Abstract: Method and apparatus for storing and managing encrypted electronic information, which enables on-demand access to a data owner's encrypted electronic information only to the data owner or to authorized data recipients, and only so long as the authorization is not rescinded by the data owner. The authorized data recipient's access to the data owner's information is limited solely to those portions of the data owner's encrypted electronic information designated by the data owner. Moreover, the authorized data recipient's limited access to the encrypted electronic information is accomplished without ever revealing or exposing the data owner's secret or private encryption key(s) to the authorized data recipient. The data owner can also immediately disable this access at any time by rescinding the access authority, if so desired, thereby terminating the authorized recipient's access to any existing information on the system, or any additional information yet to be uploaded, encrypted and stored on the system.

Abstract: A method of controlling an information processing apparatus and an information processing apparatus are provided. The information processing apparatus detects whether or not a control program stored in a storage has been falsified, updates the control program to a valid control program in accordance with a detection of the detecting unit that the control program has been falsified, and initializes setting data set in the information processing apparatus in accordance with an update of the control program.

Abstract: A system includes a first server and a second server. The second server receives a value from a first device, possibly via the first server, and stores the value. In response to a request from a second device, the second server then determines the value and sends the value to the second device. In this fashion, verification can be made that the first device is in communications with the first server.

Abstract: Methods, systems, and apparatus, including computer-readable media, for verified boot and key rotation. In some implementations, a device extracts a public key from a secure data storage area of the device. The device extracts a first certificate for an intermediate key and a second certificate for a signing key, the first certificate and the second certificate being extracted from a system image. The device verifies a signature of the first certificate using the public key. After verifying the signature of the first certificate, the device verifies the second certificate using a public key in the first certificate. In response to verifying the second certificate, the device loads the system image during a boot process of the device.

Abstract: There is provided methods and apparatuses for secure updating of firmware/software. The methods and apparatus can be enabled by making use of the Online Certificate Status Protocol (OCSP) to request the revocation status of certificates in the certificate chain. In particular, a method called ‘OCSP stapling’ can ensure the validity of the certificates or verify authenticity of the software/firmware. By virtue of features of the OCSP stapling, the user device does not need to contact CAs directly for the purpose of verifying the status of the certificates that ensure authenticity and integrity of the delivered software/firmware and thus is not required to open an extra communication channel to obtain status of certificates. This process can also reduce the burden on CAs because the CAs are neither required to keep a large volume of CRLs nor to maintain connection with user devices for which the CAs are responsible.

Abstract: In accordance with embodiments within, a securable independent electronic document apparatus is taught. With an authenticable and tamper detectable electronic container, elements and sections supporting platform, vendor and authentication independence, data sections and elements supporting, if user desired, digital signatures, data automation and nested embedding, graphical image data, and/or other types of data elements and sections supporting perceptual integrity and authenticity verification, and/or other free formatted data elements and sections supporting a plurality of types of data processing operations, and, if user desired, imaging representation comprised within a container using a securable and independent system. The securable independent electronic document apparatus presents solutions for the personal unique and interwoven creation and enhancement of user and document security and confidence in electronic data information's digital distribution, commerce, trade, publishing and/or exchange.

Abstract: A system and method are disclosed in which a node of a peer-to-peer (P2P) network supporting a blockchain is able to restart following network or power disruption (or is able to initially join the blockchain network) by bootstrapping information from one or more peer nodes in the P2P network. The bootstrapping operation involves communication between the Trusted Execution Environments (TEEs) of the two or more nodes. The system and method ensure that the retrieval of data related to the blockchain state are not from untrusted parts of the peer node(s) and the data has not been tampered with (avoidance of replay attacks).

Abstract: The present invention relates to the technical field of computer software analysis and discloses an RFC-directed differential testing method of certificate validations in a SSL/TLS implementations which includes: extracting rules from RFC and updating the rules, classifying the rules, further classifying consumer rules and shared rules into breakable rules and unbreakable rules, expressing the rules as variables, and generating a symbolic program; generating low-level test cases by applying the dynamic symbolic execution technique to the symbolic program; assembling high-level test cases i.e. digital certificates according to the low-level test cases; and employing the assembled digital certificates to the differential testing of the certificate validation in SSL/TLS implementations.

Abstract: This disclosure is related to devices, systems, and techniques for automatically generating software packages to provide Secure Computation as a Service (SCaaS). For example, a computing device includes processing circuitry configured to receive a set of information comprising an indication of a first party and an indication of a second party. Additionally, the processing circuitry is configured to generate, based on the set of information, a first software package corresponding to the first party, the first software package configured to implement a secure computation, and generate, based on the set of information, a second software package corresponding to the second party, the second software package configured to implement the secure computation. Additionally, the processing circuitry is configured to export the first software package and export the second software package, enabling the first party device and the second party device to perform the secure computation.

Abstract: A computing device is provisioned to be remotely managed by a current owner. The device has an initial cryptographic basis of trust, and an owner identifier that facilitates establishment of communication with the current owner of the device. The ownership may change one or more times while the device may remain inoperative. Later, the device receives a transfer-of-ownership indication, which it verifies against the initial basis of trust to establish a new current owner. The device may then communicate with a device management service of the new current owner based on the transfer-of-ownership indication.

Abstract: Disclosed herein are system, method, and computer program product embodiments for certificate tracking. An embodiment operates by a computer implemented method that includes receiving, by at least one processor of a certificate manager, a first request from a client device and sending a second request for a root certificate to a certificate authority. The method further includes receiving the root certificate from the certificate authority and sending a third request to the certificate authority for one or more additional certificates. The method further includes receiving the one or more additional certificates from the certificate authority and storing the root certificate and the one or more additional certificates. The certificate manager and the certificate authority can be located on different networks.

Abstract: A non-transitory computer readable storage medium including instructions that, when executed by a computing system, cause the computing system to perform operations. The operations include collecting, by a processing device, raw data regarding a user action. The operations also include converting, by the processing device, the raw data to characteristic test data (CTD), wherein the CTD represents behavior characteristics of a current user. The operations also include identifying, by the processing device, a characteristic model corresponding to the behavior characteristics represented by the CTD. The operations also include generating, by the processing device, a predictor from a comparison of the CTD against the corresponding characteristic model, wherein the predictor comprises a score indicating a probability that the user action came from an authenticated user.

Abstract: A method and system for embedded personalized communication have been disclosed. According to one embodiment, a computer-implemented method comprises providing software code to be embedded in a webpage. The webpage is loaded including the software code. A configuration file is fetched from a configuration server in response to the software code. A first instant messaging user interface is rendered on the webpage. A request is sent to a web-based instant messaging server, the request initiating an instant messaging session with a second instant messaging user interface.

Abstract: It is provided a method, including checking if an indication is received that a certificate installed in a communication entity is to be revoked at a revocation time in the future; preparing, if the indication is received, a first revocation list, wherein the first revocation list includes an identifier of the certificate and the revocation time; providing the first revocation list to the communication entity.

Abstract: An embodiment herein provides a processor implemented method for blockchain-based authentication of a user using a user device, that includes (i) obtaining an identify information associated with an identity document of the user; (ii) storing the identity information, and a set of credentials, with a blockchain to link the identity information with the set of credentials for the user; (iii) obtaining a cryptographic challenge from a relying party device when a record that includes a user identity information of the user and the set of credentials associated with the user identity information for the user device is found to be stored with the blockchain; and (iv) transmitting a response to the cryptographic challenge to the relying party device. The relying party device checks whether the response matches with a predetermined correct response or not. The relying party device authenticates the user only if the response matches with the predetermined correct response.

Abstract: A computer-implemented method for information protection comprises: committing a transaction amount of a transaction with a first commitment scheme to obtain a transaction commitment value, committing a change of the transaction with a second commitment scheme to obtain a change commitment value, the first commitment scheme comprising a transaction blinding factor, and the second commitment scheme comprising a change blinding factor; encrypting a first combination of the change blinding factor and the change with a first key; transmitting the transaction blinding factor, the transaction amount, and the transaction commitment value to a recipient node associated with a recipient for the recipient node to verify the transaction; in response to that the recipient successfully verifies the transaction, obtaining an encrypted second combination of the transaction blinding factor and the transaction amount encrypted with a second key.

Abstract: According to a first aspect of the present disclosure, an electronic device is provided, comprising: an attack detection unit arranged to detect one or more attacks on the electronic device; a countermeasure unit arranged to apply countermeasures against the attacks detected by the attack detection unit; a threat level determination unit arranged to determine a threat level corresponding to the attacks detected by the attack detection unit; wherein the countermeasure unit is further arranged to activate one or more specific ones of said countermeasures in dependence on the threat level determined by the threat level determination unit. According to a second aspect of the present disclosure, a corresponding method of protecting an electronic device is conceived. According to a third aspect of the present disclosure, a corresponding computer program product is provided.

Abstract: In some examples, with respect to zone based key version encoding, data that is to be encrypted may be ascertained, and a key, including a key version, that is to be used to encrypt the ascertained data may be ascertained. Encrypted data may be generated by encrypting the ascertained data based on the ascertained key, and a zone representing the key version may be determined. Further, encrypted zoned data may be generated by applying the determined zone to the encrypted data to encode the key version, and the encrypted zoned data including the encoded key version may be stored.

Abstract: Techniques are disclosed relating to authenticate a user with a mobile device. In one embodiment, a computing device includes a short-range radio and a secure element. The computing device reads, via the short-range radio, a portion of credential information stored in a circuit embedded in an identification document issued by an authority to a user for establishing an identity of the user. The computing device issues, to the authority, a request to store the credential information, the request specifying the portion of the credential information. In response to an approval of the request, the computing device stores the credential information in the secure element, the credential information being usable to establish the identity of the user. In some embodiments, the identification document is a passport that includes a radio-frequency identification (RFID) circuit storing the credential information, and the request specifies a passport number read from the RFID circuit.

Abstract: A data generation apparatus includes a processor that executes a process including obtaining target data sequentially from time-series data, the target data including n (n being an integer greater than or equal to 2) data items in a predetermined section of the time-series data, calculating parameter information satisfying a (k?1) order polynomial based on the target data, the (k?1) order polynomial including k random values, k being an integer greater than or equal to 1 and less than n, associating the target data to the parameter information, outputting the target data and the parameter information associated to the target data, attaching a signature to secret information based on a secret distributed protocol. The secret information is calculable by using k pairs of data including the target data and the parameter information associated to the target data, and outputting the secret information attached with the signature.

Abstract: The embodiments herein relate to discrete data containers and, more particularly, to management of data stored in discrete data containers. Embodiments herein disclose methods and systems to update data present within a data container, when a user accessing the data, present within the data container, has updated the data. Embodiments herein disclose a method and system for enabling modifications of data present in data containers, wherein de-containerized data associated with a data container can be modified by at least one user and the modifications by the user can be reflected in real-time to the data in the data container.

Abstract: A method of authenticating a consumable or detachable element of a continuous inkjet printer comprising: the controller of the printer generating a 1st item of random information that is dispatched to an authentication circuit of the element; encrypting the 1st item of information by the authentication circuit using a 1st encryption algorithm and a 1st secret key to form a 1st item of encrypted random information; dispatching the 1st item of information to the controller; encrypting the 1st item of information by the controller using a 2nd encryption algorithm and a 2nd secret key to form a 2nd item of encrypted random information; comparing the 1st item of encrypted random information with the 2nd encrypted item of random information to authenticate the consumable element; and if the consumable element is authenticated, dispatching at least one part of a 3rd key, termed the shared key, by the element to the printer.

Abstract: Various embodiments of a system and method for authenticating a call request header including identity information that is lightweight and deployable in VoIP and PSTN systems are disclosed.

Abstract: In a general aspect, a digital certificate can be used with multiple cryptography systems (“cryptosystems”). In some cases, the digital certificate includes a public key field, which contains a first public key of an entity associated with a first cryptosystem. The digital certificate includes a signature value field, which contains a first digital signature of a certificate authority associated with the first cryptosystem. The digital certificate includes an extension. The extension contains a second public key of the entity, a second digital signature of the certificate authority, or both, associated with a second cryptosystem. The extension contains a policy field that includes instructions for processing the fields associated with the second cryptosystem.

Abstract: Systems, methods, and software are disclosed herein for facilitating deployment of a decision service for sharing application data among multiple isolated applications executing on one or more application platforms. In an implementation, a method of deploying applications conforming to a platform schema for facilitating sharing of the application data among isolated applications executing on one or more application platforms is described. The method includes receiving a request to submit a third party application to an application deployment system, identifying a validation manifest associated with a platform schema responsive to receiving the request, and automatically verifying that the third party application to conforms to the platform schema by performing a set of pre-defined validation checks. The request identifies the platform schema and platform capability information associated with the third party application. The validation manifest includes the set of pre-defined validation checks.

Abstract: A method and apparatus is provided for managing the eligibility of data signing in an online code signing system. The method is used by a plurality of data publishers in an online code signing system. The method includes defining, by an administrator of the system, a hierarchy of a plurality of entities, and managing, by an administrator of the system, eligibility to designate at least one of a plurality of users to access the at least one configuration entity to sign the data via a plurality of accounts and eligibility to designate at least one of a plurality of managers via owner account to manage user access to sign data for at least one model entity.

Abstract: A communication apparatus displays connection information for an external device to perform wireless connection with the communication apparatus, determines whether a wireless connection based on the connection information is established, and hides the connection information according to establishment of the wireless connection.

Abstract: The disclosed computer-implemented method for detecting vulnerabilities on servers may include (i) sending requests to servers for information about services potentially executing on the servers, (ii) receiving, in response to requests, messages from the servers that comprise the information about the services, wherein the set of messages use different formats for transmitting the information, (iii) creating, by analyzing the set of the messages, at least one heuristic that is capable of automatically extracting, from a message, an identifier of a service that executes on a server that sent the message, (iv) extracting, from the message, via the heuristic, the identifier of the service executes on the server that sent the message, and (v) determining, based on the identifier of the service, that the service contributes to a vulnerability on the server that sent the message. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Disclosed herein are a method and a system for discrete data containerization for Information Rights Management. The system identifies based on a user request, data to be containerized. Further, the system receives at least one rule based on the data and attributes, which is to be used for containerizing the data. Further, using the rule, the system containerizes the data, wherein the data is containerized at individual data level.

Abstract: In one embodiment, a method includes receiving at an enforcement node, a request to access a network from an endpoint, transmitting at the enforcement node, the access request to a policy server, receiving at the enforcement node from the policy server, a dynamic authorization comprising a plurality of ranks, each of the ranks comprising a policy for access to the network by the endpoint, assigning the endpoint to one of the ranks and applying the policy associated with the rank to traffic received from the endpoint at the enforcement node during a communication session between the endpoint and the network, assigning the endpoint to a different rank, and applying the policy associated with the rank to traffic received from the endpoint during the communication session. An apparatus and logic are also disclosed herein.

Abstract: The present invention relates to a system and method for facilitating access to secure network sites, such as sites providing secure financial information. An active software agent is utilized to fetch passwords and user identifiers from a user computing system and to use the passwords and identifiers to extract required information from the secure site. The password sites and identifiers are encrypted and an encryption key is stored at a network mode remote from the user's computer and is fetched in order to enable the passwords and identifiers to be decrypted so that the active agent can use them to obtain the required information.

Abstract: Certificate management method for a plurality of clients, the method including: receiving a first certificate for a subject including a public key, an issuer field with an issuer and a serial number field with a serial number, wherein the first certificate for the subject is signed by a first certificate for the issuer; generating a second certificate for the subject including the public key, an issuer field with the issuer and a serial number field with the serial number, wherein the second certificate for the subject is signed by a second certificate for the issuer being different to the first certificate for the issuer; and transmitting the second certificate for the subject to one of the plurality of clients; and performing an action on the basis of the public key of the second certificate for the subject.

Abstract: Example embodiments disclosed herein relate to update a rating of threat submitters. Information is received of threat observables from threat submitters. Information about the threat observables is provided to one or more entities. Feedback about a threat observable is received from one of the entities. A rating of the threat submitter associated with the feedback is updated.

Abstract: A verifiable, redactable log, which, in some embodiments, may contain multiple hash values per entry in order to sever confidentiality of a log from verifiability. Logs may be verified using recalculation of hashes and verification of trusted digital signatures. In some embodiments, the log may be divided into segments, each signed by a time server or self-signed using a system of ephemeral keys. In some embodiments, log messages regarding specific objects or events may be nested within the log to prevent reporting omission. The logging system may receive events or messages to enter into the log.

Abstract: A system performs secure storage of certificate keys. The system receives a user password and a certificate that is locked by the user password. The certificate is configured to be used for signing binaries of an application. The system sends, to a build server, the user password and the certificate that is locked by the user password. The system then receives, from the build server, a first portion of a certificate key and the certificate that is locked by the certificate key, and stores the first portion of the certificate key and the certificate that is locked by the certificate key.

Abstract: Systems and methods are provided for authorizing a user to access an access-controlled environment. The system includes a system server platform that communicates with fixed PC's, servers and mobile devices (e.g., smartphones) operated by users. The systems and methods described herein enable a series of operations whereby a user attempting to access an access-controlled environment is prompted to biometrically authenticate using the user's preregistered mobile device. Biometric authentication can include capturing images of the user's biometric features, encoding the features as a biometric identifier, comparing the biometric identifier to a previously generated biometric identifier and determining liveness. In addition, the authentication system can further authorize the user and electronically grant access to the access-controlled environment.

Abstract: A fact checking system utilizes social networking information and analyzes and determines the factual accuracy of information and/or characterizes the information by comparing the information with source information. The social networking fact checking system automatically monitors information, processes the information, fact checks the information and/or provides a status of the information.

Abstract: Aspects of the present invention provide systems and methods that facilitate communicating a message, independent of a centralized resource, to be retrieved at a future time. In embodiments, a computing device receives a configuration-related message via a block chain maintained by a plurality of decentralized nodes. In embodiments, upon verification of the authenticity of the message, the device will execute the deferred instructions indicated in the message. In embodiments, the instructions may be add functionality or not allow functionality in the device. In embodiments, the instructions may indicate that a smart package should allow the end user to access contents of the package or to not allow access to the contents.

Abstract: Aspects of the present invention provide systems and methods that facilitate the communicating of messages to a vastly scalable number of devices, independent of a centralized resource. In embodiments, a computing device, or a number of devices, may receive from a managing entity one or more messages via a block chain that is maintained by a plurality of decentralized nodes in a peer-to-peer network. In embodiments, the device or devices execute the instructions identified in the message, and if appropriate, return results.

Abstract: One or more computer processors identify a first certificate that is used to establish a secure Internet connection. One or more computer processors identify a stored second certificate that shares at least one attribute with the first certificate. One or more computer processors determine a policy action based, at least in part, on a result of a comparison between an attribute of the first certificate and an attribute of the second certificate.

Abstract: Various methods and systems for securing communications with enhanced media platforms, are provided. In particular, an enhanced media platform is authenticated using a trusted location. The authenticated enhanced media platform establishes a bidirectional trust with an enhanced remote location, the enhanced media platform being stored in the enhanced remote location. Upon authentication and establishing the bidirectional trust, the enhanced media platform may securely communicate media content in a media content distribution service infrastructure while supporting custom functionality. The method for securing communications with enhanced media platforms includes communicating authentication credentials to an internal security component at the trusted location. The method further includes receiving validation credentials from the internal security component. The method also includes authenticating the enhanced remote location based on at least a portion of the validation credentials received.

Abstract: A method includes: establishing a telecommunication link between a device and a service provider system via a telecommunication network; receiving a device public key via the telecommunication network from the device at the service provider system, the device public key predating the establishment of the telecommunication link; verifying, at the service provider system, that the device stores a device private key in a secure storage area of the device, the device private key corresponding to the device public key, the device public key and the device private key being a cryptographic key pair; and authorizing, by the service provider system, sign-up of the device for service enrollment in response to verifying that the device stores the device private key in the secure storage area of the device.

Abstract: A system includes a first server and a second server. The second server receives a value from a first device, possibly via the first server, and stores the value. In response to a request from a second device, the second server then determines the value and sends the value to the second device. In this fashion, verification can be made that the first device is in communications with the first server.

Abstract: Information processing system includes a first certification device which executes a first temporary certification, creates a first temporary certificate, transmits it to an external device, carries out a first formal certification and creates the first formal certificate, a second certification device which executes a second temporary certification based on the first temporary certification, creates a second temporary certificate, transmits it to the external device, carries out a second formal certification and creates the second formal certificate, and a processing device which verifies a validity of the first formal certificate corresponding to the first temporary certificate and a validity of the second formal certificate corresponding to the second temporary certificate from the user, in response to a information processing request from the user and determines to execute the information processing corresponding to the information processing request based on the verification result.

Abstract: A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted extrinsic trusted source and the computer compares the obtained current date and time value to a validity period included in the digital certificate to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources.

Abstract: Techniques are disclosed for authenticating transactions conducted over computer networks, e.g., online banking transactions or other transactions performed by a financial institution at a customer's request. After receiving a transaction request (and associated transaction details), the transaction signing service signs the transaction data and sends the resulting blob to the user requesting the transaction. After being transmitted to the user, the signed transaction data itself is then signed using PKI credentials of the user, which then returns the twice-signed bundle to the financial institution. Rather than rely on the cryptographic signature of the client, the financial intuition (or other replying party) validates that the transaction data signed using its own highly trusted key has not been altered prior to being signed and returned by the client.

Abstract: A method for secure data storage in a cloud storage infrastructure comprises providing a set of first upload files to be stored in the cloud storage infrastructure, providing a set of first random noise files, splitting each file of the two sets into a group of fragments, recombining the fragments by randomly intermixing fragments from different groups thus generating a set of second upload files, encrypting each second upload file with a first encryption key and storing each first encryption key in a secure storage location, storing reconstruction information about the set of first upload files, the splitting, the recombining and the first encryption keys in the secure storage location, uploading each second upload file to a respective temporary cloud storage location, repeatedly moving each uploaded second upload file to a new temporary cloud storage location in predetermined intervals of time.

Abstract: Mechanisms for controlling access to credentials are disclosed. A computing device receives, at a first time, a request associated with a user to initiate a plurality of actions against a computing resource of a plurality of computing resources, the request including a credential identifier that identifies a credential. A memory is accessed, based on the credential identifier, to retrieve the credential identified by the credential identifier that was stored in the memory at a time prior to the first time, the credential comprising authentication information configured to authenticate the plurality of actions to the computing resource. The computing device communicates the request and the authentication information to an orchestration engine for execution of the plurality of actions against the computing resource.

Abstract: A resource owner or administrator submits a request to a permissions management service to create a permissions grant which may include a listing of actions a user may perform on a resource. Accordingly, the permissions management service may create the permissions grant and use a private cryptographic key to digitally sign the created permissions grant. The permissions management service may transmit this digitally signed permissions grant, as well as a digital certificate comprising a public cryptographic key for validating the permissions grant, to a target resource. The target resource may use the public cryptographic key to validate the digital signature of the permissions grant and determine whether a user is authorized to perform one or more actions based at least in part on a request from the user to perform these one or more actions on the resource.

Abstract: A system and method is disclosed for allowing content providers to protect against widespread copying of their content, while enabling them to give their customers more freedom in the way they use the content. In accordance with one embodiment, content providers identify their content as protected by watermarking the content. Consumers use compliant devices to access protected content. All of a user's compliant devices, or all of a family's devices, can be organized into an authorized domain. This authorized domain is used by content providers to create a logical boundary in which they can allow users increased freedom to use their content.