Abstract: A history management apparatus includes a storage unit configured to store usage application information of a user in a region into which entry is restricted by biometric authentication, a cancellation control unit configured to cancel, in a case where a predetermined visitor has succeeded in biometric authentication at a gateway of the region, and the usage application information is satisfied, restriction on entry into the region, a history registration unit configured to register, into the storage unit, history information of a visitor who has succeeded in the biometric authentication, a generation unit configured to generate, in a case where a disclosure request for the history information has been received from a terminal of a predetermined disclosure requestor, disclosed information obtained by performing predetermined processing on the history information in accordance with an attribute of the disclosure requestor, and an output unit configured to output the disclosed information to the terminal.

Abstract: Dynamic evaluation of data store access store permissions is disclosed: obtaining a set of record identifiers (IDs) associated with a selected data store associated with an external system; determining record-level access permissions associated with a user for records in the selected data store associated with the set of record IDs; inferring one or more data store-level access permissions associated with the user for the selected data store based at least in part on the record-level access permissions associated with the user for the records in the selected data store; and presenting the inferred one or more data store-level access permissions associated with the user at a user interface.

Abstract: A computer-implemented method for use by a client device is provided. The client device comprises a memory and is configured to send data according to a cryptographic protocol that uses a key. The method comprises: generating a data unit and a seed related to the data unit; generating a measurement result of the client device related to the seed; generating an attestation key based on the measurement result and a key that is agreed in accordance with the cryptographic protocol; encrypting the data unit at least in part based on the attestation key; and generating an output comprising the encrypted data unit. Related methods for use by a server device and a network component, and related client device, server device and network component are also provided.

Abstract: A method of a local bundle assistant (LBA) negotiating a certificate with a secondary platform bundle manager (SPBM) in a wireless communication system including: transmitting a request message requesting information of certificates supported by a secondary secure platform (SSP) to a secondary platform bundle loader (SPBL) of the SSP; receiving the information of certificates supported by the SSP including information of certificate issuers corresponding to a family identifier from the SPBL; transmitting the information of certificates supported by the SSP to the SPBM; and receiving a certificate of the SPBM for key agreement, information of public key identifiers of certificate issuers to be used by the SSP, and information of the family identifier from the SPBM.

Abstract: The present invention provides systems and methods for supporting encrypted communications with a medical device, such as an implantable device, through a relay device to a remote server, and may employ cloud computing technologies. An implantable medical device is generally constrained to employ a low power transceiver, which supports short distance digital communications. A relay device, such as a smartphone or WiFi access point, acts as a conduit for the communications to the internet or other network, which need not be private or secure. The medical device supports encrypted secure communications, such as a virtual private network technology. The medical device negotiates a secure channel through a smartphone or router, for example, which provides application support for the communication, but may be isolated from the content.

Abstract: Disclosed are systems and methods for utilizing designed market access (DMA) zones in conjunction with mobile networks so as to enable secure, appropriate read/write access to streaming content. The disclosed systems and methods enable a mapping of an Internet Protocol (IP) address to a particular geolocation node of a mobile network, whereby a DMA for such node can be identified/determined. Accordingly, the DMA can be leveraged for monitoring a customer user's location respective to streaming service/media access requests.

Abstract: A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.

Abstract: A system and method are described in which a document transaction management platform coordinates performance of trust actions across a plurality of trust service providers. For example, a method can include operations executing on a connector module in communication with a digital transaction management platform and a trust service provider, such as the following. Receiving, from the digital transaction management platform, a transaction request including a token and a requested trust action. Accessing user information for a recipient involved in the requested trust action using the token. Obtaining, from the digital transaction management platform, transaction data associated with the requested trust action. Coordinating, with the trust service provider, performance of the trust action on at least a portion of the transaction data. Transmitting, to the digital transaction management platform, a proof received from the trust service provider confirming performance of the trust action.

Abstract: A block chain defining authority and access to confidential data may not be encrypted, and the access to the block chain can be regulated by the block chain itself and an access control server operating in an enterprise information technology (IT) environment. To incorporate authority defined in multiple sources, such as the block chain and the access control server, a token can be created containing multiple layers of permissions, i.e. constraints, coming from multiple sources. Each additional permission attenuates the authority granted by the token. When a processor controlling the access to the block chain receives the token, the processor can check the validity of the token and the authority granted by the token to determine whether the requester is authorized to access at least a portion of the block chain.

Abstract: A method consistent with embodiments of the present disclosure may begin with retrieving a message to be electronically transmitted. The method may proceed with digitally securing the message by generating a first digital signature for the message. The first digital signature may be added to a list of digital signatures for inclusion in the message. A list of allowed anticipated changes may be retrieved. In accordance to embodiments disclosed herein, the message may be pre-signed for the allowed anticipated changes. Pre-signing the message may comprise editing the message with each allowed anticipated change, generating a subsequent digital signature for the message edited with the allowed anticipated change, and adding the subsequent digital signature to the list of digital signatures for inclusion in the electronic message. This process may be repeated for each allowed anticipated change in the allowed anticipated changes.

Abstract: Consistent with the present disclosure, a method and related system for secure autonomic optical transport networks are disclosed. The method includes steps for adding a network element in an optical network. The method includes an initial step of verifying, with a new network element, a first identifier certificate from a proxy network element. In a further step, a second identifier certificate from the new network element is verified with the proxy element. A registrar is used for verifying the second identifier certificate from the proxy network element and sending domain specific parameters to the proxy network element for forwarding to the new network element Next, a local certificate is generated on the new network element. The local certificate is derived from a secure module and sent to the proxy network element for forwarding to the registrar. Further, the new network element in the autonomic domain is enrolled, with the registrar.

Abstract: There is provided mechanisms for certificate revocation check during a subscription related procedure for a subscriber entity. A method is performed by the subscriber entity. The method comprises receiving a message from a subscription management entity during the subscription related procedure for the subscriber entity. The message comprises a certificate and an OCSP response for the certificate. The OCSP response indicates a revocation state of the certificate. The method comprises determining whether the certificate has been revoked or not by checking the revocation state as indicated in the OCSP response.

Abstract: A computer implemented method includes determining a first level of risk based on a context of source code as stored. A second level of risk is determined based on a change history of the source code. A third level of risk is determined by assessing a nature of changes to the source code. The first, second, and third levels of risk are combined to generate an indication of trust in the source code.

Abstract: An information processing device includes: a storage configured to store an electronic certificate used for authentication for using a network; a detector configured to detect whether a time to renew the electronic certificate has arrived; and a communication unit having a first communication mode in which the communication unit communicates with an external device via the network and a second communication mode in which the communication unit communicates with a certificate renewal device without using the network. The communication unit connects with the certificate renewal device in the second communication mode and receives an electronic certificate for renewing the electronic certificate from the certificate renewal device, on a basis of the detection by the detector.

Abstract: A computer platform includes a security processor; at least one hardware processor; and a memory. The security processor stores data representing a private platform key. The private platform key is part of an asymmetric pair of keys, and the asymmetric pair of keys includes a public platform key. The memory stores a firmware image. The firmware image includes data representing a root certificate of a public key infrastructure that signs a second certificate that is associated with the computer platform. The second certificate includes the public platform key and binding information binding the second certificate to the computer platform. The firmware image includes instructions that, when executed by the hardware processor(s), cause the hardware processor(s) to access data representing the second certificate and determine whether the second certificate is valid based on the root certificate and the binding information.

Abstract: A first semiconductor device includes a processor configured to generate a random number at initial test of a second semiconductor device after fabrication of the second semiconductor device in a supply chain related to the second semiconductor device, and send the generated random number to the second semiconductor device. The processor is further configured to receive a first signature that is signed over the sent random number by the second semiconductor device using a first private key that is stored in the second semiconductor device, among a first private and public key pair, and test the received first signature, using a first public key that is stored in the first semiconductor device, among the first private and public key pair, to determine whether the second semiconductor device is authenticated.

Abstract: A method for performing fact verification includes receiving a document for verification; identifying and extracting, on the computer network, at least two named entities from the document for verification and associated information as metadata; identifying, off-chain, identifiers of relevant documents corresponding to each of the at least two named entities, the relevant documents being authenticated documents including one or more of the at least two named entities; identifying a predetermined number of relevant documents among the identified relevant documents based on a number of the at least two named entities present and a number of occurrences for each of the named entities; and determining whether the document to be verified is supported by the predetermined number of relevant documents.

Abstract: Disclosed are methods, apparatus, systems, and computer readable storage media for providing access to a private resource in an enterprise social networking system. One or more servers may receive a request for access to a private resource to be granted to a user from a publisher. The publisher may be configured to publish a message as a feed item to one or more feeds, where the message includes a user identification identifying the user. The user does not have access to the private resource. The feed item may be provided to display in the one or more feeds. Access may be granted to the user via the one or more feeds. In some implementations, access may be granted in response to a user input from the feed item associated with a moderator or owner, the moderator or owner having a privilege to control user access to the private resource.

Abstract: A secure executable container executed by an endpoint device receives a request by an originating entity for initiating a secure peer-to-peer transfer of a data object to at least a second network entity via a second network device in a secure data network. The secure executable container establishes a two-way trusted relationship between the originating entity and the endpoint device, and between the endpoint device and the second network device. The secure executable container generates a root data object containing metadata identifying the data object and comprising a list identifying message objects containing respective data chunks of the data object, and causes the second network device to execute a secure autonomic synchronization of the root data object via the secure data network, enabling the second network entity to execute the secure peer-to-peer transfer of at least a selected portion of the data object as a hyperlinked hypercontent object.

Abstract: Systems, devices, and methods are discussed for providing ZTNA control across multiple related, but independently provisioned networks.

Abstract: Aspects of the invention are directed towards methods and systems for managing access of an application. One or more embodiments of the invention describe receiving an indication from a user to access an application. One or more embodiments of the invention further describe determining whether a user device is in an offline mode and if the user device is in the offline mode, prompting the user to input user credentials. Furthermore, the embodiments of the invention also describe receiving the user credentials from the user and validating the user credentials of the user with pre-stored user credentials. Accordingly, access of the application to the user is controlled based on said validation.

Abstract: A secure peer-to-peer streaming media session is initiated in a secure data network based on a secure executable container executed by an endpoint device receiving a request, by an originating entity, for initiating the session with a second network entity having a two-way trusted relationship with the endpoint device in the secure data network via a second network device. The secure executable container: generates a conversation object identifying the second network entity as a participant in the session, and causes secure autonomic synchronization of the conversation object with the second network device; generates a message object and adds a reference to the conversation object; and updates a hypercontent body in the message object with streaming media data received from an executable media source in the endpoint device. The updating causes the second network device to retrieve each update of the streaming media data in the hypercontent body during the session.

Abstract: A system includes a device and a payload warehouse. The device receives a user request to initiate a feature of the device. In response to receiving the request, device information is provided to a payload warehouse. The payload warehouse stores an inventory which includes a digital payload. The digital payload includes data, such as a digital certificate, which may be used by the device to implement the user-requested feature. The payload warehouse receives the device information provided by the device and determines an encryption vector based at least in part on the received device information. Using the encryption vector, the digital payload is encrypted. The encrypted digital payload is provided to the device.

Abstract: Examples disclosed herein relate to performing a security action based on a comparison of digital signatures. An intrusion detection mode is initiated by a baseboard management controller. A first digital signature of hardware devices is calculated during the activation of the intrusion detection mode. The first digital signature is stored. Upon detection of a trigger, a second digital signature is calculated for the current hardware devices. The digital signatures are compared. A security action is performed based on the comparison.

Abstract: The techniques disclosed herein provide an enhanced single sign-on flow for secure computing resources, such as a virtual machine or hosted applications. In some configurations, the techniques process different types of security data, e.g., credentials, tokens, certificates, and reference objects at specific computing entities of a system to provide a single sign-on flow for providing access to secure computing resources from a client computing device. In one illustrative example, a select type of security data, such as a certificate, is generated from a token and a claim at a particular computing resource, such as an agent operating on a virtual machine. In another example, a signed version of the certificate can be stored and verified at the virtual machine. By generating certificates at such particular computing resources, the computing resource can verify a person's credentials using a secure single sign-on flow without requiring the person to provide credentials multiple times.

Abstract: A computer-implemented method for supplementing measurement results of automated analyzers is presented. The method includes obtaining, at a computer device, a result of a measurement performed by an automated analyzer, the computer device and the automated analyzer being located within a privileged computer network, obtaining a context related algorithm associated with the result of the measurement defining one or more triggering conditions and context related information from a computer device residing outside of the privileged computer network at the computer device and processing the result of the measurement by using the context related algorithm to generate a context specific supplement to the result of the measurement at the computer device.

Abstract: A method for data deduplication and compression in untrusted storage system is provided for storing large amount of data more efficiently and in a secure manner and by maintaining the integrity of the data. Such data deduplication and compression in untrusted storage system is achieved by utilizing by a system comprising a set of trusted servers, which are configured to trust each other and to share common encryption keys.

Abstract: Example embodiments include a method for receiving, at a user device from a home access point, a first digital certificate for a residential wireless roaming mode, wherein the residential wireless roaming mode provides the user device remote access to a wireless local area network corresponding to the home access point, and wherein the first digital certificate is issued by a certificate authority of a service provider associated with the home access point; transmitting at least one probe request message to at least one public access point, wherein the probe request message includes at least the first digital certificate; receiving from the at least one public access point a probe response message including information for remotely accessing the wireless local area network via a virtual private network connection established between the public access point and the home access point.

Abstract: Systems and methods for creating a consistent blockchain including block commitment determinations are disclosed herein. An example method includes receiving a request for blockchain data from an application or a user, receiving proposed canonical heads from a plurality of blockchain nodes, receiving votes to determine a correct state for a consistent blockchain that includes a canonical head, the blockchain data being included in the consistent view of a blockchain, determining the canonical head based on the votes, determining a commitment level for at least one block in the consistent view of the blockchain, providing the consistent view of the blockchain to the application or the user, and exposing the commitment level for the at least one block.

Abstract: At least one non-transitory computer readable medium, that at least one non-transitory computer readable medium stores instructions for (a) generating master keys by a keys security entity (KSE) that is established within a KSE; (b) generating one-time connection session keys, by the KSE, based on the master keys; (c) outputting, by the KSE, the one-time connection session keys to a Connection Security Entity (CSE) enclave in which a CSE is established, over a secure communication link; and (d) preventing access, by the KSE, to the master keys.

Abstract: Techniques are disclosed for providing backup protection. A first subnet is established for replication in a first cluster that includes a plurality of host devices. Each of the host devices includes a respective controller virtual machine, which together form a virtual local area network for replication. Each of the controller virtual machines is assigned an Ethernet interface. A replication Internet Protocol address is assigned to each of the Ethernet interfaces of the controller virtual machines. Route tables and firewall rules of the controller virtual machines are modified to allow communications between nodes of the first subnet. The first subnet is configured with information related to a second subnet for replication in a second cluster. A dedicated communication channel is generated for replication between the first cluster and the second cluster based on the configuring.

Abstract: A method of tenant user management in cloud database operation can be implemented. The method can receive an original job request from a user for a database service, wherein the original job request can include a login credential of the user. The method can authenticate the login credential of the user by a scheduler, verify the user has privileges for the original job request by the scheduler, create a modified job request from the original job request by the scheduler based on a predefined role corresponding to the privileges of the user, send the modified job request from the scheduler to a database service platform, and allocate an instance of database service to the user in response to the modified job request.

Abstract: The present disclosure provides systems, methods, and computer readable storage devices for validating that a software release has successfully completed multiple development stages of a development process without alteration. To illustrate, as software (e.g., one or more files or artifacts) completes at least a portion of a development process including the development stages, data components are generated. Digital signatures are generated based on the data components and a private key, and the digital signatures are stored in a secure data structure, such as a blockchain or a tree structure. Upon receipt of the data components (e.g., as validation data of a software release) by a node device, the node device generates validation signatures based on the data components and a public key and compares the validation signatures to the digital signatures stored in the secure data structure to validate the software before processing the software.

Abstract: This disclosure relates to systems and methods for management of information, including environmental information, obtained by a variety of sensors associated with one or more distributed mobile sensor platforms. In certain embodiments, the geographically transitory nature of a mobile sensor platform may be leveraged to facilitate collection of environmental information over a larger geographic area than that of a fixed sensor platform. Embodiments disclosed herein provide for information consistency and/or quality checking of information obtained by mobile sensor platforms. Further embodiments may be used to incentivize the collection and/or acquisition of certain data via point and/or credit-based compensation.

Abstract: Systems and methods for protected verification of user information are provided. Multiple computing systems may transmit or receive communications from one or more other computing systems as part of the protected user information verification. For example, a user may utilize a verification service to independently verify the user's information to third-party systems without the verification service actually storing, receiving, accessing, or otherwise coming into contact with the user-specific information that it is verifying. In this way, the system can protect a user's personal information while streamlining the user's verification with one or more third parties.

Abstract: A method of a local bundle assistant (LBA) negotiating a certificate with a secondary platform bundle manager (SPBM) in a wireless communication system including: transmitting a request message requesting information of certificates supported by a secondary secure platform (SSP) to a secondary platform bundle loader (SPBL) of the SSP; receiving the information of certificates supported by the SSP including information of certificate issuers corresponding to a family identifier from the SPBL; transmitting the information of certificates supported by the SSP to the SPBM; and receiving a certificate of the SPBM for key agreement, information of public key identifiers of certificate issuers to be used by the SSP, and information of the family identifier from the SPBM.

Abstract: Systems and methods for obfuscating data. The technology herein can be used to produce an obfuscated output that exhibits no easily discernible pattern, making difficult to identify or to filter using regular expressions, signature matching or other pattern matching. The output nevertheless can be reversed and the original data recovered by an intended recipient with a relatively low-cost of processing, making it suitable for low-powered devices. The obfuscation is stateless and does not require encryption.

Abstract: This application relates to a graph data processing method performed by a distributed computer node cluster including a plurality of computer devices, each computer device distributed on a respective computing node of the distributed computer node cluster, the method including: obtaining subgraph data divided from to-be-processed graph data; performing a computation task on the subgraph data to obtain corresponding global data and local data; writing the global data to a blockchain network, the global data of the blockchain network being updated by the distributed computing node cluster; obtaining latest global data from the blockchain network; and iteratively performing, according to the obtained latest global data and the local data, the computation task on the subgraph data without obtaining a computation result until an iteration stopping condition is met.

Abstract: A method to generate a trusted certificate on an endpoint appliance located in an untrusted network, wherein client devices are configured to trust a first Certificate Authority (CA) that is administered by the untrusted network. In this approach, an overlay network is configured between the endpoint appliance and an origin server associated with the endpoint appliance. The overlay comprises an edge machine located proximate the endpoint appliance, and an associated key management service. A second CA is configured in association with the key management service to receive a second certificate signed by the first CA. A third CA is configured in association with the edge machine to receive a third certificate signed by the second CA. In response to a request from the appliance, a server certificate signed by the third CA is dynamically generated and provided to the appliance.

Abstract: Systems and methods for improving reliability in blockchain networks using sharding are disclosed herein. An example method includes assigning a unique identifier to a user, applying a deterministic function, such as a consistent hashing algorithm, to the unique identifier to select a unique set of nodes that are assigned to a shard for the user, wherein the nodes are a subset of available nodes, receiving a request for blockchain data from the user, generating a response to the request using a consistent view of a blockchain obtained from the unique set of nodes, and transmitting the response to the request to the user.

Abstract: A communication system includes a transmitting device configured to transmit information, and a receiving device configured to receive the information, the receiving device includes a determination unit configured to determine whether or not an electronic certificate of the transmitting device used for a communication with the transmitting device is an EV certificate, and a process that is performed is varied according to a determination result of the determination unit.

Abstract: A method of authenticating a network device may include receiving an authentication message from a third party server, the authentication message identifying a network device. The method may also include receiving a zero touch provisioning request comprising a certificate from the network device. The method may additionally include, determining the network device is associated with a third party that manages the third party server based on the certificate. The method may include transmitting a redirect message comprising a root certificate chain indicating that the network device is to send the zero touch provisioning request to the third party server.

Abstract: One or more computing devices, systems, and/or methods for data fragmentation and reconstruction are provided. Random number generation information, indicating a number of fragments into which data stored by a client device is to be fragmented, is received. The data is fragmented according to the number of fragments as a set of fragments. Authentication data is incorporated with the set of fragments. A set of entities capable of storing the set of fragments with the authentication data is identified. The set of fragments with the authentication data are stored across the set of entities.

Abstract: A system and a method are disclosed for enabling pictorial content to be added to a secure document. In an embodiment, a secure document tool receives a request, from an administrator of the secure document, to enable modification of a region of the secure document with an addition of pictorial content, the secure document configured to prevent modification of contents of the secure document by a signer, the secure document enabled to accept a signature on the secure document by the signer. The secure document tool receives, from the signer, a command to add pictorial content to the region, and responsively adds the pictorial content to the region. The secure document tool receives from the signer, a signature on the secure document, and responsively disables the secure document from accepting further modifications.

Abstract: Systems and methods for managing a compromised autonomous vehicle server are described herein. A processor may obtain an indication of a first server configured to control an autonomous vehicle being compromised. The autonomous vehicle may have previously been provisioned with a first public key. The first public key may be paired with a first private key. A processor may compile command information. The command information may include a command for the autonomous vehicle and a digital certificate of a second server configured to control the autonomous vehicle in the event of the first server being compromised. The digital certificate may include a second public key and may be signed with the first private key. The command may be signed with a second private key associated with the second server. The second private key may be paired with the second public key.

Abstract: A method of registering a person as an authorized user of a portable device includes acquiring biometric data or a combination of pieces of biometric data of a person, encrypting the acquired biometric data or the combination of pieces of biometric data of the person, generating a code from the encrypted biometric data or the combination of pieces of biometric data of the person, inserting the code in an extension field of a public key certificate stored in the portable device, generating a private key and a public key that corresponds to the private key, based on the public key certificate, wherein the private key contains the code, transmitting the public key to a remote entity that is in communication with the portable device, thereby enabling the remote entity to register the person as an authorized user of the portable device, and modifying the public key to generate a modified public key configured to be used in case that the remote entity is disconnected from a service providing server.

Abstract: A method of registering a person as an authorized user of a portable device includes acquiring biometric data or a combination of pieces of biometric data of a person, encrypting the acquired biometric data or the combination of pieces of biometric data, generating a code from the encrypted biometric data or the combination of pieces of biometric data, inserting the code in an extension field of a public key certificate stored in the portable device, generating a private key and a public key that corresponds to the private key, based on the public key certificate, wherein the private key contains the code, and transmitting the public key to a remote entity, thereby enabling the remote entity to register the person as an authorized user of the portable device. The extension field of the public key certificate further contains a code associated with identification information of the person.

Abstract: A method of authenticating a user includes: logging into a first system that includes a token-based authentication system (TBAS); creating, at the TBAS, a cookie based on a token from the TBAS; requesting access, by the user, to a second system that includes at least one windows-hosted web application (WHWA); and decoding and validating the token, thereby granting the user access to the second system based only on the user logging into the first system.

Abstract: A certificate management system includes an electronic device and a server. The electronic device is configured to transmit a certificate application request. The server is configured to sign a device certificate corresponding to the electronic device through an intermediate certificate device after receiving the certificate application request, and transmit the device certificate and the Internet address of the server to the electronic device. The electronic device stores the device certificate and the Internet address of the server to complete the certificate issuance operation.

Abstract: Methods, apparatus, systems and articles of manufacture are disclosed to reduce false crediting of exposure to video-on-demand media assets. Example apparatus disclosed herein include a signature matcher to compare a sequence of monitored media signatures to sequences of reference signatures representative of corresponding reference media assets, the sequence of monitored media signatures included in monitoring data reported by a media device meter, the sequences of reference signature stored in a library of reference signatures. Disclosed example apparatus also include a matched assets counter to determine a count of ones of the reference media assets represented by corresponding ones of the sequences of reference signatures determined to match the sequence of monitored media signatures. Disclosed examples further include a credit determiner to determine whether to credit media exposure to a first one of the reference media assets based on the count.