By Certificate Patents (Class 713/156)
  • Patent number: 10397007
    Abstract: An industrial automation gateway providing an extended web of trust is provided. The industrial automation gateway includes a cloud communication interface coupled with a cloud automation facility, a hardware memory, and a processor coupled with the cloud communication interface and the hardware memory. The cloud automation facility includes a cloud hardware memory storing a cloud root certificate from a first root certificate authority and a subordinate certificate. The hardware memory stores a gateway root certificate from a second root certificate authority and the subordinate certificate. The processor is configured to determine if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority.
    Type: Grant
    Filed: October 27, 2017
    Date of Patent: August 27, 2019
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Paul D. Schmirler, Timothy S. Biernat
  • Patent number: 10389727
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Grant
    Filed: January 8, 2018
    Date of Patent: August 20, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Patent number: 10389728
    Abstract: A computer-implemented method, a computer system, and a computer program product are provided for enforcing multi-level security (MLS) on a message transmitted over a network that may be insecure. The method includes the processor obtaining a request from a source to send a message to a target, where the request includes the message and a context indicating a requested security level for the message. The processor encrypts the message based on ascertaining the message received in the request is a plaintext. The processor authenticates the encrypted message based on ascertaining the encrypted message is a ciphertext, where the target is enabled to trace the authenticated ciphertext back to the source. The processor transmits the authenticated encrypted message to the target across the network.
    Type: Grant
    Filed: April 4, 2018
    Date of Patent: August 20, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael Charles Osborne, Tamas Visegrady
  • Patent number: 10380362
    Abstract: A module such as an M2M device or a mobile phone can include a removable data storage unit. The removable data storage unit can include a nonvolatile memory, a noise amplifying memory, and a cryptographic unit. The nonvolatile memory can include (i) shared memory for access by both the module and the cryptographic unit, and (ii) protected memory accessible only by the cryptographic unit. The cryptographic unit can use a noise memory interface and noise amplifying operations in order to increase and distribute bit errors recorded in the noise amplifying memory. The cryptographic unit can (i) generate a random number using the noise amplifying memory and (ii) input the random number into a set of cryptographic algorithms in order to internally derive a PKI key pair. The private key can be recorded in protected memory and the public key signed by a certificate authority.
    Type: Grant
    Filed: March 23, 2019
    Date of Patent: August 13, 2019
    Assignee: IOT and M2M Technologies, LLC
    Inventor: John A. Nix
  • Patent number: 10372922
    Abstract: When a client requests a data import job, a remote storage service provider provisions a shippable storage device that will be used to transfer client data from the client to the service provider for import. The service provider generates security information for the data import job, provisions the shippable storage device with the security information, and sends the shippable storage device to the client. The service provider also sends client-keys to the client, separate from the shippable storage device (e.g., via a network). The client receives the device, encrypts the client data and keys, transfers the encrypted data and keys onto the device, and ships it back to the service provider. The remote storage service provider authenticates the storage device, decrypts client-generated keys using the client-keys stored at the storage service provider, decrypts the data using the decrypted client-side generated keys, and imports the decrypted data.
    Type: Grant
    Filed: April 2, 2018
    Date of Patent: August 6, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Frank Paterra, Firat Basarir
  • Patent number: 10362006
    Abstract: A system and a computer-based method for providing bundled services to a client application in a service call to a service system in a service provider computer system includes receiving a message defining an API service request comprising at least a parameter portion and a payload portion, determining at the gateway system an identity of an application transmitting the received message using identity information that has been established within the service provider computer system, providing, by a services platform, at least one of encryption services and decryption services for data contained in the payload portion using the parameters received in the parameter portion, managing key material for security of the data, and transmitting the encrypted data back to the calling application.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: July 23, 2019
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Mark A. Klausen, Christopher Guthrie, Thomas Arthur Roewe, Jr., Brian Loeffler, Vivek Kosuri
  • Patent number: 10361865
    Abstract: In one embodiment, a method, system, and apparatus are described, the method, system, and apparatus including generating metadata to be associated with each block of a series of blocks, the generating including, except for an initial block, receiving: a first block, including a signed block, and a second block to be signed, retrieving a first value including a square of a random number, R′², multiplying R′² by a nonce, r, and setting r·R′² to be a square of a first random number, denoted R², for the second block, retrieving a second value from the first block, the second value including K-bit vector, E′, determining a bit string value of the second block, M, computing E=hash(R²∥M∥E′), and determining a signature, Sig, for the second block by calculating Sig=r Sig′ S^(E−E′). Related methods, systems, and apparatuses are also described.
    Type: Grant
    Filed: August 29, 2017
    Date of Patent: July 23, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: Eliphaz Hibshoosh, Aviad Kipnis, Nir Moshe, Alon Shaltiel, Yair Fodor
  • Patent number: 10361867
    Abstract: The invention allows verification of authenticity of a maintenance means connectable to a controller of a passenger transportation/access device of a building. A digitally signed license key including a public asymmetric cryptography key of the maintenance means and optionally a one-way hash of a unique identifier of the maintenance means is used for this verification. Furthermore, an asymmetric cryptography key pair of the maintenance means and a symmetric cryptography key created by the controller are utilized in this verification.
    Type: Grant
    Filed: October 21, 2014
    Date of Patent: July 23, 2019
    Assignee: KONE CORPORATION
    Inventors: Sampo Ahokas, Niko Elomaa, Antti Hovi, Ferenc Staengler, Jani Kirmanen, Mikko Niemelä
  • Patent number: 10361869
    Abstract: The present disclosure provides a globally accessible, un-forgeable, and permanent repository of published events in the form of an event ledger. A method according to the present disclosure includes receiving a request from a publisher to publish to an event ledger an event including a name of the publisher, a date and time at which the event occurred, a description of the event, and a cryptographic signature of the event signed using a private key of the publisher, receiving a certificate from the publisher including a public key of the publisher, validating the cryptographic signature of the event using the received certificate, and publishing the event to the event ledger.
    Type: Grant
    Filed: August 23, 2016
    Date of Patent: July 23, 2019
    Assignee: International Business Machines Corporation
    Inventor: Michael A. Gorman
  • Patent number: 10356055
    Abstract: A method and system for providing a secure communication network using an electrical distribution grid is disclosed. A device connected to the electrical distribution grid initiates a request for a secured key token by signaling an intelligent communicating device residing at or near an edge of the grid. The intelligent communicating device forwards the request to a receiver at a distribution substation on the electrical grid. This receiver enhances the properties of the request such that a grid location for the request can be inferred. The enhanced request is forwarded to a server at the distribution substation, which compares the request grid location to a Grid Map and Policies of known secure grid locations. Any inconsistencies between the grid location inferred from the enhanced request and the Grid Map and Policies locations are considered evidence of tampering, and the server rejects the request.
    Type: Grant
    Filed: March 6, 2017
    Date of Patent: July 16, 2019
    Assignees: Astrolink International LLC, Dominion Energy Technologies, Inc.
    Inventors: Henrik F. Bernheim, Marcia Reid Martin, Steven J. Berens, John J. Loporto, Theodore V. Niemann
  • Patent number: 10346424
    Abstract: A computer-implemented method comprises composing a plurality of objects and a metadata object into a complex object at a first node. The metadata object refers to the plurality of objects in the complex object. The method further comprises transmitting the complex object to a second node.
    Type: Grant
    Filed: December 1, 2015
    Date of Patent: July 9, 2019
    Assignee: International Business Machines Corporation
    Inventor: Min Fang
  • Patent number: 10341329
    Abstract: A method is provided for generating a public/private key pair and certificate. The method includes providing an integrated circuit (IC) with an IC specific initial public and private key pair and a public key certificate signed by a manufacturer of the IC. A smartcard having stored thereon customer unique configuration data related to the IC is provided to a customer of the IC manufacturer. The smartcard enables the customer to generate a customization value and a customized public key using the customer unique configuration data. In response to the customer receiving the public key certificate signed by the IC manufacturer from the IC, the customer is enabled to provide the customization value, the customized public key, and a public key certificate signed by the customer to the IC. The IC is thus enabled to generate a customized private key, thus providing an IoT device with a public/private key pair and a certificate signed by the device manufacturer without the use of a trusted party.
    Type: Grant
    Filed: July 5, 2017
    Date of Patent: July 2, 2019
    Assignee: NXP B.V.
    Inventor: Jan Rene Brands
  • Patent number: 10341313
    Abstract: This first communication section transmits, to an authentication server, an encryption key, identification information capable of uniquely identifying a peripheral device, and signature information of the identification information. A second communication section receives data based on an authentication process performed in the authentication server on the basis of the identification information and the signature information transmitted by the first communication section, then, encrypts second data transmission request information, and transmits the encrypted request information to the authentication server. A third communication section receives second data which is encrypted and transmitted from the authentication server in response to the request information transmitted by the second communication section, then decrypts the second data, and transmits the decrypted second data to the authentication server.
    Type: Grant
    Filed: July 7, 2016
    Date of Patent: July 2, 2019
    Assignee: Nintendo Co., Ltd.
    Inventors: Yohei Kojima, Ryoji Kuroda, Tatsuhiro Shirai, Jumpei Wada
  • Patent number: 10341114
    Abstract: A providing device according to the present application includes a detecting unit and a providing unit. The detecting unit detects a function, from among functions used for communication with an authentication server that authenticates the identity of a user by verifying a signature of authentication result information that is information created by adding the signature using a predetermined key to an authentication result obtained by an authentication device that performs personal authentication on the user and that is information processed by a specific authentication procedure, that is not held by a terminal device that is used by the user. The providing unit provides the function detected by the detecting unit to the terminal device that is used by the user.
    Type: Grant
    Filed: August 1, 2016
    Date of Patent: July 2, 2019
    Assignee: YAHOO JAPAN CORPORATION
    Inventors: Takashi Kusumi, Hidehito Gomi, Hiroshi Ueno, Shuji Yamaguchi, Yusuke Kondo
  • Patent number: 10318154
    Abstract: Some embodiments provide a method for a first device that identifies definitions of different groups of devices, each of which is defined by a set of properties required for a device to be a member. The method monitors properties of the first device to determine when the device is eligible for membership in a group. When the first device is eligible for membership in a first group of which the device is not a member, the method sends an application for membership in the first group signed with at least a private key of the device to at least one other device that is a member of the first group. When the first device becomes ineligible for membership in a second group of which the first device is a member, the method removes the device from the second group and notifies other devices that are members of the second group.
    Type: Grant
    Filed: September 30, 2015
    Date of Patent: June 11, 2019
    Assignee: Apple Inc.
    Inventors: Mitchell D. Adler, Michael Brouwer, Andrew R. Whalley, John C. Hurley, Richard F. Murphy, David P. Finkelstein
  • Patent number: 10320778
    Abstract: Some implementations may include a computer-assisted method for digitizing an identification document, the method including: receiving a digital biometric of a subject; applying the received digital biometric to a digital identification document; applying a digital watermark to the digital identification document, the digital watermark encoding personally identifiable information of the subject identified by the digital biometric; and generating the digital identification document with the applied digital watermark, the digital identification document comprising both the digital watermark and the digital biometric.
    Type: Grant
    Filed: August 27, 2014
    Date of Patent: June 11, 2019
    Assignee: MorphoTrust USA, LLC
    Inventors: Daniel Poder, Robert Andrew Eckel
  • Patent number: 10320570
    Abstract: Systems, apparatuses, services, platforms, and methods are discussed herein that provide digital security services and enhance digital security certificate issuance for communication systems. In one example, a digital security platform is presented that includes a client interface service configured to receive requests for digital security certificates from one or more requesting entities. The digital security platform includes a certificate service configured to process the requests against evaluation criteria to select certificate authorities to handle the requests, and handler processes configured to interface with associated ones of the selected certificate authorities for issuance and delivery of the digital security certificates.
    Type: Grant
    Filed: August 30, 2016
    Date of Patent: June 11, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Quentin Cleveland Bracken, Dawn Murphy Lamb
  • Patent number: 10313137
    Abstract: A computer implemented method and system are provided for verifying authenticity of a medical component endpoint. The method is under control of one or more computer systems configured with specific executable instructions. The method receives, at a local medical equipment (LME) node, a cipher message combination that includes a challenge and a corresponding valid response, the LME node is unable to independently calculate the valid response. The method conveys the challenge, from the LME node, to a medical component endpoint that includes an authentication circuit, receives a candidate response from the component endpoint, where the candidate response is generated by the authentication circuit based on the challenge and determines whether the candidate response matches the valid response from the corresponding cipher message combination. The method further authenticates the component endpoint based on whether the candidate and valid responses match.
    Type: Grant
    Filed: November 11, 2016
    Date of Patent: June 4, 2019
    Assignee: General Electric Company
    Inventors: Lauri Tapio Aarnio, Ville Vartiovaara, Antti Paila
  • Patent number: 10313327
    Abstract: Systems and methods are provided for facilitating account login, wherein the method is implemented by a first server that is associated with a first account. In some embodiments, the method comprises receiving, from a terminal device, a request to log into a second account associated with a second server, wherein the request includes a first identifier associated with the first account and a second identifier associated with the second server. The method further comprises generating account information to be transmitted to the second server based on the first identifier; and transmitting the account information to the second server based on the second identifier; wherein the transmission of the account information enables the second account to be automatically logged into at the second server.
    Type: Grant
    Filed: October 22, 2015
    Date of Patent: June 4, 2019
    Assignee: Alibaba Group Holding Limited
    Inventor: Jie Hua
  • Patent number: 10313307
    Abstract: The present disclosure provides methods and apparatus for administering an interface between a machine-to-machine, M2M, device and a network application function, NAF, for secure communication between the M2M device and the NAF. In one method, the M2M device comprises security information for enabling secure communication via the interface, and administers the interface by: setting a secure interface lifetime parameter based on a lifetime of at least part of the security information; and transmitting administration data to the NAF, wherein the administration data comprises the secure interface lifetime parameter.
    Type: Grant
    Filed: September 12, 2014
    Date of Patent: June 4, 2019
    Assignee: VODAFONE IP LICENSING LIMITED
    Inventor: Nick Bone
  • Patent number: 10305884
    Abstract: A system and method for verifying the identity of internet hotspots, comprising a user device having a processor, memory, and radio transceiver, an internet hotspot, a wireless access point, coupled to the radio transceiver of the user device and the internet hotspot, and a program stored in the memory and adapted to run on the processor of the user device, wherein the program is configured to identify a mobile wireless access point for connection by a user, connect a user to the wireless access point through a login request, query an initial probe request for the identity of the authenticating source of the wireless access point, perform a security check on the wireless access point, verify the validity and authenticity of the wireless access point to prevent transmission of information associated with the user device, and either permit or drop the connection to the wireless access point upon verification.
    Type: Grant
    Filed: December 6, 2013
    Date of Patent: May 28, 2019
    Inventor: Mark Sauther
  • Patent number: 10305885
    Abstract: Systems, methods, and software can be used to access an enterprise resource. In some aspects, a certificate for accessing enterprise resources at one or more service providers (SP) is received at an enterprise mobility management (EMM) client on a mobile device from an EMM server. An authentication request is sent to an identity provider from an application on a mobile device. In response to the authentication request, an authentication challenge is received from the identity provider. The authentication challenge includes a certificate request. In response to the authentication challenge, an authentication response is sent from the application. The authentication response includes the certificate. An authorization token is received from the identity provider. The authorization token indicates whether the identity provider validates the certificate and the mobile device.
    Type: Grant
    Filed: March 3, 2016
    Date of Patent: May 28, 2019
    Assignee: BlackBerry Limited
    Inventors: Balasubrahmanyam Gattu, Mendel Elliot Spencer, Robert Lorne Bowerman, Calin Marius Bozsitz
  • Patent number: 10291622
    Abstract: A quorum-based access mechanism can require multiple entities to provide credentials over a determined period of time in order to obtain access to one or more resources in an electronic environment. This can include receiving a request that is signed by multiple signatories, or receiving multiple requests within a determined period that are each signed by a respective and authorized signatory. In some embodiments the receiving of a primary request causes notifications to be sent to other potential signatories, and a specified or minimum number must respond timely with a signed request to have the access granted. The quorum-based access mechanism can function as an additional authorization layer sitting in front of more conventional authorization and authentication mechanisms. In some embodiments a quorum token can be passed with the request, whereby resources in the environment can make access determinations based on the information in the token.
    Type: Grant
    Filed: March 15, 2016
    Date of Patent: May 14, 2019
    Assignee: AMAZON TECHNOLOGIES, INC.
    Inventors: Hart Matthew Rossman, Erik Lee Swensson
  • Patent number: 10291412
    Abstract: An information processing system is provided that includes a server, a communication terminal, and a peripheral device. The peripheral device includes a secure storage section with a secure region. The secure region is accessible by internal component of the peripheral device. Certificate data is read out from the secure region and transmitted to the server. The server performs authentication, on the basis of the certificate data, regarding whether the peripheral device is a peripheral device whose connection to the communication terminal is permissible. In response to authentication of the peripheral device, execution of a process that involves transmission and reception of encrypted data is permitted between the peripheral device and the communication terminal.
    Type: Grant
    Filed: August 8, 2016
    Date of Patent: May 14, 2019
    Assignee: NINTENDO CO., LTD.
    Inventors: Yohei Kojima, Ryoji Kuroda, Tatsuhiro Shirai
  • Patent number: 10284554
    Abstract: Systems and methods herein can provide device-specific access to an e-mail server, including an EWS-based e-mail server. In an example, a management server controlled by a system administrator provides device identification information to a user device and to a tunnel server. The management server also provides a custom request identifier to the tunnel server, and provides instructions to the e-mail server to allow access for requests including that custom request identifier. The tunnel server receives a request from the user device, rewrites the request to include the custom request identifier, and passes the request to the e-mail server.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: May 7, 2019
    Assignee: AirWatch, LLC
    Inventor: Robert Terakedis
  • Patent number: 10284684
    Abstract: The disclosed technology is generally directed to device certification in an IoT environment. For example, such technology is usable in managing relationships between IoT devices and an IoT Hub. In one example of the technology, an IoT Hub receives a registration request. Next, the IoT Hub sends a registration verification to the IoT device. Next, the IoT Hub receives a ping from the IoT device. Next, the IoT Hub sends a response to the ping to the IoT device. Next, the IoT Hub receives verification of a validation of a log file output by a device based on running a plurality of unit tests on a device with a software development kit. Next, the IoT Hub automatically sends code to the IoT device.
    Type: Grant
    Filed: September 14, 2016
    Date of Patent: May 7, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Hector Garcia Tellado, Dan Calin Cristoloveanu, Samuel John George
  • Patent number: 10277567
    Abstract: Method and server for issuing a cryptographic key. One method includes distributing a first group key to a first communication device and a second communication device. The method also includes distributing a security request to the first communication device. The method further includes receiving a security status from the first communication device responsive to transmitting the security request. The method also includes determining when security of the first communication device is compromised based on the security status. The method further includes distributing, via a server, the cryptographic key to the first communication device when the security of the first communication device is not compromised. The method also includes distributing, via the server, a second group key to the second communication device when the security of the first communication device is compromised and the first communication device cannot be fixed or deactivated.
    Type: Grant
    Filed: June 6, 2016
    Date of Patent: April 30, 2019
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Katrin Reitsma, Michael F. Korus
  • Patent number: 10277580
    Abstract: Techniques are disclosed for generating multiple key pairs using different algorithms and similarly installing certificates signed using the different algorithms. A customer server receives a selection of algorithms for generating a public/private key pair (e.g., RSA, ECC, DSA, etc.). The customer server generates key pairs for each selection and also generates corresponding certificate signing requests (CSR). The customer server sends the CSRs to a certificate authority (CA). The CA generates certificates associated with algorithm and sends the certificates to the customer server. The customer server may prompt a user to select one or more of the certificates to install, and upon receiving the selection, the customer installs the certificates.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: April 30, 2019
    Assignee: DigiCert, Inc.
    Inventors: Michael Klieman, Perry Tancredi
  • Patent number: 10268811
    Abstract: A system, apparatus, method, and machine readable medium are described for delegating trust to a new client device or a new authenticator on a trusted device. For example, one embodiment of a method comprises: implementing a series of trust delegation operations to transfer registration data associated with one or more trusted authenticators on a trusted client device to one or more new authenticators on a new client device or on the trusted client device.
    Type: Grant
    Filed: March 18, 2014
    Date of Patent: April 23, 2019
    Assignee: NOK NOK LABS, INC.
    Inventor: Davit Baghdasaryan
  • Patent number: 10268637
    Abstract: Introduced are systems and methods that enable modification of logs in multiple off-line databases. Multiple off-line devices can mistakenly associate different respondents with the same identification (ID) unique to the system. When the multiple off-line devices synchronize with each other, or synchronize with a server hosting the central database, the software running on the off-line devices, or on the server detects that the modified logs come from different respondents, and the software assigns two different IDs unique to system to the logs. In another embodiment, multiple off-line devices can mistakenly associate the same respondent with two different IDs unique to the system. When the multiple off-line devices synchronize with each other or with the server, the software running on the off-line devices, or the server detects that the modified logs come from the same respondent, and the software assigns the logs to the same ID unique to system.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: April 23, 2019
    Assignee: DHARMA PLATFORM, INC.
    Inventors: Stefan Anastas Nagey, Jesse Erin Berns
  • Patent number: 10268805
    Abstract: A method for transferring digital multimedia rights, the method including but not limited to requesting permission from the destination end user to transfer the digital multimedia rights to the destination end user device; and if the permission is received from the destination end user, canceling the source set of digital multimedia rights associated with the source end user and transferring the source set of digital multimedia rights associated with the source end user to the destination end user device. A system and computer program product are disclosed for performing the method.
    Type: Grant
    Filed: November 2, 2012
    Date of Patent: April 23, 2019
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Randolph Wohlert, Paul Van Vleck
  • Patent number: 10270602
    Abstract: A method, system, and computer usable program product for verifying and enforcing certificate use are provided in the illustrative embodiments. A certificate is received from a sender. The certificate is validated before communicating a message associated with the certificate to a receiver. If the certificate is invalid, a policy is selected based on a type of invalidity of the certificate. An action is taken to enforce the policy for using the certificate. The certificate may be received from the sender at a proxy. The validating may further include verifying the validity of the certificate using a certificate from a certificate database accessible to the proxy over a network. The proxy may copy a part of the certificate database to a second certificate database local to the proxy. The validating may further include verifying the validity of the certificate using a certificate revocation list accessible to the proxy over a network.
    Type: Grant
    Filed: October 1, 2008
    Date of Patent: April 23, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventor: Heather Maria Hinton
  • Patent number: 10263789
    Abstract: A service provider network includes a certificate manager that auto-generates and auto-renews security certificates for customers of the provider network. The security certificates may be usable to implement a Secure Sockets Layer (SSL) protocol, or other types of security protocols. The certificate manager generates a public key, private key pair for the customer, generates the certificate signing request (CSR) on behalf of the customer, transmits the CSR to the certificate authority (CA), and binds the resulting CA-generated certificate and private key to whatever internet-facing service the customer chooses (e.g., a load balancer).
    Type: Grant
    Filed: March 28, 2016
    Date of Patent: April 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Stefan Popoveniuc, Nicholas James Lynch, Preston Anthony Elder, III, Param Sharma, Todd Lawrence Cignetti, Dmitry Berkovich, Iftach Ragoler
  • Patent number: 10263772
    Abstract: The smart card chip for generating a private key and public key pair in accordance with an embodiment of the present invention comprises: a communication unit for performing at least one of a contact communication with an external device and a near-field wireless communication therewith; a control unit for communicating with the external device through the communication unit and generating a private key and public key pair; and a memory unit for storing the generated private key and public key pair, wherein if receiving a command to generate a private key and public key pair from the external device, the control unit checks if a pre-generated private key and public key pair is stored in the memory unit, and if the pre-generated private key and public key pair is stored in the memory unit, the control unit reads the pre-generated private key and public key pair.
    Type: Grant
    Filed: December 23, 2014
    Date of Patent: April 16, 2019
    Assignee: KEYPAIR CO., LTD.
    Inventor: Jung-Youp Lee
  • Patent number: 10254334
    Abstract: Described herein are various technologies pertaining to identifying counterfeit integrated circuits (ICs) by way of allowing the origin of fabrication to be verified. An IC comprises a main circuit and a test circuit that is independent of the main circuit. The test circuit comprises at least one ring oscillator (RO) signal that, when energized, is configured to output a signal that is indicative of a semiconductor fabrication facility where the IC was manufactured.
    Type: Grant
    Filed: July 24, 2018
    Date of Patent: April 9, 2019
    Assignee: National Technology & Engineering Solutions of Sandia, LLC
    Inventors: Ryan Helinski, Lyndon G. Pierson, Edward I. Cole, Tan Q. Thai
  • Patent number: 10256976
    Abstract: An information interaction method, includes: obtaining, by an encryption accessory, one or more user features, the encryption accessory including a hardware logic circuit; performing, by the hardware logic circuit, a logical operation on the one or more user features to generate a hardware function; and using the hardware function for an access authentication by a social networking service (SNS) server.
    Type: Grant
    Filed: May 6, 2015
    Date of Patent: April 9, 2019
    Assignee: I-Patrol Technology Limited
    Inventors: Yi Wang, Ching Lap Chan
  • Patent number: 10255421
    Abstract: Disclosed is a working method for a multi-seed one-time password, which falls within the field of information security. The method comprises: powering and initializing a one-time password, opening a total interrupt, initializing the state of a system, and then entering a sleep mode; when the one-time password detects the interrupt, awakening the one-time password from the sleep mode, and entering an interrupt processing flow; after the interrupt processing flow is ended, checking each awakening flag; and executing a processing flow corresponding to the set awakening flag. According to the present invention, a user can burn seed data into the one-time password by operating the one-time password, and can update the seed data in the one-time password. In addition, according to the present invention, the one-time password is capable of storing and managing a plurality of seeds.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: April 9, 2019
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu, Mingji Li
  • Patent number: 10248429
    Abstract: A non-transitory storage device includes machine readable instructions that, when executed, cause a processing resource to perform various operations. One such operation, for example, is to receive a selection of a blueprint to be used for configuration purposes. Other operations may include automatically validating the selected blueprint and automatically configuring the computing device in accordance with the selected and validated blueprint. Various related apparatuses and methods are provided as well.
    Type: Grant
    Filed: April 25, 2014
    Date of Patent: April 2, 2019
    Assignee: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP
    Inventors: Douglas L. Voigt, Dejan S. Milojicic
  • Patent number: 10250397
    Abstract: Embodiments presented herein provide a validation service used to validate a certificate chain for both public facing servers as well as internal, non-public facing servers. To validate a certificate chain, the client generates a request with the network address and sends it to the validation service. In response, the validation service attempts to establish a connection with the server at the network address. If successful, the validation service receives a certificate chain from the server and can verify that the certificate chain is complete, valid, and chains to a trusted root. If the validation service cannot connect to the network address identified in the request, then the validation service sends a local validation component to the requesting client. The local validation component executes from the client and validates the certificate chain presented by the network server.
    Type: Grant
    Filed: September 19, 2017
    Date of Patent: April 2, 2019
    Assignee: DigiCert, Inc.
    Inventors: Padam Singal, Deepa Priya Ramachandran
  • Patent number: 10250587
    Abstract: The misuse of public key, private key, and public/private key certificates poses significant security challenges to computer networks that are addressed by certificate monitoring. Certificate monitoring allows network administrators to detect and remedy poor security practices related to public key certificates and to detect and combat the malicious use of public key certificates in a centralized environment. Best practices and detection methods and systems are developed over time via machine learning to improve network security, and any detected misuse may be brought to a network administrator's attention or automatically remedied.
    Type: Grant
    Filed: September 30, 2016
    Date of Patent: April 2, 2019
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Elad Iwanir, Gal Tamir, Shahar Weiss, Eli Koreh
  • Patent number: 10242234
    Abstract: Systems and methods for wireless enabled security in relation to a storage drive are described. In one embodiment, the systems and methods may include receiving, at a storage drive, a request from a host of the storage drive. In some cases, the request may be received via a wired connection between the storage drive and the host. In some embodiments, the systems and methods may include determining whether the request is flagged by the host as a secure connection request, processing the request upon determining the request is not flagged as a secure connection request, and establishing a wireless connection with the host upon determining the request is flagged by the host as a secure connection request.
    Type: Grant
    Filed: July 15, 2016
    Date of Patent: March 26, 2019
    Assignee: SEAGATE TECHNOLOGY LLC
    Inventor: Christopher Nicholas Allo
  • Patent number: 10243994
    Abstract: An identity management system is augmented to provide a methodology to generate an objective measure of administrative effectiveness with respect to account certification. In the approach, erroneous account information is intentionally inserted into a recertification campaign. The erroneous account information is tracked through the recertification process and used as a measurement to evaluate whether a particular manager/administrator whose accounts are impacted is successful in recognizing the erroneous account information (e.g., as a percentage of erroneous account records located). The dummy information is tracked and used to generate a quantitative measure of the effectiveness of a particular recertification campaign or a particular manager who is responsible for recertifying accounts. The results can also be used to drive other enterprise metrics and compliance systems.
    Type: Grant
    Filed: September 2, 2015
    Date of Patent: March 26, 2019
    Assignee: International Business Machines Corporation
    Inventors: Brian Robert Matthiesen, Gee Ngoo Chia, Jean Elizabeth Hidden, Stephen James Turcol
  • Patent number: 10243936
    Abstract: A method of automatic security parameter renewal includes determining if the security parameter satisfies a renewal condition, the determining including automatically detecting a time when a security parameter is going to expire, and automatically updating the security parameter when the renewal condition is satisfied. The automatically updating the security parameter includes modifying a certificate upon receipt of a new certificate.
    Type: Grant
    Filed: November 17, 2017
    Date of Patent: March 26, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Ashish Kundu, Ruchi Mahindru, Ajay Mohindra, Valentina Salapura, Mahesh Viswanathan
  • Patent number: 10223848
    Abstract: Various systems and methods for providing a smart entry system are described herein. A smart entry system includes a detector to detect a person near a portal to a room; a transceiver to attempt to establish a wireless connection between the smart entry system and a user device associated with the person; and a user interface to present a notification to the person based on a state of the wireless connection.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: March 5, 2019
    Assignee: Intel Corporation
    Inventors: David W. Browning, Mark MacDonald, Yoshifumi Nishi
  • Patent number: 10211992
    Abstract: Embodiments are directed to a system and method of exchanging certificate pinning information between a server and client over an unprotected network by: obtaining a server certificate fingerprint to validate the server to the client during network communication; upon receipt of a request from the client, wrapping the server certificate fingerprint in an envelope that is encrypted using a hash of a password defined by the user and transmitted for storage on the server; and transmitting the envelope as part of a payload over the network to the client to enable the client to decrypt the envelope using the password and obtain the server certificate fingerprint for pinning to data elements transmitted to the server.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: February 19, 2019
    Assignee: EMC IP Holding Company LLC
    Inventor: Izar Tarandach
  • Patent number: 10212156
    Abstract: Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.
    Type: Grant
    Filed: July 24, 2017
    Date of Patent: February 19, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Stefan Thom, Ronald Aigner, Merzin Kapadia, Stuart H. Schaefer, Robert Karl Spiger
  • Patent number: 10210510
    Abstract: Identity certificates such as SSL certificates can be issued in such a way that their use can be disabled upon short notice. In one embodiment, private signing information associated with a certificate is used by an infrastructure service on behalf of an entity, without making the private signing information accessible to the entity. In another embodiment, short-term certificates are dynamically issued to an application based on a previous certificate authorization.
    Type: Grant
    Filed: August 31, 2017
    Date of Patent: February 19, 2019
    Assignee: Amazon Technologies, Inc.
    Inventor: Eric J. Brandwine
  • Patent number: 10205729
    Abstract: A method for providing multiple users with security access to an electronic system is provided. The method comprising: providing a plurality of parent security roles, wherein each parent security role includes a plurality of transactions authorized to be performed in the electronic system, providing a plurality of child security roles, wherein each child security role is derived from one of the plurality of parent security roles, setting up the multiple users in the electronic system and their associated user passwords, assigning one of the plurality of child security roles to each of the multiple users to provide the multiple users with security access to the electronic system at once, and providing each of the multiple users with security access to the electronic system, via the associated user password, in accordance with the child security role assigned to the user.
    Type: Grant
    Filed: September 18, 2015
    Date of Patent: February 12, 2019
    Assignee: ACCENTURE GLOBAL SERVICES LIMITED
    Inventors: Sachin Saraf, Anupam Pandey
  • Patent number: 10205719
    Abstract: The invention discloses a network function virtualization-based certificate configuration method, apparatus, and system. A virtualized network management entity obtains initial credential information of a virtualized network function entity; and installs the initial credential information onto the virtualized network function entity during or after instantiation of the virtualized network function entity, so that the virtualized network function entity obtains, from a certificate authority by using the initial credential information, a formal certificate issued by a network operator of the virtualized network function entity. The invention not only can apply to a network function virtualization scenario, but also can resolve a problem of a security risk in network function virtualization.
    Type: Grant
    Filed: September 23, 2016
    Date of Patent: February 12, 2019
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Chengyan Feng, Jing Chen
  • Patent number: 10192375
    Abstract: The present invention relates to a two-factor authentication pattern-based door lock control method and a two-factor authentication pattern-based door lock that converts a locked state of a door lock to a released state thereof or maintains the released state of the door lock if additional authentication of a user is not performed, thereby allowing the user to have help from an outsider (acquaintance, neighbor, security staff, guard, police officer, fire fighter, and so on) in an emergency situation where the user is trapped in an indoor space by an invader.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: January 29, 2019
    Inventor: Hae Sung Yang