Revocation Or Expiration Patents (Class 713/158)
  • Patent number: 11329964
    Abstract: A method of managing messages in a messaging system, the method including: identifying a policy associated with the messaging system, the policy including directives associated with the privacy and integrity of messages; applying the policy to a message, the policy including configuration data that determines when the message should be expired; sending the message to the messaging system; using the configuration data to calculate the expiry of the message and passing the calculated expiry of the message to the messaging system; determining whether the expiry has been reached; responsive to the expiry being reached, sending a report message to the message producer; and responsive to the expiry not being reached, attempting to deliver the message to the message consumer.
    Type: Grant
    Filed: April 6, 2020
    Date of Patent: May 10, 2022
    Assignee: International Business Machines Corporation
    Inventor: Jonathan L. Rumsey
  • Patent number: 11271753
    Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.
    Type: Grant
    Filed: June 23, 2021
    Date of Patent: March 8, 2022
    Assignee: Anchor Labs, Inc.
    Inventors: Diogo Monica, Nathan P. McCauley, Riyaz D. Faizullabhoy, Boaz Avital
  • Patent number: 11256540
    Abstract: For each server under consideration for container migration, whether the server has a value for a first parameter that precludes the server from being migrated to a container is determined. Each server having a value that precludes the server from being migrated to a container is removed from further consideration. For each server remaining under consideration, a value of the server for each second parameter of a number of second parameters is determined, and the values of the server for the second parameters are weighted to yield a weight for the server. The servers remaining under consideration for migration are ranked based at least on the weights for the servers, yielding an order in which the servers are to be migrated.
    Type: Grant
    Filed: October 2, 2019
    Date of Patent: February 22, 2022
    Assignee: MICRO FOCUS LLC
    Inventors: Rajashekar Dasari, Harish Kum Somisetty, Stefan Bergstein
  • Patent number: 11237534
    Abstract: A method of providing a plurality of controller certificates for a plurality of controllers within a Building Management System (BMS) includes downloading project information defining the BMS and using the downloaded project information to solicit a Certificate Signing Request (CSR) from each of the plurality of controllers of the BMS. The received CSRs are uploaded to a remote server so that the remote server can generate a corresponding controller certificate for each of the plurality of controllers of the BMS. The generated controller certificates are then downloaded to the corresponding one of the plurality of controllers of the BMS.
    Type: Grant
    Filed: February 11, 2020
    Date of Patent: February 1, 2022
    Assignee: Honeywell International Inc.
    Inventors: Nagasree Poluri, Manish Gupta, Nagesh Narayanappa, Ankith Makam
  • Patent number: 11212274
    Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.
    Type: Grant
    Filed: August 29, 2019
    Date of Patent: December 28, 2021
    Assignee: DigiCert, Inc.
    Inventors: Richard F. Andrews, Quentin Liu
  • Patent number: 11182491
    Abstract: A method of limiting data usage for certified purposes by using functional encryption, comprising: receiving from a software publisher an application code and declared privacy information, the declared privacy information specifies at least one declared usage for at least one data type; analyzing the application's usage of data collected by the application, to identify an actual usage of the at least one data type by a function; identifying when the actual usage is compliant with the at least one declared usage according to the analysis; in response to the identification, creating a pair of a public key and a master private key; creating a function private key for the function using the master private key; and sending the function private key to the software publisher to be used for operating the function on data which is encrypted using the public key.
    Type: Grant
    Filed: February 4, 2020
    Date of Patent: November 23, 2021
    Assignee: International Business Machines Corporation
    Inventors: Abigail Goldsteen, Ron Shmelkin, Gilad Ezov, Muhammad Barham
  • Patent number: 11184180
    Abstract: To revoke a digital certificate (160p), activation of the digital certificate is blocked by withholding an activation code from the certificate user (110). The certificates are generated by a plurality of entities (210, 220, 838) in a robust process that preserves user privacy (e.g. anonymity) even in case of collusion of some of the entities. The process is suitable for connected vehicles, e.g. as an improvement for Security Credential Management System (SCMS).
    Type: Grant
    Filed: February 5, 2019
    Date of Patent: November 23, 2021
    Assignees: LG ELECTRONICS, INC., UNIVERSITY OF SAO PAULO
    Inventors: Marcos A. Simplicio, Jr., Eduardo Lopes Cominetti, Harsh Kupwade Patil, Jefferson E. Ricardini, Marcos Vinicius M. Silva
  • Patent number: 11184178
    Abstract: A method at a computing device within an Intelligent Transportation System (ITS), the method including: receiving a first message, the first message including at least tailoring information for a first ITS endpoint and intended journey details for the first ITS endpoint; storing all or a subset of data from the first message; obtaining a full certificate revocation list; creating a tailored certificate revocation list based on data in the first message and the full certificate revocation list, the tailored certificate revocation list containing certificates or identifiers of certificates for ITS endpoints that may be encountered by the first ITS endpoint when navigating a route provided in the intended journey details; and providing the tailored certificate revocation list to the first ITS endpoint.
    Type: Grant
    Filed: September 28, 2018
    Date of Patent: November 23, 2021
    Assignee: BlackBerry Limited
    Inventors: Nicholas James Russell, Jonathon Brookfield, Stephen John Barrett
  • Patent number: 11178146
    Abstract: Systems and methods are disclosed for online authentication of online attributes. One method includes receiving an authentication request from a relying party, the authentication request including identity information to be authenticated and credential information to be authenticated; determining whether a user account is associated with the received identity information by accessing an internal database; accessing user data of the user account determined to be associated with received identity information; determining authentication data to be obtained from a user associated with the user account based on the user data of the user account and the credential information to be authenticated; transmitting a request for authentication data; receiving authentication data associated with the user; transmitting authentication data associated with the user; and receiving an authentication result from the verification data source server for the user associated with authentication data.
    Type: Grant
    Filed: November 21, 2018
    Date of Patent: November 16, 2021
    Assignee: ID.me, Inc.
    Inventors: Blake Hall, Tanel Suurhans
  • Patent number: 11166135
    Abstract: Implementations of the subject technology provide for receiving a registration request for registering and associating phone numbers for at least one service on a particular device, where the registration request includes information related to a phone authentication certificate (PAC) that was generated for the particular device. The PAC authenticates that each of the phone numbers is associated with the particular device. The subject system performs an authentication of user identifiers associated with the particular device based at least on the PAC. The subject system performs a registration of at least one service for the particular device using the authenticated user identifiers, in which the registration includes at least one respective handle for accessing the at least one service via each respective user identifier. The subject system transmits to the particular device, information related to the at least one respective handle for accessing the service via each respective user identifier.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: November 2, 2021
    Assignee: Apple Inc.
    Inventors: Nelson M. Leduc, Xudong Liu
  • Patent number: 11158309
    Abstract: Techniques are described for automatically distributing validated user safety alerts from a networked computing device. The networked computing device may be configured to operate as an autonomous agent to perform actions on behalf of a user without receiving direct instructions from the user. For example, the autonomous agent computing device may be configured to make certain purchases, send alerts or reminders, or perform other functions in accordance with preprogrammed rules. According to the disclosed techniques, the autonomous agent computing device is configured to automatically generate and send an alert to one or more computing devices associated with the user upon detecting a safety concern for the user. The autonomous agent also uses a signing key associated with its digital certificate, which verifies the identity of the autonomous agent, to sign the alert such that a third-party server may validate the alert prior to distribution to the destination computing devices.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: October 26, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Rita M. Homewood, Christopher M. Ruiz, Scott Christopher Hall, Michael J. Foster, Michelle E. Masters, Lawrence R. Belton, Jr.
  • Patent number: 11153101
    Abstract: An example system may include one or more application platforms (e.g., VMs) that run a registration authority and are communicatively connected to one or more compute engines that perform cryptographic computations required by the registration authority. The system may also include one or more application platforms that run an enrollment certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the enrollment certificate authority. It may further include one or more application platforms that run a pseudonym certificate authority and that are communicatively connected to one or more compute engines that perform cryptographic computations required by the pseudonym certificate authority. It may also include one or more load balancers communicatively connected to the one or more compute engines, the one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: October 19, 2021
    Assignee: INTEGRITY SECURITY SERVICES LLC
    Inventors: Alan T. Meyer, Gregory A. Powell
  • Patent number: 11153298
    Abstract: Apparatus and methods pertaining to a Certified Approval Service (CAS) are disclosed and enabled. The apparatus may include a Personal Computing Device (PCD) implementing a CAS Device to interact with an end user and a server implementing a CAS provider. The various embodiments operate without the end user and the CAS provider engaging in an authenticated login session between themselves.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: October 19, 2021
    Assignee: Chipiworks Company
    Inventors: Kobi Eshun, Karim Tahawi
  • Patent number: 11139990
    Abstract: Systems, apparatuses and methods may provide for infrastructure node technology that conducts a mutual authentication with a vehicle and verifies, if the mutual authentication is successful, location information received from the vehicle. The infrastructure node technology may also send a token to the vehicle if the location information is verified, wherein the token includes an attestation that the vehicle was present in a location associated with the location information at a specified moment in time. Additionally, vehicle technology may conduct a mutual authentication with an infrastructure node and send, if the mutual authentication is successful, location information to the infrastructure node. The vehicle technology may also receive a token from the infrastructure node.
    Type: Grant
    Filed: December 29, 2018
    Date of Patent: October 5, 2021
    Assignee: Intel Corporation
    Inventors: Moreno Ambrosin, Kathiravetpillai Sivanesan, Rafael Misoczki, Sridhar Sharma, Ignacio Alvarez
  • Patent number: 11115558
    Abstract: Systems and methods for maintaining chain of custody for assets offloaded from a portable electronic device. One exemplary system includes an electronic processor configured to receive, from the portable electronic device, an asset manifest including an asset identifier, a fixed-length unique identifier associated with the asset identifier, and a manifest digital signature. The electronic processor is further configured to transmit to the portable electronic device a storage message based on the asset manifest; receive, from the portable electronic device, an upload completion message; retrieve, from a data warehouse an asset file; and determine, for the asset file, an asset file fixed-length unique identifier.
    Type: Grant
    Filed: May 20, 2016
    Date of Patent: September 7, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: David B. Flowerday, Remigiusz Orlowski, Steven D. Tine, Lechoslaw Radwanski
  • Patent number: 11082235
    Abstract: Methods, systems, and apparatus, including medium-encoded computer program products, for secure storage and retrieval of information, such as private keys, useable to control access to a blockchain, include, in at least one aspect, a method including: identifying for an action an associated private-keys group out of different private-keys groups, each having an associated cryptographic group key; decrypting, at a first computer, a first level of encryption of a private key associated with the action using the associated cryptographic group key; decrypting, at a second computer distinct from the first computer, a second level of encryption of the private key associated with the action using a hardware-based cryptographic key used by the second computer; using, at the second computer, the private key associated with the action in a process of digitally signing data to authorize the action; and sending the digitally signed data to a third computer to effect the action.
    Type: Grant
    Filed: February 14, 2019
    Date of Patent: August 3, 2021
    Assignee: Anchor Labs, Inc.
    Inventors: Diogo Monica, Nathan P. McCauley, Riyaz D. Faizullabhoy, Boaz Avital
  • Patent number: 11068890
    Abstract: This invention relates to systems and methods for authenticating transactions using a mobile device based primarily on the introduction of a layer of middleware and wherein the Payment Networks, Merchants, Issuing Banks, Credit Reporting Bureaus, Insurance Companies, Healthcare Providers may customize the implementation of the services based on individual strategy and consumer preferences.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: July 20, 2021
    Assignee: COLLECTIVE DYNAMICS LLC
    Inventor: Steven V. Bacastow
  • Patent number: 11055943
    Abstract: Methods and systems for managing facility access credentials for two or more facilities are disclosed. The method may include electronically receiving a user request to gain access to a designated facility of the two or more facilities and electronically receiving user information related to a user that is making the user request. A facility access credential from a group of facility access credentials that are assigned by a third-party credential issuer may be obtained and linked to the user information and the designated facility. The obtained facility access credential for use in gaining access to the designated facility may be activated resulting in an activated facility access credential and a notification transmitted to the user notifying the user of the activated facility access credential.
    Type: Grant
    Filed: April 2, 2019
    Date of Patent: July 6, 2021
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Roshan Valder, Murugan Gopalan, Jayalaxmi Telang, Aditya Arun, Sathish Kumar Vedachalam, Sanjay Roy
  • Patent number: 11044101
    Abstract: Systems and methods for securely exchanging cryptographically signed records are disclosed. In one aspect, after receiving a content request, a sender device can send a record to a receiver device (e.g., an agent device) making the request. The record can be sent via a short range link in a decentralized (e.g., peer-to-peer) manner while the devices may not be in communication with a centralized processing platform. The record can comprise a sender signature created using the sender device's private key. The receiver device can verify the authenticity of the sender signature using the sender device's public key. After adding a cryptography-based receiver signature, the receiver device can redeem the record with the platform. Upon successful verification of the record, the platform can perform as instructed by a content of the record (e.g., modifying or updating a user account).
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: June 22, 2021
    Assignee: Magic Leap, Inc.
    Inventor: Adrian Kaehler
  • Patent number: 11025425
    Abstract: Provided are methods and systems for invalidating user security tokens. An example method may include providing, by one or more nodes in a cluster, a list of revoked security tokens. The method may include receiving, by the one or more nodes, an indication of invalidating a user security token associated with a user device. The indication may include a request from the user to invalidate the user security token. The method may further include, in response to the receiving, adding, by the one or more nodes, the user security token to the list of revoked security tokens. The user security token can be added to the list of revoked security tokens prior to the expiration time of the user security token. The method may further include replicating, by the one or more nodes, the list of revoked security tokens between further nodes of the cluster.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: June 1, 2021
    Assignee: Elasticsearch B.V.
    Inventor: Jayesh Modi
  • Patent number: 11005828
    Abstract: Techniques are disclosed for securing data stored on a minimally trusted third-party data store. The techniques include directing all messages for storing data and retrieving stored data through a security server. The security server can be configured to receive encrypted data for storage at a remote data store, decrypt the encrypted data, generate index information for the decrypted data, encrypt the index information, encrypt the decrypted data to produce re-encrypted data, digitally sign the re-encrypted data, and cause transmission of the re-encrypted data and the encrypted index information to the remote data store. To access stored data, the security server can be configured to receive a query for stored data, encrypt the query, cause transmission of the encrypted query to the remote data store, receive a copy of the stored data, process the copy of the stored data, and cause transmission of the stored data to the requesting computer.
    Type: Grant
    Filed: November 19, 2018
    Date of Patent: May 11, 2021
    Assignee: BAE Systems Information and Electronic Systems Integration Inc.
    Inventors: Benjamin Kapp, Jibu Abraham, Kevan O. Vanhoff
  • Patent number: 10985926
    Abstract: Embodiments provided herein identify a certificate issuer (CI) to be relied on as a trusted third party by an electronic subscriber identity module (eSIM) server in remote SIM provisioning (RSP) transactions with an embedded universal integrated circuit card (eUICC). In an RSP ecosystem, multiple CIs may exist. Parties rely on public key infrastructure (PKI) techniques for establishment of trust. Trust may be established based on a trusted third party such as a CI. Parties need to agree on the CI in order for some PKI techniques to be useful. Embodiments provided herein describe approaches for an eUICC and an eSIM server to arrive at an agreed-on CI. Candidate or negotiated CIs may be indicated on a public key identifier (PKID) list. A PKID list is distributed, in some embodiments, by means of a discovery server, via an activation code (AC) and/or during the establishment of a profile provisioning session.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: April 20, 2021
    Assignee: Apple Inc.
    Inventors: Xiangying Yang, Avinash Narasimhan, Li Li, David I. Ahn, Jean-Marc Padova, Clark P. Mueller, David T. Haggerty
  • Patent number: 10979897
    Abstract: A computerized method of evaluating authenticity of automotive devices, comprising a local authorization entity (AE) adapted to manage identity authentication for a group of automotive devices located in an associated geographical area. The local AE provides, to a first automotive device of the group, an AE identity certificate comprising an encryption key of the local AE and signed with a higher level AE's encryption key. The first automotive device uses the higher level AE's encryption key to decrypt the AE identity certificate and retrieve the local AE's encryption key. The first automotive device uses the local AE's encryption key to verify an identity certificate created by the local AE for a second automotive device of the group. The first automotive device establishes a session with the second automotive device according to an identity posture score extracted from the identity certificate of the second automotive device.
    Type: Grant
    Filed: January 21, 2019
    Date of Patent: April 13, 2021
    Assignee: Saferide Technologies Ltd.
    Inventors: Yehiel Stein, Yossi Vardi
  • Patent number: 10963843
    Abstract: A patrol tracking system is disclosed, comprising an NFC carrier, a handheld device and a cloud server equipment, wherein the NFC carrier can be placed at a patrol location such that an administrator can scan the NFC carrier by means of the control unit of the handheld device, accordingly establish an NFC device setup file, and then upload it to the cloud server equipment; afterwards, when a patroller arrives at the patrol location, it is possible to use the handheld device to scan the NFC carrier, and, upon completing the scanning operation, create a patrol record file including relevant GPS coordinates, and then upload it to the cloud server equipment such that the back-end administrator can exactly manage and control the actual patrol location of the patroller thereby achieving the purpose of precise and credible patrol inspections.
    Type: Grant
    Filed: January 17, 2019
    Date of Patent: March 30, 2021
    Inventor: Chao-Cheng Yu
  • Patent number: 10951424
    Abstract: A first communication request including a digital certificate of a first node sent from the first node in a blockchain is received at a second node in the blockchain, where the digital certificate of the first node is stored in the blockchain. Certificate validity information stored in the blockchain and associated with the nodes in the blockchain is accessed by the second node based on the first communication request, where the certificate validity information reflects the validity status information of digital certificates of the nodes in the blockchain. A verification of whether the digital certificate of the first node is valid is performed by the second node based on the first communication request and the accessed certificate validity information. A communication connection to the first node is established by the second node in response to verifying that the digital certificate of the first node is valid.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: March 16, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 10938578
    Abstract: A system and method for ensuring digital integrity of a blockchain is presented. The blockchain is initiated with one or more digital certificates presented in one of an initial set of blocks of the blockchain. One or more of the digital certificates may subsequently be used to sign a hash of a sequence of blocks in the blockchain at regular or semi-regular intervals. If a sequence of consecutive blocks is longer than a predetermined number and does not contain a signature from one or more of the digital certificates of a hash or one or more of the blocks in the sequence, the sequence may be considered not to comprise a part of the blockchain. In other embodiments side blocks may be signed and added to the blockchain.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: March 2, 2021
    Inventor: Keir Finlow-Bates
  • Patent number: 10911249
    Abstract: A first communication request including a digital certificate of a first node sent from the first node in a blockchain is received at a second node in the blockchain, where the digital certificate of the first node is stored in the blockchain. Certificate validity information stored in the blockchain and associated with the nodes in the blockchain is accessed by the second node based on the first communication request, where the certificate validity information reflects the validity status information of digital certificates of the nodes in the blockchain. A verification of whether the digital certificate of the first node is valid is performed by the second node based on the first communication request and the accessed certificate validity information. A communication connection to the first node is established by the second node in response to verifying that the digital certificate of the first node is valid.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: February 2, 2021
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 10909222
    Abstract: A technique for verifying an origin of a digital object in a digital object architecture is described. The technique includes the steps of receiving, from a handle registry, handle information for a digital object that includes an attestation that references the handle identification value for the handle and origin identification information; verifying the authenticity of the attestation; after verifying the authenticity of the attestation, using the origin information in determining authorizations applicable to the digital object.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: February 2, 2021
    Assignee: VERISIGN, INC.
    Inventors: Andrew Fregly, Najmehalsadat Miramirkhani, Swapneel Sheth
  • Patent number: 10887294
    Abstract: A set of cryptographic keys are synchronized across a set of HSMs that are configured in an HSM cluster. The set of cryptographic keys is maintained in a synchronized state by HSM cluster clients running on client computer systems with corresponding client applications. If the HSM cluster becomes unsynchronized, an HSM cluster client attempts to lock the HSM cluster and reestablish synchronization of the cryptographic keys across the HSM cluster. HSMs within the HSM cluster are able to establish an encrypted communication channel to other HSMs without revealing the contents of their communications to their respective host computer systems. Individual HSMs in the HSM cluster may include features that assist the HSM cluster client in determining whether each HSM is up-to-date, identifying particular keys that are not up-to-date, and copying keys from one HSM to another HSM within the HSM cluster.
    Type: Grant
    Filed: May 31, 2019
    Date of Patent: January 5, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Benjamin Philip Grubin, Benjamin Samuel
  • Patent number: 10880302
    Abstract: A biometric certification request authentication (BCRA) computing device is provided for authenticating a requestor undergoing a certificate signing request process. The BCRA computing device is communicatively coupled to a memory device.
    Type: Grant
    Filed: September 26, 2019
    Date of Patent: December 29, 2020
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Manoneet Kohli
  • Patent number: 10878342
    Abstract: A method for training an analytics engine hosted by an edge server device is provided. The method includes determining a classification for data in an analytics engine hosted by an edge server and computing a confidence level for the classification. The confidence level is compared to a threshold. The data is sent to a cloud server if the confidence level is less than the threshold. A reclassification is received from the cloud server and the analytics engine is trained based, at least in part, on the data and the reclassification.
    Type: Grant
    Filed: March 30, 2017
    Date of Patent: December 29, 2020
    Assignee: Intel Corporation
    Inventor: Yen Hsiang Chew
  • Patent number: 10868678
    Abstract: A first communication request including a digital certificate of a first node sent from the first node in a blockchain is received at a second node in the blockchain, where the digital certificate of the first node is stored in the blockchain. Certificate validity information stored in the blockchain and associated with the nodes in the blockchain is accessed by the second node based on the first communication request, where the certificate validity information reflects the validity status information of digital certificates of the nodes in the blockchain. A verification of whether the digital certificate of the first node is valid is performed by the second node based on the first communication request and the accessed certificate validity information. A communication connection to the first node is established by the second node in response to verifying that the digital certificate of the first node is valid.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: December 15, 2020
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 10862691
    Abstract: A first communication request including a digital certificate of a first node sent from the first node in a blockchain is received at a second node in the blockchain, where the digital certificate of the first node is stored in the blockchain. Certificate validity information stored in the blockchain and associated with the nodes in the blockchain is accessed by the second node based on the first communication request, where the certificate validity information reflects the validity status information of digital certificates of the nodes in the blockchain. A verification of whether the digital certificate of the first node is valid is performed by the second node based on the first communication request and the accessed certificate validity information. A communication connection to the first node is established by the second node in response to verifying that the digital certificate of the first node is valid.
    Type: Grant
    Filed: July 19, 2018
    Date of Patent: December 8, 2020
    Assignee: Advanced New Technologies Co., Ltd.
    Inventor: Honglin Qiu
  • Patent number: 10860714
    Abstract: Technologies for cache side channel attack detection and mitigation include an analytics server and one or more monitored computing devices. The analytics server polls each computing device for analytics counter data. The computing device generates the analytics counter data using a resource manager of a processor of the computing device. The analytics counter data may include last-level cache data or memory bandwidth data. The analytics server identifies suspicious core activity based on the analytics counter data and, if identified, deploys a detection process to the computing device. The computing device executes the detection process to identify suspicious application activity. If identified, the computing device may perform one or more corrective actions. Corrective actions include limiting resource usage by a suspicious process using the resource manager of the processor. The resource manager may limit cache occupancy or memory bandwidth used by the suspicious process.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: December 8, 2020
    Assignee: Intel Corporation
    Inventors: John J. Browne, Marcel Cornu, Timothy Verrall, Tomasz Kantecki, Niall Power, Weigang Li, Eoin Walsh, Maryam Tahhan
  • Patent number: 10848301
    Abstract: One embodiment of the present application sets forth a computer-implemented method for establishing trust for handles used to identify digital objects in a digital object architecture (DOA) by associating a first attester identifier with a first attester from a trusted public key infrastructure (PKI), identifying a first digital object public key for a first digital object, generating, by the first attester, a first digital object identity attestation that associates the first digital object public key with a handle identifier for the first digital object, wherein the handle identifier is external to the trusted PKI, and generating a first attester identity attestation attesting that the first attester is authentic, where the first attester identity attestation includes the first attester identifier.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: November 24, 2020
    Assignee: VERISIGN, INC.
    Inventors: Andrew Fregly, Najmehalsadat Miramirkhani, Swapneel Sheth
  • Patent number: 10797890
    Abstract: Systems, methods, and software can be used to provide inter-enterprise data communications between enterprise applications on an electronic device. In some aspects, a method comprises: receiving, by a bridge application executing on an electronic device, an interoperation request for a first enterprise, wherein the interoperation request includes a first token and a second token; sending, from the bridge application to an application of the first enterprise, the first token, wherein the application of the first enterprise executes on the electronic device; receiving, by the bridge application from the application of the first enterprise, a certificate in response to the first token, wherein the certificate is encrypted by the second token; decrypting, by the bridge application, the certificate by using the second token; and validating, by the bridge application, the application of the first enterprise based on the decrypted certificate.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: October 6, 2020
    Assignee: BlackBerry Limited
    Inventors: Johnathan George White, Siavash James Joorabchian Hawkins, Fraser George Stewart
  • Patent number: 10785287
    Abstract: Techniques for securely binding a software application to a communication device may include sending a set of device identifiers associated with the computing device to a server, receiving a server-generated dynamic device identifier that is generated based on the set of device identifiers; and storing the server-generated dynamic device identifier during initialization of the application. During runtime execution of the application, the application may receive a request to execute an application specific task.
    Type: Grant
    Filed: November 15, 2018
    Date of Patent: September 22, 2020
    Assignee: Visa International Service Association
    Inventors: Gyan Prakash, Selim Aissi, Rasta Mansour, Ajit Gaddam
  • Patent number: 10761782
    Abstract: A printing apparatus stores a user credential and updates a certificate by using the stored user credential information to reduce the time and effort required by a user to update the certificate.
    Type: Grant
    Filed: May 20, 2019
    Date of Patent: September 1, 2020
    Assignee: Canon Kabushiki Kaisha
    Inventor: Go Inoue
  • Patent number: 10757138
    Abstract: Certain embodiments described herein are generally directed to a first host machine exchanging a Security Parameter Index (SPI) value with a second host machine by storing the SPI in an options field of an encapsulation header of an encapsulated packet.
    Type: Grant
    Filed: July 13, 2017
    Date of Patent: August 25, 2020
    Assignee: Nicira, Inc.
    Inventors: Calvin Qian, Ganesan Chandrashekhar, Sanal Pillai, Kishore Kankipati, Sujatha Sundararaman
  • Patent number: 10747717
    Abstract: Systems and methods for a multitenant computing platform. Original data is generated through operation of a computing platform system on behalf of an account of the computing platform system, and the original data is moderated according to a data retention policy set for the account. The moderated data is stored at the computing platform system. The computing platform system moderates the generated data by securing sensitive information of the generated data from access by the computing platform system, and providing operational information from the generated data. The operational information is accessible by the computing platform system during performance of system operations.
    Type: Grant
    Filed: February 20, 2019
    Date of Patent: August 18, 2020
    Assignee: Twilio Inc.
    Inventors: Adam Ballai, Timothy S. Milliron
  • Patent number: 10708047
    Abstract: A computer-readable recording medium storing an update program is disclosed. An issuing request of a second public key certificate is sent to a server under a secure connection to the server using a first public key certificate. The second public key certificate is received from the server. A connection confirmation using the second public key certificate is conducted, when a validity date of the first public key certificate lapses.
    Type: Grant
    Filed: December 13, 2016
    Date of Patent: July 7, 2020
    Assignee: FUJITSU LIMITED
    Inventor: Hidefumi Maruyama
  • Patent number: 10708254
    Abstract: An information processing apparatus is provided. Assume that a user has signed into a first cloud service of operation source. In a case where the user signs in to a second cloud service of operation destination, and in a case where an account registered in the second cloud service is permitted to be cooperated with another account, the information processing apparatus allows the user to sign in to the second cloud service.
    Type: Grant
    Filed: October 16, 2017
    Date of Patent: July 7, 2020
    Assignee: FUJI XEROX CO., LTD.
    Inventors: Zhenrui Zhang, Eisuke Kanno
  • Patent number: 10701062
    Abstract: A method for improving information security for vehicle-to-X communication, wherein the vehicle-to-X communication is protectable by at least one certificate, wherein the certificate for protecting the vehicle-to-X communication has a validity period of defined length and is provided for storage in a memory of a vehicle, wherein the method is additionally distinguished in that the vehicle uses a communication link for wireless data interchange between the vehicle and a backend system, before expiry of the validity period of the certificate and a change to a validity period of defined length for an updated certificate, to ask the backend system to provide an up-to-date piece of time information for the vehicle. In addition, the invention relates to a corresponding communication apparatus for vehicle-to-X communication.
    Type: Grant
    Filed: January 24, 2017
    Date of Patent: June 30, 2020
    Assignee: Continental Teves AG & Co. oHG
    Inventors: Bernhard Jungk, Henrik Antoni
  • Patent number: 10694549
    Abstract: The present disclosure is directed to a wireless communication device for wireless communication in a wireless communication system which comprises a base station and a plurality of wireless communication devices arranged in clusters, wherein a unique cluster signature is assigned to each cluster and its wireless communication devices, wherein the wireless communication device is allocated to one of said clusters, and comprises receiving means adapted to receive a unique cluster signature assigned to said one cluster from the base station, storing means adapted to store said received unique cluster signature, and transmission means adapted to transmit said unique cluster signature when the wireless communication device switches into an active state, wherein the wireless communication device is adapted to access resources on the basis of resource allocation information received in response to the transmission of said unique cluster signature.
    Type: Grant
    Filed: September 17, 2018
    Date of Patent: June 23, 2020
    Assignees: HUAWEI TECHNOLOGIES CO., LTD., FRAUNHOFER-GESELLSCHAFT ZUR FÖRDERUNG DER ANGEWANDTEN FORSCHUNG E.V.
    Inventors: Chan Zhou, Yunyan Chang, Peter Jung, Slawomir Stanczak
  • Patent number: 10680834
    Abstract: A supplier network device is provided and includes a supplier processor and memory that stores a credential package including information for a chip or a vehicle control module (VCM). The supplier processor: receives ID and signature public keys from the chip, where the ID and signature public keys correspond respectively to private keys stored in the chip; transmits the ID and signature public keys to a certificate authority processor of a vehicle manufacturer data center; and receives the credential package including signing certificates from the certificate authority processor prior to assembling the VCM. The supplier processor: reads the ID public key from the VCM subsequent to incorporating the chip in the VCM; identifies the credential package based on the ID public key; and based on the identifying of the credential package, programs the VCM with the signing certificates prior to installation of the vehicle control module in a vehicle.
    Type: Grant
    Filed: January 31, 2018
    Date of Patent: June 9, 2020
    Assignee: GM GLOBAL TECHNOLOGY OPERATIONS LLC
    Inventors: David W. Racklyeft, Jessica S. Moreno, Jian Shen, Leonard J. Leshinsky, Jr., Yoni Kahana, Monica E. Mitchell, Hariharan Krishnan, Mohammad Naserian
  • Patent number: 10667100
    Abstract: Provided are a communication system for an in-vehicle communication apparatus mounted in a vehicle, and the in-vehicle communication apparatus included in said communication system. The in-vehicle communication apparatus communicates with a certificate information issuing system which creates electronic certificate information, and acquires certificate information from a sub-server apparatus. The in-vehicle communication apparatus makes a request to the sub-server apparatus to create the certificate information, and the sub-server apparatus creates the certificate information in response to the request. The in-vehicle communication apparatus then makes an inquiry to the sub-server apparatus regarding the creation status of the certificate information.
    Type: Grant
    Filed: June 26, 2017
    Date of Patent: May 26, 2020
    Assignees: AutoNetworks Technologies, Ltd., Sumitomo Wiring Systems, Ltd., Sumitomo Electric Industries, Ltd.
    Inventor: Yasuhiro Yabuuchi
  • Patent number: 10667147
    Abstract: A sensing recognition method and device based on wireless communication signals are disclosed. The method comprises the steps of obtaining channel state information from a received wireless communication signal; extracting a channel state feature value from the channel state information; and outputting a sensing result mapped with the channel state feature value according to the channel state feature value. The disclosed method and device can improve the accuracy of sensing recognition and achieve better recognition effect.
    Type: Grant
    Filed: December 20, 2017
    Date of Patent: May 26, 2020
    Assignee: Beijing University of Posts & Telecommunications
    Inventors: Xiangming Wen, Lingchao Guo, Zhaoming Lu, Tao Lei, Gang Cao, Zhihong He
  • Patent number: 10659440
    Abstract: Certain embodiments described herein are generally directed to methods and apparatus for providing a security parameter index (SPI) value for use in establishing a security association between a source tunnel endpoint and a destination tunnel endpoint. In some embodiments, utilization of the SPI bit space is optimized to allow the scaling of key policies within a network. In some embodiments, using an SPI derivation formula, a server in the network is able to generate SPI values whose bit spaces are optimized to allow key policies to scale out.
    Type: Grant
    Filed: November 30, 2017
    Date of Patent: May 19, 2020
    Assignee: Nicira, Inc.
    Inventors: Dexiang Wang, Zhen Mo, Fang Peng, Bo Hu, Helen Liu
  • Patent number: 10637668
    Abstract: An identity authentication method includes sending, by a third-party application client, an operation request to a third-party application server, in response to receiving a first operation indication for requesting to perform a target operation, the operation request requesting the third-party application server to perform the target operation, and receiving, by the third-party application client, to-be-signed information from an authentication server via the third-party application server, in response to the operation request being sent, the to-be-signed information comprising a challenge random number.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: April 28, 2020
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Wenqing Liu, Zixi Shen, Qiang Wang
  • Patent number: 10609082
    Abstract: Methods for composable user journeys for user authentication via an identity experience framework are performed by systems and apparatuses. Initiating a user authentication process for an application triggers application calls for dynamic invocation of a specific identity policy, required by the application, of a number of identity policies managed by a host of the identity experience framework. User interfaces defined by the identity policies are provided from the host to the application for interaction by the user and entry of identity information needed to authenticate the user according to specified verification providers. Identity claims and token requests are provided from the application to the host which then authenticates the identity claims via the verification providers and mints a token that includes the claims required by the application, according to the identity policy. The application consumes the token to complete the token request and allow the user access to the application.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: March 31, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Raja Charu Vikram Kakumani, Brandon Murdoch, Ronald Bjones, Muhammad O. Iqbal, Kim Cameron