e.g., a threshold requirement of certificates to validate, validated certificates, or the like). The certificate system allows the interaction between the web browser and website when the stored certification requirements meet the received certification requirements and the website is verified based on the certification requirements.

Abstract: A public key infrastructure (PKI) ecosystem includes a first organization computer system having a first processor, a first memory, and a first organization process including instructions that are (i) encoded in the first memory, and (ii) executable by the first processor. The ecosystem further includes a second organization computer system having a second processor and a second memory, a digital ledger, and domain name system security extensions (DNSSEC). When executed, the first instructions cause the first processor to create at least one public/private PKI keypair for a first domain name, in the DNSSEC, register the first domain name and create a certificate authority (CA), register the CA in the blockchain, using the CA, create a certificate for a first entity, register the certificate in the blockchain and/or the DNSSEC, and assert, to the second organization computer system, trust in the first entity based on the registered certificate.

Abstract: A security event that is associated with one or more communication devices is detected. For example, the security event may be an unexpected change in data being sent from a communication device outside an enterprise. In response to detecting the security event, a Virtual Service Network (VSN) is created that isolates one or more communication devices that may pose a security risk. A corrective action to mitigate the security event is then implemented. For example, the corrective action may be to dynamically instantiate a firewall on the VSN that blocks the transfer of data from the communication device outside the enterprise. This allows an administrator to review the security event and take further action if necessary. Because the VSN with the firewall is created dynamically, the network remains secure while the security event is investigated.

Abstract: A encrypted verification system and method includes detecting an attempt to access a service requiring multi-factor authentication from a first user computing device, requesting a trusted platform module (TPM) public key of a second user computing device, the second user computing device being coupled to the first user computing device, generating a nonce in response to receiving the TPM public key of the second user computing device, sending the nonce for signature by a TPM private key of the second user computing device, receiving a signed nonce, wherein the signed nonce is signed by the TPM private key and decrypted using the TPM public key of the second user computing device, and determining that a value of the signed nonce matches a value of the nonce to authenticate the first user computing device and allowing access to the service.

Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.

Abstract: An electronic device, having a communication module for wireless data communication with a further electronic device, which is distinguished in that the electronic device is configured to use at least one quantitative value in order to characterize a spatial reference of the electronic device to the further electronic device in order to secure the wireless data communication, with the further electronic device. Furthermore, an aspect of the invention relates to a vehicle system having at least one electronic device according to an aspect of the invention as well as a corresponding method.

Abstract: A secure industrial control system is disclosed herein. The industrial control system includes a plurality of industrial elements (e.g., modules, cables) which are provisioned during manufacture with their own unique security credentials. A key management entity of the secure industrial control system monitors and manages the security credentials of the industrial elements starting from the time they are manufactured up to and during their implementation within the industrial control system for promoting security of the industrial control system. An authentication process, based upon the security credentials, for authenticating the industrial elements being implemented in the industrial control system is performed for promoting security of the industrial control system. In one or more implementations, all industrial elements of the secure industrial control system are provisioned with the security credentials for providing security at multiple (e.g., all) levels of the system.

Abstract: A computer-implemented method for distributing digital certificates. A request for a digital certificate is received from a requesting system. A deployment challenge is sent to the trust agent running on the requesting system. A response to the deployment challenge is received from the trust agent running on the requesting system. The response to the deployment challenge is evaluated to determine whether the response is correct. The digital certificate is distributed to the requesting system in response to a determination that the response to the deployment challenge is correct.

Abstract: A method for leveraging a first secure channel of communication between a first agent and a second agent to create a second secure channel of communication between the first agent and a third agent. The method includes creating the first secure channel of communication between the first agent and the second agent using a configurable data-driven initial process on a first computing device. Responsive to the first agent receiving a request from the third agent to establish the second secure channel of communication, the method further includes retrieving identifying information from the third agent. The method further includes ending the identifying information from the third agent to the second agent over the first secure channel of communication. Responsive to receiving approval of the third agent's request from the second agent, the method further includes establishing the second secure channel of communication.

Abstract: A system and non-transitory computer program product for distributing digital certificates. A request for a digital certificate is received from a requesting system. A deployment challenge is sent to the trust agent running on the requesting system. A response to the deployment challenge is received from the trust agent running on the requesting system. The response to the deployment challenge is evaluated to determine whether the response is correct. The digital certificate is distributed to the requesting system in response to a determination that the response to the deployment challenge is correct.

Abstract: The embodiments herein relate to a method in a mobility management node (108) for handling overload in a communications network (100). When overload in the communications network (100) has been detected, the mobility management node (108) receives information indicating at least one blocked IP address to which access should be blocked. The mobility management node (108) receives a communication request message from a UE (101) via a RAN node (105). The communication request message is a request for communication by the UE (101). The mobility management node (108) determines that the UE's (101) request for communication should be rejected when the UE (101) is associated with a blocked IP address.

Abstract: Scalable method and system for secure sharing of encrypted information in a cloud system, the encrypted information being encrypted only once, and each user joining and accessing a shared folder by individual encrypted key material transferred.

Abstract: Trusted beacon based location determination system and method is disclosed. An electronic beacon broadcasts a cryptographically signed beacon identifier to listening devices. Listening devices are configured to verify the integrity of the cryptographically signed beacon identifier by using the beacon's public key. Listening devices may also be configured to verify the validity of the public key by verifying a digital certificate corresponding to the beacon. Listening devices may be configured with location-based functionality that determines a relative location of the listening device if the cryptographically signed beacon identifier is verified.

Abstract: A web server receives a packet including a web request from a browser of a client. The request includes a session cookie comprising a client token and a session identifier. A secret session token is calculated based on the session identifier and header data that includes data from one or more packet header fields. The web request is processed if the secret session token matches the client token and blocked otherwise. Determining the secret session token may include hashing the session identifier, at least a portion of a user agent string included in a user agent header of the web request, and at least a portion of a source IP address included in an IP header of the packet. The secret session token may have been provided to the client as a session cookie included in a response to an initial web request from the client.