By Certificate Patents (Class 713/156)
  • Patent number: 10805071
    Abstract: Scalable method and system for secure sharing of encrypted information in a cloud system, the encrypted information being encrypted only once, and each user joining and accessing a shared folder by individual encrypted key material transferred.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: October 13, 2020
    Assignee: INVENIA AS
    Inventors: Terje Wold, Trygve Sanne Hardersen
  • Patent number: 10785647
    Abstract: Trusted beacon based location determination system and method is disclosed. An electronic beacon broadcasts a cryptographically signed beacon identifier to listening devices. Listening devices are configured to verify the integrity of the cryptographically signed beacon identifier by using the beacon's public key. Listening devices may also be configured to verify the validity of the public key by verifying a digital certificate corresponding to the beacon. Listening devices may be configured with location-based functionality that determines a relative location of the listening device if the cryptographically signed beacon identifier is verified.
    Type: Grant
    Filed: December 3, 2018
    Date of Patent: September 22, 2020
    Assignee: Proxidyne, Inc.
    Inventor: Timothy James Perfitt
  • Patent number: 10778668
    Abstract: A web server receives a packet including a web request from a browser of a client. The request includes a session cookie comprising a client token and a session identifier. A secret session token is calculated based on the session identifier and header data that includes data from one or more packet header fields. The web request is processed if the secret session token matches the client token and blocked otherwise. Determining the secret session token may include hashing the session identifier, at least a portion of a user agent string included in a user agent header of the web request, and at least a portion of a source IP address included in an IP header of the packet. The secret session token may have been provided to the client as a session cookie included in a response to an initial web request from the client.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: September 15, 2020
    Assignee: Dell Products L.P.
    Inventors: Abhijeet Bhattacharya, Rajeev Arakkal
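    The binding the abstract describes, as an added example that is not part of the patent or of Dell's code: the server derives the token from the session id plus a portion of the User-Agent and of the source IP, and recomputes it on every request. The choices below (a keyed HMAC rather than a bare hash, the leading UA product token, a /24 or /64 prefix of the source address, and the secret key literal) are this example's assumptions, not the patent's.

```python
import hashlib
import hmac
import ipaddress

# Server-side key for the token HMAC. Assumption: in production this comes from a
# secret store and is rotated; the literal here is a constructed example value.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"


def ip_portion(addr: str) -> str:
    """Keep only the routing prefix of the source address (/24 for IPv4, /64 for IPv6).
    Assumed design choice: a client moving inside a NAT pool keeps its session, while a
    cookie replayed from another network does not match."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def ua_portion(user_agent: str) -> str:
    """Keep only the leading product token (e.g. 'Mozilla/5.0') so that minor browser
    updates inside the session lifetime do not invalidate the token."""
    return user_agent.split(" ", 1)[0]


def secret_session_token(session_id: str, user_agent: str, source_ip: str) -> str:
    """The token the abstract describes: a hash over the session id, part of the UA
    string and part of the source IP. A keyed HMAC is used instead of a bare hash so a
    client cannot compute a matching token for a session id it has guessed or stolen."""
    msg = "|".join((session_id, ua_portion(user_agent), ip_portion(source_ip))).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_session_cookie(session_id: str, user_agent: str, source_ip: str) -> dict:
    """Cookie returned with the response to the client's initial request."""
    return {"sid": session_id,
            "token": secret_session_token(session_id, user_agent, source_ip)}


def request_allowed(cookie: dict, user_agent: str, source_ip: str) -> bool:
    """Recompute the token from the current packet's header data and compare it in
    constant time with the client token carried in the cookie."""
    expected = secret_session_token(cookie.get("sid", ""), user_agent, source_ip)
    return hmac.compare_digest(expected, str(cookie.get("token", "")))
```

    The practical caveat is the false-reject rate: binding to the full source IP logs out mobile clients whose address changes mid-session, which is why only a prefix is used here, and binding to the full UA string breaks sessions on browser auto-updates. Neither portion stops an attacker who captures the cookie from the same network with the same browser, so this is defence in depth on top of TLS and HttpOnly/Secure cookies, not a replacement for them.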
  • Patent number: 10778446
    Abstract: A method and system for detecting vulnerable root certificates in container images are provided. The method includes receiving an event to scan at least one container image hosted in a host device, wherein the at least one container image includes resources utilized to execute, by the host device, at least a respective software application container; extracting contents of layers of the at least one container image; scanning the extracted contents to generate a first list designating all root certificates included in the at least one container image; generating a second list designating all root certificates trusted by the host device; comparing the first list to the second list to detect at least one root certificate designated in the first list but not in the second; and determining the at least one detected root certificate as vulnerable.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: September 15, 2020
    Assignee: Twistlock, Ltd.
    Inventors: Dima Stopel, John Morello, Liron Levin
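    The list comparison at the heart of the abstract, as an added example that is not the patent's or Twistlock's code: fingerprint every certificate found in each image layer, fingerprint the host's trust store, and report what is in the image but not on the host. The PEM bundles here are constructed placeholders (the DER blobs are not real certificates), and scanning is reduced to "strings handed in as layers"; extracting a real image's layer tarballs and locating its trust-store paths is outside this snippet.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(bundle: str) -> set:
    """SHA-256 fingerprints of the DER bytes of every certificate in a PEM bundle.
    Hashing the DER rather than the PEM text makes the comparison immune to the
    line-wrapping and whitespace differences seen between distributions."""
    return {fingerprint(base64.b64decode("".join(m.group(1).split())))
            for m in PEM_CERT.finditer(bundle)}


def untrusted_roots(image_layers: list, host_bundle: str) -> list:
    """Fingerprints present in any layer of the image but absent from the host's
    trust store: the 'first list minus second list' of the abstract. Every layer is
    scanned on its own because a file deleted in a later layer is still present in
    the earlier layer's tarball and can be recovered from the image."""
    host = bundle_fingerprints(host_bundle)
    seen = set()
    for layer in image_layers:
        seen |= bundle_fingerprints(layer)
    return sorted(seen - host)


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed placeholder blobs standing in for real DER-encoded root certificates.
HOST_ROOT_A = b"\x30\x82\x01\x00 constructed host root A"
HOST_ROOT_B = b"\x30\x82\x01\x00 constructed host root B"
ROGUE_ROOT = b"\x30\x82\x01\x00 constructed root injected into the image"

HOST_BUNDLE = to_pem(HOST_ROOT_A) + to_pem(HOST_ROOT_B)
IMAGE_LAYERS = [
    to_pem(HOST_ROOT_A),                       # base image: a root the host also trusts
    to_pem(ROGUE_ROOT) + to_pem(HOST_ROOT_B),  # application layer adds an unknown root
]
```

    Two things a practitioner adds on top of this: the image's own trust store locations (ca-certificates.crt, /etc/pki/tls/certs, JVM cacerts, language-runtime bundles) each need their own parser, and "not trusted by the host" is only a heuristic for "vulnerable"; a hit still has to be reviewed, since a deliberately pinned private CA is legitimate while a development root left in a production image is not.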
  • Patent number: 10771251
    Abstract: A method includes verifying the identity of an individual. A virtual passport for the individual is created upon verifying the identity of the individual. The virtual passport uniquely identifies the individual. A public/private key pair associated with the individual is generated. The virtual passport is signed with the private key. The signed virtual passport is entered in a public block chain. The signed virtual passport may be retrieved from the public block chain. The authenticity of the signed virtual passport may be determined via the public key.
    Type: Grant
    Filed: May 14, 2019
    Date of Patent: September 8, 2020
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Ashish B. Kurani, Wayne Barakat, Martin Barrs, Dominik Vltavsky
  • Patent number: 10771451
    Abstract: A system and method for integrating hierarchical authentication systems and non-hierarchical authentication systems. The system and method are provided in one configuration as a mobile app that allows a mobile device to access highly sensitive data while simultaneously ensuring a highly secured environment, utilizing both hierarchical authentication systems and non-hierarchical authentication systems to provide a highly reliable authentication process.
    Type: Grant
    Filed: February 15, 2019
    Date of Patent: September 8, 2020
    Assignee: Queralt, Inc.
    Inventor: Michael Queralt
  • Patent number: 10771260
    Abstract: Embodiments describe apparatuses, systems, and methods for analyzing digital certificates. A system may scan the internet to identify all publicly available digital certificates. The system may further determine external information for individual digital certificates that is not found within the digital certificate. The system may store the external information and internal information that is found within the digital certificates. The system may run one or more queries on the stored information to identify one or more vulnerable digital certificates among a set of digital certificates associated with a client. For example, the system may identify differences between the internal information and/or external information among the digital certificates of the set and/or may compare the internal information and/or external information for the digital certificates of the set to expected information. Other embodiments may be described and claimed.
    Type: Grant
    Filed: June 16, 2016
    Date of Patent: September 8, 2020
    Assignee: Vellitas LLC
    Inventors: Seth Martin Shearer, Spencer Vernon Shearer
  • Patent number: 10771245
    Abstract: Systems and methods are provided for managing data across a network based on multiple keys assigned to different participants in association with the data. One exemplary method includes identifying, by an originating party, a relying party, identifying data relevant to at least one interaction between the originating party and the relying party, and encrypting the data based on a secret. The method also includes generating a key set based on the secret, where the key set has at least three keys and is structured such that the secret is derivable from at least two of the at least three keys, and disseminating a first key of the key set and the encrypted data to a control party and disseminating a second key of the key set to the relying party.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: September 8, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Keyur Patel
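    A key set "structured such that the secret is derivable from at least two of the at least three keys" is a 2-of-3 threshold scheme, and the standard construction for it is Shamir secret sharing. The following is an added example, not the patent's or Mastercard's code: it splits a symmetric key into three shares over a prime field, hands share 1 (with the ciphertext) to the control party, share 2 to the relying party and keeps share 3, and reconstructs from any two. The field prime, the party names and the ciphertext placeholder are this example's assumptions; encryption of the data itself is left to a real AEAD.

```python
import secrets

P = 2**521 - 1  # Mersenne prime; any secret of up to 64 bytes is a field element


def split_secret(secret: bytes, n: int = 3, k: int = 2) -> list:
    """Shamir split: a random polynomial of degree k-1 with the secret as its constant
    term; share i is the point (i, f(i)). Any k shares determine f(0); fewer than k are
    consistent with every possible secret, so they leak nothing."""
    s = int.from_bytes(secret, "big")
    if not (1 < k <= n < P):
        raise ValueError("need 1 < k <= n")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]


def recover_secret(shares: list, length: int) -> bytes:
    """Lagrange interpolation at x = 0 over k (or more) distinct shares."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total.to_bytes(length, "big")


def disseminate(secret: bytes, ciphertext: bytes) -> dict:
    """Distribution pattern from the abstract: the control party receives share 1 and
    the encrypted data, the relying party share 2, and the originating party keeps
    share 3. No single holder can decrypt; any two of the three can."""
    s1, s2, s3 = split_secret(secret, n=3, k=2)
    return {"control_party": {"share": s1, "ciphertext": ciphertext},
            "relying_party": {"share": s2},
            "originating_party": {"share": s3}}
```

    The security property is information-theoretic: one share alone is a uniformly random field element. What plain Shamir does not give you is integrity of the shares. A party that submits a corrupted share makes reconstruction silently produce a wrong key, so a deployment wants either verifiable secret sharing or a hash of the secret alongside the ciphertext so a bad reconstruction is detected before use.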
  • Patent number: 10764067
    Abstract: An on-ledger certificate authority operates a node of a distributed ledger that controls a certificate issuance store and a certificate revocation store. When the certificate authority issues a certificate, the node issues a ledger transaction with an instruction to store a validation hash of the certificate in the issuance store, and when a certificate is revoked, a ledger transaction with an instruction to store the serial number of the certificate in the revocation store. As such transactions propagate throughout the ledger, the instructions are executed by on-ledger verifiers in their local replicas of the stores. An on-ledger verifier validates a certificate by verifying that its serial number is not in the revocation store while its validation hash is in the verifier's replica of the issuance store.
    Type: Grant
    Filed: May 18, 2017
    Date of Patent: September 1, 2020
    Assignee: Pomian & Corella, LLC
    Inventors: Karen Pomian Lewison, Francisco Corella
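    The verifier rule in the abstract (valid only if the validation hash is in the issuance store and the serial is not in the revocation store) and the way replicas lag behind the ledger are easy to show with a small model. This is an added example, not code from the patent or from Pomian & Corella: the "ledger" is a plain Python list, the "certificate" is a dict hashed over a canonical JSON encoding, and each verifier executes transactions into its own two sets.

```python
import hashlib
import json


def validation_hash(cert: dict) -> str:
    """Hash of a canonical encoding of the certificate. Assumption: a dict stands in for
    the real certificate; with X.509 this would be the hash of the DER bytes."""
    return hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()


class OnLedgerCA:
    """CA node: every issuance and revocation becomes a ledger transaction."""

    def __init__(self, ledger: list):
        self.ledger = ledger  # constructed stand-in for the distributed ledger

    def issue(self, cert: dict) -> None:
        self.ledger.append({"op": "issue", "hash": validation_hash(cert)})

    def revoke(self, cert: dict) -> None:
        self.ledger.append({"op": "revoke", "serial": cert["serial"]})


class VerifierReplica:
    """A verifier's local replica of the issuance and revocation stores, built by
    executing ledger transactions in order."""

    def __init__(self):
        self.issuance = set()
        self.revocation = set()
        self.applied = 0  # index of the next ledger transaction to execute

    def sync(self, ledger: list, upto=None) -> None:
        """Execute transactions [applied, upto); upto=None means the whole ledger."""
        end = len(ledger) if upto is None else upto
        for tx in ledger[self.applied:end]:
            if tx["op"] == "issue":
                self.issuance.add(tx["hash"])
            elif tx["op"] == "revoke":
                self.revocation.add(tx["serial"])
            else:
                raise ValueError(f"unknown ledger op {tx['op']!r}")
        self.applied = max(self.applied, end)

    def validate(self, cert: dict) -> bool:
        """Valid iff the hash is in the issuance store and the serial is not revoked."""
        return (validation_hash(cert) in self.issuance
                and cert["serial"] not in self.revocation)
```

    The issuance-store check is what distinguishes this from a revocation list: a certificate that was never issued through the ledger fails even if its serial is unknown to the revocation store. The flip side is the propagation window, which the model makes explicit: a replica that has not yet executed the revoke transaction still accepts the certificate, so a verifier's freshness requirement (how far behind the ledger head it tolerates) is a security parameter, not an operational detail.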
  • Patent number: 10762499
    Abstract: Measures, including methods, apparatus and computer software are provided for processing electronic tokens. An authorization request is received in relation to processing of an electronic token. An identifier for a user terminal associated with the electronic token, and an account, are determined on the basis of the authorization request. In some arrangements, a location query for the user terminal is performed on the basis of the determined identifier, whereby to determine a location of the user terminal on the basis of a proximity of the user terminal to one or more base stations in a cellular telecommunications network. In some arrangements, a challenge message is sent to the user terminal, to establish a confidence that the transacting user terminal is the designated user terminal. Processing of the electronic token in relation to the account is selectively authorized on the basis of the result of the location query or challenge response.
    Type: Grant
    Filed: January 22, 2016
    Date of Patent: September 1, 2020
    Assignee: VISA EUROPE LIMITED
    Inventors: Boris Taratine, Malcolm Lewis
  • Patent number: 10764328
    Abstract: An encrypted link is established with multiple ciphers. During a handshake protocol when establishing a secure session, at least two sets of cipher suites are transmitted to a server by a client. A choice cipher suite for each set of the at least two sets of cipher suites is received by the client from the server. The client selects a first choice cipher suite from among the choice cipher suites received from the server. The client establishes a connection with the server using the first choice cipher suite to encrypt the connection.
    Type: Grant
    Filed: November 3, 2017
    Date of Patent: September 1, 2020
    Assignee: International Business Machines Corporation
    Inventors: Sachin C. Punadikar, Pushkaraj B. Thorat, Sasikanth Eda, Sandeep R. Patil
  • Patent number: 10747526
    Abstract: A method includes creating, by system firmware at an information handling system, a virtual Advanced Configuration and Power Interface (ACPI) bus device. A management service event is registered by a bus device driver corresponding to the virtual ACPI bus device. The management service event, when executed, determines whether a target device is in a condition to receive revised firmware.
    Type: Grant
    Filed: June 21, 2018
    Date of Patent: August 18, 2020
    Assignee: Dell Products, L.P.
    Inventors: Balasingh Ponraj Samuel, Steven A. Downum, Anand P. Joshi
  • Patent number: 10749897
    Abstract: In one embodiment, a distributed denial of service attack on a network is identified. In response to the distributed denial of service attack, a script to request a short term certificate is executed. The short term certificate is generated by a certificate server and received either directly or indirectly from the certificate server. An instruction to redirect traffic using the short term certificate and private key is sent to a distributed denial of service attack protection service that is operable to filter or otherwise mitigate malicious traffic involved in the distributed denial of service attack.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: August 18, 2020
    Assignee: Cisco Technology, Inc.
    Inventors: Tirumaleswar Reddy, Daniel Wing, Prashanth Patil
  • Patent number: 10735457
    Abstract: A process to investigate intrusions with an investigation system is disclosed. The process receives forensic facts from a set of forensic events on a system or network. A suspicious fact is identified from the forensic facts. A related fact from the forensic facts is identified based on the suspicious fact.
    Type: Grant
    Filed: October 3, 2017
    Date of Patent: August 4, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Mohamed Rouatbi, Julian Federico Gonzalez, Jr., Marcus Peinado, Mariusz H. Jakubowski, Svetlana Gaivoronski
  • Patent number: 10735461
    Abstract: Provided is a method for assigning a time-to-live (“TTL”) value for a domain name system (“DNS”) record at a recursive DNS server. The method comprises obtaining, from a client, the TTL value for the DNS record; and storing, in a memory of the recursive DNS server, the TTL value, an identifier of the client, and the DNS record.
    Type: Grant
    Filed: October 21, 2015
    Date of Patent: August 4, 2020
    Assignee: VERISIGN, INC.
    Inventor: Denis Phillips
  • Patent number: 10735192
    Abstract: A method of managing a token and a server for performing the same are provided. According to the embodiments of the present disclosure, it is possible to easily authenticate a counterpart device using a one-time key HN(T) for a D2D communication between a first device and a second device, without using a separate secure channel (e.g., secure sockets layer (SSL), transport layer security (TLS), or the like) in an environment where it is difficult to synchronize the first device with the second device without intervention of a server.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: August 4, 2020
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Sung-Min Kim, Mi-Ran Kim, Nam-Soo Jeon, Won-Kyoung Kim, Hyo-Jin Yoon, Ki-Young Kim, Jang-Hyuk Ahn
  • Patent number: 10733272
    Abstract: There is provided a control apparatus including a secure storage unit and a processing unit that controls a control target on the basis of authentication information that is stored in the secure storage unit and authenticated by an authentication apparatus. The processing unit controls the control target by controlling execution of an application.
    Type: Grant
    Filed: June 21, 2016
    Date of Patent: August 4, 2020
    Assignee: SONY CORPORATION
    Inventor: Shuichi Sekiya
  • Patent number: 10733178
    Abstract: Provided are embodiments of electronic document processing that include a workflow engine executing a workflow that includes verifying material data of an electronic document, providing a verified copy of the electronic document to a reviewer for review and, in response to receiving approval of the electronic document from the reviewer, obtaining a digital signature of material data of the electronic document from the reviewer. The workflow may include a similar process for multiple reviewers, and providing the electronic document to a processor for processing.
    Type: Grant
    Filed: August 1, 2018
    Date of Patent: August 4, 2020
    Assignee: Saudi Arabian Oil Company
    Inventor: Majid Alroqaie
  • Patent number: 10728293
    Abstract: Communicating media data over a communication system in which a first communication instance for a user of the communication system is implemented at a first user terminal, and a second communication instance for the user of the communication system is implemented at a second user terminal. The user is simultaneously logged into the communication system via: (i) the first communication instance at the first user terminal, and (ii) the second communication instance at the second user terminal. A media communication session is established between the first and second communication instances, wherein the media communication session is authenticated on the basis of the same user being simultaneously logged into the communication system via both the first and second communication instances. Media data is communicated in the media communication session from the first communication instance at the first user terminal to the second communication instance at the second user terminal.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: July 28, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventor: Matthew Hungerford
  • Patent number: 10721232
    Abstract: Systems and methods are provided for cloud-based coordination of customer premise service appliances. A system can include a cloud-based service platform, which includes a coordination server and a cloud-based service appliance, and an on-premise service appliance. The coordination server is configured to establish a service session, select a service appliance, and control a sequence of operations on the selected service appliance. Establishing the service session can include establishing a service session with a first client in response to a service request received from the first client, the first client associated with an account including a service policy. Selecting the service appliance can include selecting the cloud-based service appliance or the on-premise service appliance, based on the service policy, to handle the service request.
    Type: Grant
    Filed: July 12, 2016
    Date of Patent: July 21, 2020
    Assignee: DocuSign, Inc.
    Inventors: Donald Grant Peterson, Eric Fleischman
  • Patent number: 10713369
    Abstract: The disclosure provides a method and device for access control. The method includes: when a group of tasks is executed, controlling access of a subject to an object according to the operation permission corresponding to each of the tasks in the group. The device comprises a control component arranged to, when a group of tasks is executed, control access of a subject to an object according to the operation permission corresponding to each of the tasks in the group.
    Type: Grant
    Filed: April 17, 2015
    Date of Patent: July 14, 2020
    Assignee: ZTE CORPORATION
    Inventors: Yao Tong, Yihui Peng
  • Patent number: 10708256
    Abstract: A certificate manager allows a particular entity such as an individual computer system, computer application, or network service, to define a customized set of rules that are used to identify digital certificates that are trusted by the particular entity. When a digital certificate is presented to the entity, the certificate manager determines whether the digital certificate is trustworthy by examining the characteristics of the certificate such as the expiration of the certificate, the characteristics of the certificate authorities that signed the digital certificate, or the signing algorithms used to generate the digital signatures on the certificate. The certificate manager may be combined with trusted root CA stores, pinned certificate stores, and other certificate management systems to define a customized set of potentially trusted certificates based on the characteristics of the particular entity.
    Type: Grant
    Filed: October 13, 2015
    Date of Patent: July 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: David James Kane-Parry, David Alan Blunt
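    The certificate manager described above is a per-entity policy evaluated over certificate characteristics, combined with a pinned store. The block below is an added example of that shape and is not the patent's or Amazon's code: each rule inspects one characteristic (validity window, issuing CA, signature algorithm, key size, total lifetime), a pinned fingerprint short-circuits the rules, and the result names every rule that failed rather than a bare boolean. The rule set, the policy fields, the sample policy and the certificate summaries (dicts, not parsed X.509) are all this example's assumptions.

```python
from datetime import datetime, timedelta, timezone

WEAK_SIGNATURE_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def rule_within_validity(cert, policy, now):
    return cert["not_before"] <= now < cert["not_after"]


def rule_issuer_permitted(cert, policy, now):
    # A characteristic of the signing CA: only issuers this entity has opted into.
    return cert["issuer"] in policy["permitted_issuers"]


def rule_signature_algorithm(cert, policy, now):
    return cert["signature_algorithm"] not in WEAK_SIGNATURE_ALGORITHMS


def rule_key_size(cert, policy, now):
    return cert["key_bits"] >= policy["min_key_bits"]


def rule_validity_period(cert, policy, now):
    # Assumed policy knob: refuse certificates with an unusually long lifetime.
    return cert["not_after"] - cert["not_before"] <= timedelta(days=policy["max_validity_days"])


RULES = (rule_within_validity, rule_issuer_permitted, rule_signature_algorithm,
         rule_key_size, rule_validity_period)


def evaluate_trust(cert, policy, now=None):
    """Return (trusted, names_of_failed_rules). A fingerprint in the entity's pinned set
    short-circuits the rules, which is how a pinned store composes with rule-based
    trust here; anything else must satisfy every rule in the entity's policy."""
    now = now or datetime.now(timezone.utc)
    if cert["fingerprint"] in policy.get("pinned", ()):
        return True, []
    failed = [rule.__name__ for rule in RULES if not rule(cert, policy, now)]
    return not failed, failed


# Constructed sample data: one entity's policy and a few certificate summaries.
POLICY_API_CLIENT = {
    "permitted_issuers": {"Example Internal CA G2", "Example Public Root X1"},
    "min_key_bits": 2048,
    "max_validity_days": 398,
    "pinned": set(),
}
NOW = datetime(2020, 9, 1, tzinfo=timezone.utc)
LATER = datetime(2022, 3, 1, tzinfo=timezone.utc)
GOOD_CERT = {
    "fingerprint": "aa11",
    "issuer": "Example Internal CA G2",
    "signature_algorithm": "sha256WithRSAEncryption",
    "key_bits": 2048,
    "not_before": datetime(2020, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2021, 1, 1, tzinfo=timezone.utc),
}
SHA1_CERT = dict(GOOD_CERT, fingerprint="bb22", signature_algorithm="sha1WithRSAEncryption")
UNKNOWN_CA_CERT = dict(GOOD_CERT, fingerprint="cc33", issuer="Some Other CA")
LONG_LIVED_CERT = dict(GOOD_CERT, fingerprint="dd44",
                       not_after=datetime(2025, 1, 1, tzinfo=timezone.utc))
POLICY_WITH_PIN = dict(POLICY_API_CLIENT, pinned={"cc33"})
```

    Returning the list of failed rules matters operationally: it is what lets a rollout of a stricter policy be run in report-only mode against live traffic before it starts rejecting connections. The pin short-circuit is deliberately the only override; a pinned certificate that has expired or uses SHA-1 is still accepted here, so pins need their own expiry review rather than being treated as permanent.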
  • Patent number: 10708307
    Abstract: Certain embodiments provide means for managing automated access to computers, e.g., using SSH user keys and other kinds of trust relationships. Certain embodiments also provide for managing certificates, Kerberos credentials, and cryptographic keys. Certain embodiments provide for remediating legacy SSH key problems and for automating configuration of SSH keys, as well as for continuous monitoring.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: July 7, 2020
    Assignee: SSH Communications Security OYJ
    Inventor: Tatu J. Ylonen
  • Patent number: 10706139
    Abstract: A system and method for authenticating an additively manufactured component are provided. The method includes locating an identifying region on the component which may be positioned at a predetermined location relative to an identifiable datum feature. The identifying region may be scanned to determine a component identifier of the component. A reference identifier may be obtained from a database and compared to the component identifier to determine whether the component is authentic.
    Type: Grant
    Filed: April 5, 2017
    Date of Patent: July 7, 2020
    Assignee: GENERAL ELECTRIC COMPANY
    Inventors: Scott Alan Gold, Thomas Graham Spears
  • Patent number: 10685122
    Abstract: A computer-implemented method for protecting a kernel for secure boot of an operating system includes preparing a kernel component with a signature for a secure boot. A processing unit modifies a machine owner key (MOK) file to include a trusted certificate. The MOK is separate from the kernel file. The processing unit validates the kernel component using a modified Grub file, a modified Shim file, and the MOK, and executes a secure boot using the validated kernel component. The kernel is unchanged by the secure boot process. The kernel component that is protected may be either a program executable (PE) file or a non-PE file.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: June 16, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pu Liu, Timothy V. Bolan, Patrick J. Callaghan
  • Patent number: 10686779
    Abstract: Disclosed is a computer-implemented method for establishing a secure connection between two electronic computing devices which are located in a network environment, the two electronic computing devices being a first computing device offering the connection and a second computing device designated to accept the connection, the method comprising executing, by at least one processor of at least one computer, a connection-establishing application for exchanging an information packet between the first computing device and the second computing device comprising a secret usable for establishing the connection, and evaluating a response from the second computing device for establishing the secure connection.
    Type: Grant
    Filed: January 29, 2018
    Date of Patent: June 16, 2020
    Assignee: BEAME.IO LTD.
    Inventors: Zeev Glozman, Markus Neff
  • Patent number: 10679036
    Abstract: An electronic apparatus includes an authenticator configured to identify registered finger information that coincides with detected finger information by matching the detected finger information with the plurality of registered finger information in a predetermined order, an executor configured to execute a function corresponding to the registered finger information identified by the authenticator, a user identifier configured to identify the actual user among the plurality of registered users by acquiring user identification information representing the actual user or by performing a determination process configured to determine the actual user, and a controller configured to change the predetermined order according to the actual user identified by the user identifier.
    Type: Grant
    Filed: July 6, 2017
    Date of Patent: June 9, 2020
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Toshimune Nagano
  • Patent number: 10671733
    Abstract: A blockchain of transactions may be referenced for various purposes and may be later accessed by interested parties for ledger verification or information retrieval. One example method of operation may include one or more of receiving an access request from a requesting device for access to an encryption key associated with a user device, broadcasting the request to peer nodes for approval or disapproval, storing a transaction to a blockchain indicating the approval or disapproval of the request for access to the encryption key, and providing access to the encryption key when the approval is indicated.
    Type: Grant
    Filed: May 19, 2017
    Date of Patent: June 2, 2020
    Assignee: International Business Machines Corporation
    Inventors: Ronald B. Baker, Ravid Sagy
  • Patent number: 10671320
    Abstract: A clustered storage system in one embodiment comprises a plurality of nodes, with each of at least a subset of the nodes comprising a set of processing modules configured to communicate over one or more networks with corresponding sets of processing modules on other ones of the nodes. In conjunction with a failure of a first instance of a process running on a given one of the nodes and a subsequent restart of a second instance of the process, at least one of the processing modules is to identify at least one transfer buffer command of the first instance of the process, to identify a plurality of logically ordered commands of the first instance of the process, and to provide distinct treatment of the transfer buffer command relative to treatment of the logically ordered commands in a manner that ensures that the restart of the second instance of the process is not delayed to await completion of the transfer buffer command or the logically ordered commands.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: June 2, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Hillel Costeff, Lior Kamran, Zvi Schneider, Anton Kucherov
  • Patent number: 10664198
    Abstract: Provided are a computer program product, system, and method for sharing alias addresses among logical devices for a control unit managing access by hosts to logical devices configured with capacity from attached physical devices. An alias management group of logical devices and alias addresses assigned to the logical devices is configured. A plurality of requests to establish an association of the host with a logical device and the alias addresses assigned to the logical devices in the alias management group are received from a host. Acknowledgment is made to the host that the association is established in response to determining that the host is assigned the logical devices and alias addresses of the logical devices in the alias management group. The host can use one available alias address assigned to any one of the logical devices to access any one of the logical devices indicated in the association.
    Type: Grant
    Filed: June 19, 2019
    Date of Patent: May 26, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Scott B. Compton, Matthew R. Craig, Clint A. Hardy, Matthew J. Kalos, Dale F. Riedy, Richard A. Ripberger, Harry M. Yudenfriend
  • Patent number: 10666446
    Abstract: In an embodiment, a computer-implemented method comprises, receiving, at a first server, a plurality of certificates and an inventory list and storing the plurality of certificates and the inventory list in a blockchain; receiving, at a second server associated with the blockchain, a validation request from a device and validating the device; in response to validating the device, receiving, at the second server, a certificate request from the device and verifying the certificate request against the inventory list stored in the blockchain; and in response to verifying the certificate request, enrolling the device by sending a certificate from the plurality of certificates stored in the blockchain to the device.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: May 26, 2020
    Assignee: Xage Security, Inc.
    Inventors: Susanto Junaidi Irwan, Ganesh B. Jampani, Andy Sugiarto, Jeffrey Charles Venable, Sr., Roman Arutyunov
  • Patent number: 10666641
    Abstract: A mechanism for providing secure feature and key management in integrated circuits is described. An example method includes receiving, by a root authority system, data identifying a command that affects operation of an integrated circuit, signing, by the root authority system, the command using a root authority key to create a root signed block (RSB), and providing the RSB to a security manager of the integrated circuit.
    Type: Grant
    Filed: September 21, 2018
    Date of Patent: May 26, 2020
    Assignee: CRYPTOGRAPHY RESEARCH, INC.
    Inventors: Paul Carl Kocher, Benjamin Che-Ming Jun, Andrew John Leiserson
  • Patent number: 10664573
    Abstract: Apparatuses, methods and storage media associated with managing a computing platform in view of an expiration date are described herein. In embodiments, an apparatus may include a computing platform that includes one or more processors to execute applications; and a trusted execution environment that includes a tamper-proof storage to store an expiration date of the computing platform, and a firmware module to be operated in a secure system management mode to regulate operation of the computing platform in view of at least whether a current date is earlier than the expiration date. Other embodiments may be described or claimed.
    Type: Grant
    Filed: June 17, 2015
    Date of Patent: May 26, 2020
    Assignee: Intel Corporation
    Inventors: Jiewen Yao, Vincent J. Zimmer, Rajesh Poornachandran
  • Patent number: 10666637
    Abstract: A certificate manager for a multi-tenant environment can be authorized to automatically renew a certificate for a customer of the environment. Prior to the end of the validity period of the certificate, the certificate manager can obtain a new certificate on behalf of the customer and notify the customer that the certificate is ready to be deployed. The certificate will not be deployed until the customer releases the hold on the certificate. If no such instruction is received, notifications can be sent to the customer about the upcoming end of the validity period, and those notifications can be sent with increasing frequency. If no notification is received before the validity period is to expire, the certificate manager can automatically deploy the certificate to ensure that a valid certificate remains in place for the customer on the associated resource(s).
    Type: Grant
    Filed: December 14, 2015
    Date of Patent: May 26, 2020
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Todd Lawrence Cignetti, Preston Elder
  • Patent number: 10664599
    Abstract: A computer-implemented method for protecting a kernel for secure boot of an operating system includes preparing a kernel component with a signature for a secure boot. A processing unit modifies a machine owner key (MOK) file to include a trusted certificate. The MOK is separate from the kernel file. The processing unit validates the kernel component using a modified Grub file, a modified Shim file, and the MOK, and executes a secure boot using the validated kernel component. The kernel is unchanged by the secure boot process. The kernel component that is protected may be either a program executable (PE) file or a non-PE file.
    Type: Grant
    Filed: May 1, 2017
    Date of Patent: May 26, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Pu Liu, Timothy V. Bolan, Patrick J. Callaghan
  • Patent number: 10652226
    Abstract: The various embodiments described herein include methods, devices, and systems for providing secure access to network resources. In one aspect, a method is performed at a trust broker system. The method includes: (1) receiving, from a client system, a request to access network applications and resources hosted by a server system; (2) identifying a domain providing the requested network applications and resources; (3) determining whether the client system is authorized to access the domain; (4) identifying a particular server containing the domain; (5) identifying a proxy server assigned to the particular server; and (6) in accordance with a determination that the client system is authorized to access the domain: (a) transmitting an identification value for the client system to the identified proxy server; and (b) after transmitting the identification value to the identified proxy server, transmitting, to the client system, contact information for connecting to the identified proxy server.
    Type: Grant
    Filed: March 10, 2017
    Date of Patent: May 12, 2020
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Junaid Islam, Brent Bilger, Ted Schroeder
  • Patent number: 10645074
    Abstract: A method for monitoring access of users to Internet SaaS applications includes the CISO (company Internet security office) in the configuration and operation of the method, instead of relying only on whatever security the SaaS application implements. Certificates, not accessible to users, are pushed to a user's client. When an access request is received from a client by an application, a gateway requests from the client the certificate. After a notification and approval process with the user, a received certificate is verified, user access to the application is allowed or denied, and the CISO notified of the attempted access.
    Type: Grant
    Filed: March 28, 2017
    Date of Patent: May 5, 2020
    Assignee: CHECK POINT SOFTWARE TECHNOLOGIES LTD.
    Inventors: Alon Boxiner, Liad Mizrachi, Oded Vanunu, Roman Zaikin, Yoav Shay Daniely
  • Patent number: 10642969
    Abstract: In one embodiment, a security provisioning service automatically establishes trust in a device. Upon receiving a provisioning request, a security provisioning service identifies a verification item that is associated with the provisioning request. The security provisioning service performs one or more verification operations based on the provisioning request to determine whether the provisioning request is authorized. If the provisioning request is authorized, then the provisioning service establishes a verifiable identification for the device that is assured by the secure provisioning service and then executes the provisioning request. By automatically performing the verification operations to establish trust in the device, the provisioning service eliminates manual identification assurance operations that are performed as part of a conventional security provisioning process.
    Type: Grant
    Filed: September 5, 2018
    Date of Patent: May 5, 2020
    Assignee: VERISIGN, INC.
    Inventors: Stephen D. James, Andrew Fregly, Andrew Cathrow
  • Patent number: 10637966
    Abstract: The disclosed technology is generally directed to device certification in an IoT environment. For example, such technology is usable in managing relationships between IoT devices and an IoT Hub. In one example of the technology, an IoT Hub receives a registration request. Next, the IoT Hub sends a registration verification to the IoT device. Next, the IoT Hub receives a ping from the IoT device. Next, the IoT Hub sends a response to the ping to the IoT device. Next, the IoT Hub receives verification of a validation of a log file output by a device based on running a plurality of unit tests on a device with a software development kit. Next, the IoT Hub automatically sends code to the IoT device.
    Type: Grant
    Filed: March 21, 2019
    Date of Patent: April 28, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hector Garcia Tellado, Dan Calin Cristoloveanu, Samuel John George
  • Patent number: 10637663
Abstract: A group structure preserving signature system that can be applied to groups based on symmetric bilinear mapping, that reduces the signature length, and that enables efficient computation of verification equations is provided. At least, information indicating p, G1, G2, GT, e, g1, and g2, information needed to obtain e(hu, hv), and data that includes gs, hs, gt, ht, {g1, h1}, . . . , {gK, hK} are held as a public key vk, and data that includes vk, ?s, ?s, ?t, ?t, ?u, ?v, {?1, ?1}, . . . , {?K, ?K} are held as a secret key sk. A signature device selects ? and ? at random from integers between 0 and p−1, both inclusive, obtains w, s, t, and r, and generates, as a signature ?, data that includes w, s, t, and r. A verification device verifies the signature ? by using two verification equations.
    Type: Grant
    Filed: January 18, 2013
    Date of Patent: April 28, 2020
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventor: Masayuki Abe
  • Patent number: 10630784
    Abstract: Facilitation of secure network traffic over an application session by an application delivery controller is provided herein. A method for secure network traffic transmission over an application session may include receiving, from a client device, a SYN data packet intended for an application server. The method may continue with determining, based on the SYN data packet, that the client device is a trusted source. The method may further include transmitting, based on the determination that the client device is the trusted source, a SYN/ACK packet to the client device. The SYN/ACK packet may include information for the client device to authenticate the client device to the application server directly as the trusted source.
    Type: Grant
    Filed: July 3, 2018
    Date of Patent: April 21, 2020
    Assignee: A10 Networks, Inc.
    Inventors: Rajkumar Jalan, Gurudeep Kamat
  • Patent number: 10630489
Abstract: An apparatus and a method for managing user identity, the method comprising: establishing a connection secured with Transport Layer Security (TLS) from a client device to an IRP server; authenticating, at the IRP server, user login via the client device, with Strong Client Authentication (SCA) or Username/Password Authentication (UPA); upon request from the client device, registering or retrieving at the IRP server user identity information comprising user information, and an Internet Protocol (IP) address of the client device; upon request from the client device, registering or retrieving at the IRP server one or more digital certificates; sending from the client device to the IRP server a Certificate Signing Request (CSR) via the secured connection; upon request from the client device, returning a signed digital certificate from the IRP server to the client device; sending a PKCS #12 package from the client device to the IRP server; and upon request from the client device, returning a PKCS #12 package from t
    Type: Grant
    Filed: January 15, 2016
    Date of Patent: April 21, 2020
    Assignee: SIXSCAPE COMMUNICATIONS PTE LTD.
    Inventor: Lawrence Hughes
  • Patent number: 10621319
Abstract: Utilizing multimedia content in a digital signature to facilitate authentication. A message requester public key is received from a message requester. A digital certificate is generated containing the message requester public key. Multimedia content identifying the message requester is retrieved. The multimedia content is inserted into the digital certificate. A message digest is generated from the digital certificate including the multimedia content. The message digest and the included multimedia content are encrypted with a certificate authority private key to generate a digital signature. A certificate authority public key is retrieved. The digital certificate, including the digital signature and the certificate authority public key, is transmitted to a message owner.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: April 14, 2020
    Assignee: International Business Machines Corporation
    Inventors: Rinkesh I. Bansal, Sanjay B. Panchal, Chintan Thaker, Vinod A. Valecha
  • Patent number: 10616196
    Abstract: User authentication techniques are provided for multiple authentication sources and for non-binary authentication decisions. An authentication request is received from an application server to authenticate a user for access to a protected resource. Pre-flow rules and the authentication request are evaluated to dynamically determine a plurality of authentication servers to invoke for the authentication request and an order for the invocation. A first authentication server is contacted to obtain a first authentication result for the user. In-flow rules and the first authentication result are evaluated to determine if additional authentication of the user should be performed. A second authentication server is contacted based on the determined invocation order and/or a result of the in-flow rules to obtain a second authentication result for the user. Decision rules and the first and second authentication results are evaluated to determine an authentication decision.
    Type: Grant
    Filed: September 24, 2015
    Date of Patent: April 7, 2020
    Assignee: EMC IP Holding Company LLC
    Inventors: Anton Khitrenovich, Oleg Freylafert
  • Patent number: 10616189
    Abstract: A non-transitory computer-readable storage medium comprising instructions stored thereon. When executed by at least one processor, the instructions may be configured to cause a computing system to at least receive a message, the message including a header, an encrypted symmetric key, and an encrypted body, decrypt the encrypted symmetric key using a private key to generate a decrypted symmetric key, decrypt the encrypted body using the decrypted symmetric key to generate a decrypted body, and store the header, the decrypted symmetric key, and the decrypted body in long-term storage.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: April 7, 2020
    Assignee: GOOGLE LLC
    Inventors: Laetitia Baudoin, Brian Goodman
  • Patent number: 10609056
Abstract: Embodiments include methods, systems and computer program products for online presence interaction using a behavioral certificate. The computer-implemented method includes monitoring, using a processor, one or more online presence interactions by one or more users. The processor determines whether a behavioral certificate exists for the online presence. The processor cross-references one or more authorized inputs, outputs or actions for the online presence based at least in part on the existence of a behavioral certificate for the online presence. The processor transmits the behavioral certificate, wherein the behavioral certificate advises the one or more users how to interact with the online presence.
    Type: Grant
    Filed: May 26, 2017
    Date of Patent: March 31, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Al Chakra, Liam Harpur, Sumit Patel, John Rice
  • Patent number: 10601978
    Abstract: A secure component of a telecommunication device is described herein. The secure component is configured to determine that a threshold amount of time has passed since reception of a heartbeat communication from a remote telecommunication server. In response to determining that the threshold amount of time has passed, the secure component performs at least one of preventing access to one or more services of the telecommunication device or deleting user data from the telecommunication device.
    Type: Grant
    Filed: June 4, 2014
    Date of Patent: March 24, 2020
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Mosher, Ahmad Arash Obaidi, Eric W. Yocam
  • Patent number: 10601812
    Abstract: A system and method for transmitting user credentials to another device. According to some embodiments, a method is described of receiving into a first portable electronic device a set of credentials from a user, the set of credentials to include a WLAN SSID and a network key, the set of credentials to allow the first device to connect to the WLAN. The set of credentials is used to connect the first device to the WLAN. The first device creates a message for wireless transmission, the message includes the set of credentials for accessing the WLAN and is adapted to be delivered to a second device. Finally, the first device transmits the message over the air, wherein the message is addressed to the second device. The second device receives the message and uses the credentials in the message to connect to the WLAN. Other embodiments are also described.
    Type: Grant
    Filed: May 30, 2017
    Date of Patent: March 24, 2020
    Assignee: ADVANCED MESSAGING TECHNOLOGIES, INC.
    Inventor: Adam Zucker
  • Patent number: 10592129
    Abstract: Provided are a computer program product, system, and method for sharing alias addresses among logical devices by a host accessing logical devices provisioned with a capacity from physical devices managed by a control unit. The host establishes with the control unit an association of logical devices and alias addresses assigned to the logical devices, wherein the alias addresses are associated with an alias management group. Alias address pool information is generated indicating each of the logical devices and their assigned alias addresses indicated in the association. The host uses from the alias address pool information any one of the alias addresses in the alias address pool information to access any of the logical devices associated with the same alias management group as the alias address.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: March 17, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Scott B. Compton, Matthew R. Craig, Clint A. Hardy, Matthew J. Kalos, Dale F. Riedy, Richard A. Ripberger, Harry M. Yudenfriend
  • Patent number: 10587607
    Abstract: There is provided an information processing apparatus including a memory that retains a first secret key corresponding to a first public key, and a processor that requests a change of a usage state of a second public key registered by a second apparatus in a first apparatus that retains a public key corresponding to a secret key from the first apparatus according to authentication using the first public key associated with the second public key and the first secret key.
    Type: Grant
    Filed: September 11, 2014
    Date of Patent: March 10, 2020
    Assignee: SONY CORPORATION
    Inventors: Yu Tanaka, Taizo Shirai, Yohei Kawamoto, Koichi Sakumoto