By Certificate Patents (Class 713/156)
  • Patent number: 10587582
    Abstract: Disclosed are various approaches for implementing certificate pinning in a tunnel client on a client device. A tunnel client receives a connection request from an application executed by the client device to connect to a remote server. The tunnel client determines that the remote server corresponds to a known pinned host and then determines whether the remote server presents a certificate matching a pinned certificate for the known pinned host. If the presented certificate matches the pinned certificate, the tunnel client allows a connection to be established between the application and the remote server through a network tunnel between the tunnel client and a tunnel server.
    Type: Grant
    Filed: May 15, 2017
    Date of Patent: March 10, 2020
    Assignee: VMWARE, INC
    Inventor: Jonathon Deriso
  • Patent number: 10588005
    Abstract: A collection of wearable communicating devices generates signals that may be detected and analyzed to produce a fingerprint of the collection of wearable devices. An analysis unit may recognize patterns or other information in detected signals and generate a fingerprint of a body area network corresponding to the collection of wearable devices. The fingerprint may be a fuzzy fingerprint, matchable with a fingerprint of a similar, but not necessarily identical, collection of wearable devices that has been previously generated or obtained. The fingerprint may be used for tracking or other purposes. Some embodiments may allow the generation of additional signals that modify the fingerprint.
    Type: Grant
    Filed: September 26, 2014
    Date of Patent: March 10, 2020
    Assignee: McAfee, LLC
    Inventors: Igor Muttik, Martin Stecher
  • Patent number: 10587603
    Abstract: Method for enabling zero sign-on (ZSO) through a standard web browser. The device running the browser is first enrolled with a web service using an installed enrollment agent on the device which authenticates a user of the device. After authentication, the enrollment agent stores a device profile that includes a user certificate for the user and an authority certificate issued by said web service. The device profile is stored at a device location accessible by each of the web browsers used by said device. The enrollment agent configures each of the web browsers on the device to respond correctly to ZSO certificate challenges from the web service. Once enrolled, the device's web browsers can respond correctly to a ZSO Uniform Resource Locator (URL) certificate challenge received from the web service. After a successful response to the challenge, the browser is granted a secure socket layer (SSL) connection.
    Type: Grant
    Filed: August 18, 2016
    Date of Patent: March 10, 2020
    Assignee: IDAPTIVE, LLC
    Inventors: Anil Lingamallu, Nate Yocom, Paul Moore, Fei Chen
  • Patent number: 10586027
    Abstract: A method for sharing a cross-platform account resource is described. An authentication request carrying a user name, a password, and an ID of an APP resource server is transmitted to an account management server, based on a register account on the account management server; an authentication ticket corresponding to the APP resource server is received from the account management server, and the authentication ticket is stored, in which the authentication ticket carries a user ID, an authorization key and a refresh key; a resource request is transmitted to the APP resource server, based on the user ID and the authorization key in the authentication ticket; an APP resource is received from the APP resource server, after the APP resource server requests the account management server to verify the authentication ticket by using the user ID and the authorization key.
    Type: Grant
    Filed: August 8, 2017
    Date of Patent: March 10, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Hongfei Zhou, Jia Li
  • Patent number: 10581619
    Abstract: A certificate management method, a device, and a system relate to the communications field and for certificate management are used to resolve a problem that communication security of a virtual network system is degraded because after a virtualized network function (VNF) instance is terminated in the virtual network system, a private key corresponding to a certificate of the VNF instance may be illegally obtained by an attacker to forge an identity of the VNF instance. A specific solution includes obtaining, by a first device, a certificate identifier of a first instance, and updating certificate status information of the first instance to a revocation state according to the certificate identifier of the first instance, or sending, by the first device, a first request message to a second device, where the first request message requests to revoke a certificate of the first instance.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: March 3, 2020
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chengyan Feng, Jiangsheng Wang
  • Patent number: 10581847
    Abstract: A blockchain is used to track chain of custody associated with devices and user entities associated with those devices. In an embodiment, an identity engine traverses a blockchain to determine one or more transactions associated with a device and, in some cases, one or more users of that device. Based at least in part on the content of an authentication or provisioning request and that of the chain of custody, the identity engine provisions the device for a given user.
    Type: Grant
    Filed: September 27, 2016
    Date of Patent: March 3, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Nicholas Sun, Damian Finol Correa, Yunlong Liu
  • Patent number: 10574645
    Abstract: A per-resource user authority management unit that manages user authorities per resource, a user authority refinement unit that refines authorities linked to a user by the per-resource user authorities, and an authority verification unit that determines whether execution of processing with respect to a resource is permitted by using an authority that has been refined by the user authority refinement unit are provided.
    Type: Grant
    Filed: November 16, 2017
    Date of Patent: February 25, 2020
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yu Tamura
  • Patent number: 10567370
    Abstract: A protocol for issuing and controlling digital certificates is described in which an identity management system is used to identify a user requesting a digital certificate and is also used to issue the digital certificate itself. Accordingly, an IDM-based PKI system is provided.
    Type: Grant
    Filed: April 20, 2018
    Date of Patent: February 18, 2020
    Assignee: NOKIA SOLUTIONS AND NETWORKS OY
    Inventors: Robert Seidl, Norbert Goetze, Markus Bauer-Hermann
  • Patent number: 10567404
    Abstract: Aspects of the present disclosure relate to computer system security. A machine accesses a set of records corresponding to a set of users having access to a computer system. The machine stores, for each user in the set of users, a baseline profile representing baseline activity of the user with respect to a set of data sources of the computer system. The machine monitors activity of the set of users with respect to the set of data sources. The machine determines, based on monitoring the activity of the set of users, that a user action of a specified user, with respect to one or more data sources from the set of data sources, is anomalous relative to the baseline profile of the specified user. The machine provides a digital transmission representing the anomalous user action.
    Type: Grant
    Filed: March 20, 2019
    Date of Patent: February 18, 2020
    Assignee: Palantir Technologies Inc.
    Inventors: Nomi Becker, Isaac Smitley
  • Patent number: 10560274
    Abstract: Methods and systems are provided for demonstrating authorization to access a resource to a verifier computer controlling access to the resource. The method comprises, at a user computer, storing an attribute credential certifying a set of attributes; and communicating with a revocation authority computer to obtain an auxiliary credential, bound to the attribute credential, certifying a validity status for each attribute in the attribute credential. The method further comprises, at the user computer, communicating with the verifier computer to prove possession of the attribute credential and the auxiliary credential such that the verifier computer can determine whether at least one attribute in the attribute credential, certified as valid by the auxiliary credential, satisfies an access condition for the resource.
    Type: Grant
    Filed: June 9, 2016
    Date of Patent: February 11, 2020
    Assignee: International Business Machines Corporation
    Inventors: Jan Camenisch, Daniel Kovacs, Kai Samelin, Dieter M. Sommer
  • Patent number: 10554420
    Abstract: A method and apparatus for establishing a wireless connection. A digital certificate having a second name is obtained by a processor unit in response to receiving a selection of a network using a first name broadcast by a wireless access point. A determination is made by the processor unit as to whether the digital certificate is valid. A determination is made by the processor unit as to whether the second name in the digital certificate matches the first name broadcast by the wireless access point. The processor unit establishes the wireless connection to the wireless access point in response to the digital certificate being valid and the second name in the digital certificate matching the first name broadcast by the wireless access point.
    Type: Grant
    Filed: January 22, 2018
    Date of Patent: February 4, 2020
    Assignee: International Business Machines Corporation
    Inventors: Thomas J. Cross, David B. Dewey, Takehiro Takahashi
  • Patent number: 10536271
    Abstract: Systems and methods are disclosed for generating one or more hardware reference keys (HRK) on a computing device, and for attesting to the validity of the hardware reference keys. An initial hardware reference key can be a silicon attestation key (SIK) generated during manufacture of a computing system, such as a system-on-a-chip. The SIK can comprise an asymmetric key pair based at least in part on an identifier of the processing system type and a unique identifier of the processing system. The SIK can be signed by the computing system and stored thereon. The SIK can be used to generate further HRKs on the computing device that can attest to the processing system type of the computing device and an operating system version that was running when the HRK was generated. The computing device can generate an HRK attestation (HRKA) for each HRK generated on the computing system.
    Type: Grant
    Filed: February 16, 2017
    Date of Patent: January 14, 2020
    Assignee: Apple Inc.
    Inventors: Thomas P. Mensch, Conrad Sauerwald, Jerrold V. Hauck, Timothy R. Paaske, Zhimin Chen, Andrew R. Whalley
  • Patent number: 10530587
    Abstract: A system and method for efficient certificate authentication management and distribution of large, web scale authentication information. The method includes receiving at a server, security certificate information, said security certificate including a unique certificate identifier. A structured data source, such as an XML file or database is encoded with a unique record for each possible security certificate using the record ID as the security certificate ID. Each unique record includes a record of four bits or less. Owing to the small size of the data source, large amounts of security certificates may be managed and distributed efficiently over a network to one or more private gateways allowing for large scale certificate authentication.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: January 7, 2020
    Assignee: OpenVPN Technologies, Inc.
    Inventors: Francis Dinha, James Yonan
  • Patent number: 10530797
    Abstract: Embodiments include methods, systems and computer program products for online presence interaction using a behavioral certificate. The computer-implemented method includes monitoring, using a processor, one or more online presence interactions by one or more users. The processor determines whether a behavioral certificate exists for the online presence. The processor cross-references one or more authorized inputs, outputs or actions for the online presence based at least in part on an existence of a behavioral certificate for the online presence. The processor transmits the behavioral certificate, wherein the behavioral certificate advises the one or more users how to interact with the online presence.
    Type: Grant
    Filed: November 13, 2017
    Date of Patent: January 7, 2020
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Al Chakra, Liam Harpur, Sumit Patel, John Rice
  • Patent number: 10530581
    Abstract: A method may include obtaining a common reference string. The method may further include obtaining a first public key for a first party and a second public key for a second party. The method may also include obtaining a first encrypted message, the first encrypted message encrypted using the first public key. The method may further include obtaining a second encrypted message, the second encrypted message encrypted using the second public key. The method may also include obtaining a proof. The method may further include verifying, using the proof, the common reference string, the first public key, and the second public key, that a decryption of the first encrypted message and a decryption of the second encrypted message are equivalent without decrypting the first encrypted message and without decrypting the second encrypted message.
    Type: Grant
    Filed: September 8, 2017
    Date of Patent: January 7, 2020
    Assignee: FUJITSU LIMITED
    Inventors: Avradip Mandal, Arnab Roy, Hart Montgomery
  • Patent number: 10516543
    Abstract: A first entity and a second entity establish a protected authenticated communication channel using an implicit certificate issued by a certificate authority. In some examples, the implicit certificate is generated based at least in part on the ring learning with errors (“RLWE”) problem. Using the implicit certificate, the first entity and the second entity exchange information that enables the entities to negotiate a shared secret. The shared secret may be used to establish a cryptographically protected communication channel. Successful use of the shared secret authenticates the identity of the first entity and the second entity.
    Type: Grant
    Filed: May 8, 2017
    Date of Patent: December 24, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Matthew John Campagna, Marguerite Marie Nathalie Delcourt
  • Patent number: 10503881
    Abstract: Systems for secure provisioning and management of computerized devices. The system may include a distributor appliance that is communicatively connected to the computerized device, and that is operable to receive a digital asset and to load the digital asset into the computerized device. It may also include a digital asset management system that is connected via a first secure communication channel to the distributor appliance, and that is operable to generate and conditionally transmit the digital asset to the distributor appliance; and a provisioning controller that is connected via a second secure communication channel to the distributor appliance and is connected via a third secure communication channel to the digital asset management system, and that is operable to direct the digital asset management system to transmit the digital asset to the distributor appliance. The computerized device is not fully functional before the digital asset is loaded into it.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: December 10, 2019
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: William L. Lattin, David R. Sequino, Alan T. Meyer, Gregory A. Powell
  • Patent number: 10505916
    Abstract: Techniques are described for using two tokens to request access to a secure server. The tokens allow the server to verify, without an external call, that the requesting device is one identified in the request and that the requesting device is authorized by a trusted identity provider. A first token is an authentication token issued by the trusted identity provider and including a client device public key. The second token is a proof-of-possession token that is signed by a client device using a client device private key corresponding to the client device public key. The server obtains the client device public key from the authentication token, and then uses the client device public key to validate the proof-of-possession token. The authentication token can be re-used by a server creating its own proof-of-possession token for presentation to a second server to access a secure service on the second server.
    Type: Grant
    Filed: October 19, 2017
    Date of Patent: December 10, 2019
    Assignee: T-Mobile USA, Inc.
    Inventors: Michael Engan, Douglas McDorman, Senthil Kumar Mulluppadi Velusamy, Komethagan Subramaniam
  • Patent number: 10498536
    Abstract: A public key embedded in a scoped application can be used to permit a trusted application to access a scoped application. The scoped application can receive a request for access to an interface of the scoped application from the trusted application. The request can include a signed identifier that is signed using a private key corresponding to the public key. The signed identifier can be authenticated using the public key. The scoped application can also verify that the signed identifier matches an identifier of the trusted application. Responsive to the authentication and verification, the trusted application may be permitted to have access to the interface of the scoped application. The private key and the public key are generated at a customer service instance operated by a computing provider. The private key is not shared outside of the customer service instance.
    Type: Grant
    Filed: April 20, 2017
    Date of Patent: December 3, 2019
    Assignee: ServiceNow, Inc.
    Inventors: Clifton Santford Bate, Christopher J. Nanda, Gregory A. Krasnow
  • Patent number: 10498722
    Abstract: Methods, apparatus, systems and articles of manufacture to issue digital certificates are disclosed. An example apparatus includes a certificate issuer to communicate, from a first entity, a digital certificate to be signed with a request for identifiers, and a value receiver to receive, at the first entity, a first value uniquely identifying a second value from a second entity and, after a period for accepting identifiers has ended, receiving, at the first entity, the second value from the second entity, the certificate issuer to combine, at the first entity, the second value and a third value to generate a certificate identifier for the digital certificate and to issue the digital certificate with the certificate identifier.
    Type: Grant
    Filed: February 27, 2017
    Date of Patent: December 3, 2019
    Assignee: Trustwave Holdings Inc.
    Inventor: Timothy John Hollebeek
  • Patent number: 10484185
    Abstract: One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: November 19, 2019
    Assignee: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Patent number: 10484373
    Abstract: A biometric certification request authentication (BCRA) computing device is provided for authenticating a requestor undergoing a certificate signing request process. The BCRA computing device is communicatively coupled to a memory device.
    Type: Grant
    Filed: April 11, 2017
    Date of Patent: November 19, 2019
    Assignee: Mastercard International Incorporated
    Inventor: Manoneet Kohli
  • Patent number: 10476679
    Abstract: An example system for securely provisioning computerized devices of a plurality of tenants includes a Security Credential Management System (SCMS) host that is communicatively connected to the devices and is operable to receive provisioning requests from computerized devices needing certificates. Each provisioning request indicates a tenant identifier (ID) uniquely identifying a tenant of the plurality of tenants. The system also includes a virtual registration authority communicatively connected to the SCMS host and operable to transmit requests to SCMS backend components.
    Type: Grant
    Filed: November 14, 2018
    Date of Patent: November 12, 2019
    Assignee: INTEGRITY SECURITY SERVICES, INC.
    Inventors: Daniel R. Fynaardt, William L. Lattin, Gregory Powell
  • Patent number: 10476861
    Abstract: Systems and methods for characterizing a client apparatus on at least one server apparatus are provided. A first certificate is received in the event of a first request for a connection set-up from a server apparatus in a client apparatus. One or more predefined certificate parameters of the first certificate are stored as a set of characterization parameters in the client apparatus. Each further certificate from a server apparatus is checked that is received in the client apparatus in the event of a request for a further connection set-up, against the stored characterization parameter set. A request for a further connection set-up is accepted only if all of the predefined certificate parameters of the further certificate match all characterization parameters of the characterization parameter set.
    Type: Grant
    Filed: October 2, 2014
    Date of Patent: November 12, 2019
    Assignee: Siemens Aktiengesellschaft
    Inventors: Hendrik Brockhaus, Jens-Uwe Bußer, Steffen Fries, David von Oheimb
  • Patent number: 10475091
    Abstract: According to one embodiment of the present disclosure, a virtualized communication device dynamic provisioning system includes a computer-based set of instructions that are executed to generate a user interface for receiving selection of one or more virtualized communication devices. The instructions may then receive provisioning information associated with the selected virtualized communication devices from the user interface, and provision the virtualized communication devices in accordance with the received provisioning information to prepare and equip the virtualized communication devices according to the financial transaction.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: November 12, 2019
    Assignee: Level 3 Communications, LLC
    Inventor: Michael E. Feldpusch
  • Patent number: 10469462
    Abstract: An electronic device is provided. The electronic device includes at least one processor that is configured to execute a first application in an REE, to execute a second application in a TEE, and to execute an agent that performs data transmission between the first application and the second application, a communication circuit configured to communicate with a server, and a secure memory area that is accessible by the TEE. The at least one processor is configured to obtain a random value from the server, to transmit a response message including the random value to the server through the communication circuit, to receive encrypted SIM data from the server, to obtain a SIM profile from the encrypted SIM data using a private key corresponding to the public key, and to store the obtained SIM profile in the secure memory area.
    Type: Grant
    Filed: May 1, 2017
    Date of Patent: November 5, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Soh Mann Kim, Sie Joon Cho
  • Patent number: 10469465
    Abstract: A cryptographic proxy service may be provided. Upon determining that data associated with a network destination comprises at least some sensitive data, a cryptographic service may provide a security certificate associated with the network destination. The plurality of data may be encrypted according to the security certificate associated with the network destination and provided to the cryptographic service for re-encryption and transmission to the network destination.
    Type: Grant
    Filed: February 22, 2017
    Date of Patent: November 5, 2019
    Assignee: VMware, Inc.
    Inventor: Erich Stuntebeck
  • Patent number: 10469467
    Abstract: The email attachment security system and method using out-of-band authentication allows a recipient to receive a secure digital file from a sender. The system server receives from the sender a send request, a digital file with a recipient's email address and phone number. The system server encrypts the digital file and sends an email to the recipient with a clickable link that, when clicked, initiates the out-of-band authentication by opening a customized webpage requesting the recipient verify the sender-provided recipient phone number. After verification, an authentication PIN is forwarded to the recipient's telephone via voice or text message. This authentication PIN is input at the customized webpage by the recipient to complete the authentication. Then the encrypted digital file (attached to the email in the first aspect) is decrypted and access to the digital file is provided to the authenticated recipient.
    Type: Grant
    Filed: August 26, 2016
    Date of Patent: November 5, 2019
    Assignee: Trustifi, LLC
    Inventor: Jean-Luc Cooke
  • Patent number: 10455420
    Abstract: To provide overall security to a utility management system, critical command and control messages that are issued to components of the system are explicitly approved by a secure authority. The explicit approval authenticates the requested action and authorizes the performance of the specific action indicated in a message. Key components of the utility management and control system that are associated with access control are placed in a physical bunker. With this approach, it only becomes necessary to bunker those subsystems that are responsible for approving network actions. Other management modules can remain outside the bunker, thereby avoiding the need to partition them into bunkered and non-bunkered components. Access to critical components of each of the non-bunkered subsystems is controlled through the bunkered approval system.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: October 22, 2019
    Assignee: ITRON NETWORKED SOLUTIONS, INC.
    Inventors: Raj Vaswani, Wilson Chuen Yew Yeung, Cristina Seibert, Nelson Bruce Bolyard, Benjamin N. Damm, Michael C. StJohns
  • Patent number: 10454690
    Abstract: Digital certificates include pointers to remote certificate information stores that maintain usage information associated with digital certificates. The pointers provide a mechanism for enabling the remote certificate information stores to be queried for usage information associated with a particular digital certificate. The usage information can be used to determine a validity of the digital certificate.
    Type: Grant
    Filed: August 4, 2017
    Date of Patent: October 22, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Stefan Popoveniuc, David Ripton, Alexandr Ukrainchik, Yuk-Chung Eric Kam, Mikhail Denisenko, Robert Eric Fitzgerald, Matthew Allen Estes, Tyler Eckstein
  • Patent number: 10454975
    Abstract: A computing resource service receives a request from a user to access a first computing resource. In response to the request, the computing resource service obtains policies applicable to the request. If the policies include at least one conditional policy that defines a dependency condition that is based at least in part on privileges for accessing a second computing resource, the service determines whether the dependency condition is satisfied. If the dependency condition is satisfied, the service evaluates the obtained policies to determine whether to fulfill the request.
    Type: Grant
    Filed: June 17, 2016
    Date of Patent: October 22, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Nima Sharifi Mehr
  • Patent number: 10445109
    Abstract: Techniques are disclosed to automate secure propagation of a configuration to a plurality of servers in a server cluster. For example, the techniques may include a method. The method may include receiving, at a first computing device, a first public key associated with a target computing device, the first computing device having an updated configuration. The method may further include encrypting, at the first computing device, the updated configuration using the first public key. The method may further include sending the encrypted configuration to the target computing device. The method may further include decrypting, at the target computing device, the encrypted configuration using a first private key associated with the target computing device, wherein the first public key and the first private key are a first keypair associated with the target computing device. The method may further include updating the target computing device with the updated configuration.
    Type: Grant
    Filed: August 16, 2016
    Date of Patent: October 15, 2019
    Assignee: DigiCert, Inc.
    Inventor: Alok Naik
  • Patent number: 10447478
    Abstract: A method is provided for delegating behavior of a smart contract associated with a blockchain to code that is not part of the blockchain. A system directs execution by a virtual machine of the smart contract. During execution of the smart contract, the smart contract sends to a cryptlet container service, via a cryptodelegate, a request to delegate a behavior to a cryptlet that executes on an attested host. During execution the cryptlet container service identifies a host for executing code of the cryptlet in an appropriate cryptlet container. The cryptlet container service directs the identified host to execute the code of the cryptlet to perform the delegated behavior. After the delegated behavior is performed, the cryptlet container service receives from the cryptlet a response to the requested behavior. The cryptlet container service sends the response to the smart contract on the blockchain that is verified by the cryptodelegate.
    Type: Grant
    Filed: October 18, 2016
    Date of Patent: October 15, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventor: John Marley Gray
  • Patent number: 10447701
    Abstract: An operating apparatus stores user information including authentication information of users permitted to use a process-carrying-out apparatus; acquires authentication information of a user of the process-carrying-out apparatus; in response, returns a state of the process-carrying-out apparatus from a power saving state into a normal state to carry out a process; carries out authentication of the user based on the authentication information of the user and the stored user information; if the authentication is not successful, requests the process-carrying-out apparatus to carry out authentication of the user; if any authentication is successful, permits the use of the process-carrying-out apparatus; and, if the use of the process-carrying-out apparatus is permitted, stores the authentication information of the permitted user.
    Type: Grant
    Filed: March 7, 2017
    Date of Patent: October 15, 2019
    Assignee: Ricoh Company, Ltd.
    Inventor: Shunsuke Yano
  • Patent number: 10447660
    Abstract: An apparatus includes a memory device that stores a set of instructions, and at least one processor that executes the instructions to perform control to cause a storage unit to store a digital certificate issued by a certification authority, release a public key whose validity is certified by the digital certificate and perform encrypted communication with an external apparatus using the public key, and transmit, to the certification authority, an acquisition request for revocation information about digital certificates in a case where a predetermined condition is satisfied.
    Type: Grant
    Filed: November 22, 2016
    Date of Patent: October 15, 2019
    Assignee: CANON KABUSHIKI KAISHA
    Inventor: Shaolong Li
  • Patent number: 10440541
    Abstract: A communication beacon including a calculation unit associated with a memory unit for data backup and with a clock circuit and a communication circuit, the beacon being supplied with power by a power supply unit. The communication circuit includes a first interface unit using a first protocol, at least one second interface unit using a second protocol, and an antenna connected to each of the interface units.
    Type: Grant
    Filed: July 21, 2015
    Date of Patent: October 8, 2019
    Assignee: The Swatch Group Research and Development Ltd
    Inventor: Zoran Randjelovic
  • Patent number: 10430558
    Abstract: An exemplary virtual reality media content access control system (“system”) selectively provides access to virtual reality media content for experiencing by a user of a media player client device (“client device”). In certain examples, the system detects a request from the client device to access an immersive virtual reality world that includes a virtual object assigned an access permissions profile, determines an access key and a device key associated with the request, validates the access key and the device key associated with the request, determines metadata associated with the access key, and selectively provides, based on the access permissions profile for the virtual object and on at least one of the device key associated with the request and the metadata associated with the access key, access to the virtual object for experiencing by the user of the client device as part of the immersive virtual reality world.
    Type: Grant
    Filed: April 28, 2016
    Date of Patent: October 1, 2019
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Denny Breitenfeld, Qian Su
  • Patent number: 10433167
    Abstract: There is provided an information processing device including an obtaining unit configured to obtain, from a user terminal, developer identification information, and access control information for controlling whether or not one or more functions possessed by the information processing device are permitted to be executed, the developer identification information and the access control information being related to an application program possessed by the user terminal, a determination unit configured to determine whether or not a developer of the application program indicated by the developer identification information is a developer who has made an advance request for authorization for use, and a control unit configured to control execution of at least a portion of the one or more functions based on the access control information, based on the result of the determination by the determination unit.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: October 1, 2019
    Assignee: SONY CORPORATION
    Inventor: Yosuke Hiratsuka
  • Patent number: 10432627
    Abstract: The present disclosure is directed to secure sensor data transport and processing. End-to-end security may prevent attackers from altering data during the sensor-based security procedure. For example, following sensor data capture, execution in a device may be temporarily suspended. During the suspension of execution, sensor interface circuitry in the device may copy the sensor data from a memory location associated with the sensor to a trusted execution environment (TEE) within the device. The TEE may provide a secure location in which the sensor data may be processed and a determination may be made as to whether to grant access to the secure resources. The TEE may comprise, for example, match circuitry to compare the sensor data to previously captured sensor data for users that are allowed to access the secured resources and output circuitry to grant access to the secured resources or to perform activities associated with a security exception.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: October 1, 2019
    Assignee: Intel Corporation
    Inventors: Hormuzd M. Khosravi, Bassam N. Coury, Vincent J. Zimmer
  • Patent number: 10425399
    Abstract: One example method may include generating a template transaction certificate by one or more entities which verify proof of ownership of attributes incorporated into the template transaction certificate, and generating one or more operational transaction certificates by the one or more entities which verified proof of ownership of the template transaction certificate.
    Type: Grant
    Filed: June 23, 2017
    Date of Patent: September 24, 2019
    Assignee: International Business Machines Corporation
    Inventors: David W. Kravitz, Dulce B. Ponceleon, Diego A. Masini, John B. Geagan, III, Brian K. Smith
  • Patent number: 10419429
    Abstract: An electronic device is provided. The electronic device includes a communication module, and a processor. The processor is configured to receive a first user context of a first user from a first user device and a second user context of a second user from a second user device via the communication module, to determine when the first user and the second user are within a specified distance, by using location information in the first and second user contexts, to set permissions to access at least a portion of the first and/or second user contexts based on the determination, to receive a request from the first user for information in the second user context, and to provide the information in the second user context to the first user when the permissions of the second user context allows the first user to access the information in the second user context.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: September 17, 2019
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jae Seok Joo, Chang Ryong Heo
  • Patent number: 10412227
    Abstract: The present disclosure discloses a voice communication processing method and system, an electronic device, and a storage medium. The method includes: initiating from a first account, through a first application, a voice activation request to a server side; receiving a verification code that is returned by the server side and that corresponds to the first account; calling, through the first application, a voice communication authorization interface to send an authentication request comprising the verification code to the server side; the server side providing an authentication result; and initiating operations of the voice communication service interface, based on the authentication result.
    Type: Grant
    Filed: November 8, 2017
    Date of Patent: September 10, 2019
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Xiaobo Chen, Bin Li, Xiaomu Wen, Chi Xi, Junshan Wang, Cheng Luo
  • Patent number: 10404477
    Abstract: A root user device associated with a user receives a request from a non-root user device associated with the user to issue a digital certificate to the non-root user device. The root user device utilizes a shared secret to determine whether the request is valid. If the request is determined to be valid, the root user device uses a public cryptographic key of a cryptographic key pair generated by the non-root user device to generate the digital certificate. The root user device digitally signs the digital certificate by using its private cryptographic key of a cryptographic key pair generated by the root user device. The root user device issues the digitally signed digital certificate to the non-root user device for use in authentication of the non-root user device.
    Type: Grant
    Filed: February 25, 2016
    Date of Patent: September 3, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Michael Bannon Deck
  • Patent number: 10404450
    Abstract: A system performs a setup function which outputs a master secret key associated with a content producing device and public parameters. The system generates a secret key for a user in a content centric network (CCN) based on a master secret key associated with the content producing device, and a schema associated with the user. In response to an interest from the user that includes a name that matches the schema, the system encrypts a payload of a content object based on the name and the public parameters. The system transmits the content object to the user. The encrypted payload is configured such that it can only be decrypted by the secret key of the user and cannot be decrypted by the user if the name in the interest does not match the schema, thereby facilitating schematized access control to content objects in the CCN.
    Type: Grant
    Filed: May 2, 2016
    Date of Patent: September 3, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Christopher A. Wood, Glenn C. Scott
  • Patent number: 10402123
    Abstract: Provided are a computer program product, system, and method for sharing alias addresses among logical devices for a control unit managing access by hosts to logical devices configured with capacity from attached physical devices. An alias management group of logical devices and alias addresses assigned to the logical devices is configured. A plurality of requests to establish an association of the host with a logical device and the alias addresses assigned to the logical devices in the alias management group are received from a host. Acknowledgment is made to the host that the association is established in response to determining that the host is assigned the logical devices and alias addresses of the logical devices in the alias management group. The host can use one available alias address assigned to any one of the logical devices to access any one of the logical devices indicated in the association.
    Type: Grant
    Filed: June 7, 2016
    Date of Patent: September 3, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Susan K. Candelaria, Scott B. Compton, Matthew R. Craig, Clint A. Hardy, Matthew J. Kalos, Dale F. Riedy, Richard A. Ripberger, Harry M. Yudenfriend
  • Patent number: 10404474
    Abstract: Systems and methods for container orchestration security employ one or more processors that separate a lifecycle of one or more containers into a plurality of predefined container image lifecycle phases; segregates control of the plurality of predefined container image lifecycle phases into a plurality of control environments separately controlled by different enterprise control components isolated from one another. In addition, one or more external processors may generate one or more certificates that are based on the platform, state attributes and meta data for interaction of the container with one or more external nodes. The one or more processors may also control the promotion, update and deletion of container images between the plurality of lifecycle phases and registries in different control environments as well as between the enterprise registries and the plurality of other registries that are part of multiple external clouds.
    Type: Grant
    Filed: February 2, 2017
    Date of Patent: September 3, 2019
    Assignee: CITIGROUP TECHNOLOGY, INC.
    Inventors: Javier Caceres, Robert Dailey, Bartlomiej Dolata, Carlos Lopes, Damodhar R. Neelagiri, Ramkumar Pandurangan, Alexandra Shulman-Peleg
  • Patent number: 10404719
    Abstract: Method for verifying data generated by an electronic device included in equipment, the electronic device including a computing unit, a one-time programmable memory and a volatile memory, the equipment including a rewritable non-volatile memory and a communication bus enabling the electronic device to store data in the rewritable non-volatile memory. The method includes: creating a secured channel by encryption between the equipment and a server; obtaining an authentication key from the server; loading data and a message authentication code from the rewritable non-volatile memory to the volatile memory, the message authentication code obtained by the electronic device from the authentication key and said data prior to the storage of said data and message authentication code in the rewritable non-volatile memory, the electronic device not having kept the authentication key following the obtaining of the message authentication code; verifying said data using the secret key and the message authentication code.
    Type: Grant
    Filed: November 21, 2017
    Date of Patent: September 3, 2019
    Assignees: IDEMIA IDENTITY & SECURITY FRANCE, STARCHIP
    Inventors: Jean-Yves Bernard, Yves Fusella, Maël Berthier, Lauren Del Giudice
  • Patent number: 10404463
    Abstract: A cryptographic ASIC and method for autonomously storing a unique internal identifier into a one-time programmable memory in isolation, by a foundry or a user. When later powered on, the ASIC calculates the value of the unique internal identifier from a predetermined input and compares the calculated identifier value to the stored identifier value. A match indicates the stored value is valid, while a mismatch indicates the stored value is invalid, whether due to natural memory component aging or damage by unauthorized access attempts. The ASIC may compare the calculated identifier to another copy or copies of the stored identifier, and disregard unreliable copies of the stored identifier. The ASIC may compare multiple copies of the stored identifier in a voting scheme to determine their validity. The confirmed valid lifetime of the ASIC thus extends far beyond the useful lifetime of a single copy of the stored identifier.
    Type: Grant
    Filed: May 31, 2018
    Date of Patent: September 3, 2019
    Assignee: Blockchain ASICs LLC
    Inventor: Edward L. Rodriguez De Castro
  • Patent number: 10395457
    Abstract: Methods and a system are disclosed for providing autonomous driving system functions. The system includes a controller providing functions for automated user recognition in the autonomous vehicle, at least one environmental sensor configured to scan an environment of the autonomous vehicle and to transmit scan data of the environment to a biometric recognition module of the autonomous vehicle, and a biometric recognition module configured to analyze the scan data of the environment based on a gesture recognition algorithm by using a processor. The gesture recognition algorithm analyzes the scan data of the environment based on at least one biometric feature by using the processor. The at least one biometric feature comprises at least a flagging down gesture and the controller is configured to stop the autonomous vehicle at a position relative to the user and to configure the autonomous vehicle to offer to the user the use of the autonomous vehicle.
    Type: Grant
    Filed: August 10, 2017
    Date of Patent: August 27, 2019
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventor: Robert B. Cooley
  • Patent number: 10396979
    Abstract: Systems and methods for creating a unique identification number to maintain customer privacy. The system includes a memory that stores instructions for executing processes for creating the unique identification number and a processor configured to execute the instructions.
    Type: Grant
    Filed: September 1, 2017
    Date of Patent: August 27, 2019
    Assignee: HONDA MOTOR CO., LTD.
    Inventors: Narendran Ravi, Aparajithan Rajendran