Revocation Or Expiration Patents (Class 713/158)
  • Patent number: 9588974
    Abstract: Systems and methods for a multitenant computing platform. Original data is generated through operation of a computing platform system on behalf of an account of the computing platform system, and the original data is moderated according to a data retention policy set for the account. The moderated data is stored at the computing platform system. The computing platform system moderates the generated data by securing sensitive information of the generated data from access by the computing platform system, and providing operational information from the generated data. The operational information is accessible by the computing platform system during performance of system operations.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: March 7, 2017
    Assignee: Twilio, Inc.
    Inventors: Adam Ballai, Timothy S. Milliron
  • Patent number: 9576443
    Abstract: Systems and methods of providing beacon-based notifications are provided. More particularly, an identifying signal can be received from a beacon device. A geographic location of a user device can be determined based at least in part on the identifying signal. At least a portion of time-based contextual beacon data can then be obtained based at least in part on spatial-temporal data associated with a user. One or more notifications associated with the contextual beacon data can then be determined. The one or more notifications can be indicative of information corresponding to the beacon device, and can be provided for display on a user device.
    Type: Grant
    Filed: March 3, 2015
    Date of Patent: February 21, 2017
    Assignee: Google Inc.
    Inventors: Kenneth William Shirriff, Prasad Haridass, Damian Gajda, Matthew Joelson Secor
  • Patent number: 9571213
    Abstract: A tag generation method for generating tags used in data packets in a broadcast encryption system is provided. The method includes detecting at least one revoked leaf node; setting a node identification (node ID) assigned to at least one node among nodes assigned node IDs at a layer 0 and to which the at least one revoked leaf node is subordinate, to a node path identification (NPID) of the at least one revoked leaf node at the layer 0; generating a tag list in the layer 0 by combining the NPID of each of the at least one revoked leaf nodes at the layer 0 in order of increment of node IDs of the corresponding at least one revoked leaf nodes; and generating a tag list in a lowest layer by repeatedly performing the setting and generation operation down to the lowest layer.
    Type: Grant
    Filed: June 29, 2012
    Date of Patent: February 14, 2017
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Weon-il Jin, Maeng-hee Sung, Dae-youb Kim, Hwan-joon Kim
  • Patent number: 9531546
    Abstract: Methods and apparatus to certify digital signatures are disclosed. An example method includes retrieving, from a first database, a first geographical location associated with an identification number associated with a network device and identified in a request to certify a digital signature, comparing the first geographical location associated with the identification number to a second geographical location to verify the second geographical location, and in response to the verification of the second geographical location and to a comparison of (a) biometric information associated with a user associated with the request and (b) stored biometric information, instructing a certificate issuer to certify the digital signature to indicate an authenticity of the digital signature.
    Type: Grant
    Filed: March 2, 2015
    Date of Patent: December 27, 2016
    Assignee: AT&T INTELLECTUAL PROPERTY I, L.P.
    Inventors: Brian M. Novack, David L. Dunmire, Daniel L. Madsen, Michael D. Cheaney, Timothy R. Thompson
  • Patent number: 9514404
    Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for using embedded function with a deep network. One of the methods includes receiving an input comprising a plurality of features, wherein each of the features is of a different feature type; processing each of the features using a respective embedding function to generate one or more numeric values, wherein each of the embedding functions operates independently of each other embedding function, and wherein each of the embedding functions is used for features of a respective feature type; processing the numeric values using a deep network to generate a first alternative representation of the input, wherein the deep network is a machine learning model composed of a plurality of levels of non-linear operations; and processing the first alternative representation of the input using a logistic regression classifier to predict a label for the input.
    Type: Grant
    Filed: September 21, 2015
    Date of Patent: December 6, 2016
    Assignee: Google Inc.
    Inventors: Gregory S. Corrado, Kai Chen, Jeffrey A. Dean, Gary R. Holt, Julian P. Grady, Sharat Chikkerur, David W. Sculley, II
  • Patent number: 9507859
    Abstract: Methods and systems for validating online certificate status are provided. A method for validating online certificate status may include storing data associated with a first certificate beyond an expiration time of a second certificate. The second certificate was used to validate the first certificate. The method may further include validating the first certificate upon a host connection request or prior to expiration of a second certificate. A system for validating online certificate status may include a certificate data acquirer and a certificate validator. Another method for validating online certificate status may include obtaining a hostname and selecting a first certificate based upon an association between the hostname and data associated with the first certificate. The method may also include providing the first certificate data for validation. A system for validating online certificate status may include a speculator.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: November 29, 2016
    Assignee: GOOGLE INC.
    Inventor: James Roskind
  • Patent number: 9509680
    Abstract: Provided is a state with which each user is able to use information processing service of each user. A router (2) receives, from a terminal device, authentication information which authenticates a user of a cloud service, and executes a user authentication request upon an authentication server device (3). If the authentication server device (3) successfully authenticates the user, the authentication server device (3) transmits a first information and a second information which are defined for each user of the cloud service, the router (2) receives the first information and the second information. On the basis of the received first information, the router (2) transmits to a data center (DC_1) a first command which instructs a start of software, and, on the basis of the received second information, the router (2) establishes a tunnel to a communication network (Nt).
    Type: Grant
    Filed: December 18, 2014
    Date of Patent: November 29, 2016
    Assignee: FUJITSU LIMITED
    Inventor: Kazuhiro Suzuki
  • Patent number: 9485101
    Abstract: A method for provisioning digital certificates in a compute service environment may include authorizing a customer entity for using and/or controlling a network resource in the compute service environment. Upon completing the authorization, a digital certificate may be issued to the customer entity. The digital certificate may be associated with the network resource and may be issued for a limited duration period. The use and/or control of the network resource by the customer entity may be monitored. Reissuance of the digital certificate may be conditioned on whether the customer entity is still using and/or controlling the network resource in the compute service environment. If the customer entity is still using and/or controlling the network resource in the multi-tenant environment, the digital certificate may be automatically reissued for another limited duration period. The automatically reissuing may take place without receiving a certificate reissue request from the customer entity.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: November 1, 2016
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9479339
    Abstract: In one illustrative scenario, a mobile device receives configuration information which includes information for use in constructing a request message for obtaining a digital certificate from a certificate authority (CA). After receipt of the configuration information, the mobile device constructs the request message for the digital certificate and causes it to be sent to a host server of a communication network. In response, the host server requests and obtains the digital certificate from the CA on behalf of the mobile device, and thereafter “pushes” the received digital certificate to the mobile device. The mobile device receives the digital certificate and stores it for use in subsequent communications. The host server may be part of a local area network (LAN) which includes a wireless LAN (WLAN) adapted to authenticate the mobile device based on the digital certificate, so that the mobile device may obtain access to the WLAN.
    Type: Grant
    Filed: February 29, 2008
    Date of Patent: October 25, 2016
    Assignee: BLACKBERRY LIMITED
    Inventors: Christopher Lyle Bender, Sam Cheng-Fu Shih, Neil Patrick Adams
  • Patent number: 9479337
    Abstract: In a method, a secured link is established between a primary device and a secondary device, both of which are assigned to a user. The secondary device receives, on the secured link, a request for a derived certificate for the primary device and a public key generated by the primary device. The secondary device generates the derived certificate for the primary device based on an original certificate issued to the secondary device and transmits, on the secured link, the derived certificate to the primary device.
    Type: Grant
    Filed: November 14, 2014
    Date of Patent: October 25, 2016
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Anthony R Metke, Michael F Korus, Thomas S Messerges
  • Patent number: 9473309
    Abstract: A system for providing security services to a mobile device where the mobile device is in communication with a public network through a first network path that is subject to interference by a third party. The system includes a security server and a private network. The security server is operative to communicate with the mobile device through the private network. The security server is also operative to communicate with the public network through a second network path that is less susceptible to the interference by the third party than is the first network path. The security server communicates with the public network through the second network path to provide security services to the mobile device that are delivered over the private network.
    Type: Grant
    Filed: March 11, 2013
    Date of Patent: October 18, 2016
    Assignees: BlackBerry Limited, Certicom Corp.
    Inventors: Sean Alexander Courtney, Matthew John Campagna, George Ross Staikos, Alexander Truskovsky
  • Patent number: 9473311
    Abstract: A certificate management method and a certificate management device are disclosed. The certificate management device includes a key collection computing unit, a certificate revocation unit, and a certificate revocation list broadcast unit. The certificate management method includes determining to at least revoke a first certificate in certificates that are recorded in a key tree and related to an entity, and determining whether a first root node only covers the first certificate and other revoked certificate in the key tree. When the first root node only covers the first certificate and the other revoked certificate, information about the first root node is added to a certificate revocation list. The certificate revocation list is sent to another entity at least.
    Type: Grant
    Filed: January 27, 2015
    Date of Patent: October 18, 2016
    Assignee: INDUSTRIAL TECHNOLOGY RESEARCH INSTITUTE
    Inventors: Huei-Ru Tseng, Pei-Chuan Tsai
  • Patent number: 9419805
    Abstract: A server computing system initiates a first sub-system to generate a certificate revocation list (CRL) using resources that are separate from resources of a second sub-system that performs certificate authority (CA) management functions other than generating a CRL. The first sub-system receives a command from the second sub-system to update revocation data in a cache that is coupled to the first sub-system and generates a CRL using the updated revocation data in the cache. The first sub-system provides the CRL to the second sub-system.
    Type: Grant
    Filed: July 25, 2011
    Date of Patent: August 16, 2016
    Assignee: Red Hat, Inc.
    Inventor: Andrew Wnuk
  • Patent number: 9391967
    Abstract: In one embodiment a controller comprises logic to receive, via a near field communication link, an identification packet generated by a remote authentication provider, associate an electronic signature with the identification packet, transmit the identification packet to a remote authentication provider, receive an authorization from the remote authentication provider, receive login information associated with the identification packet, and initiate a login procedure using the login information. Other embodiments may be described.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: July 12, 2016
    Assignee: Intel Corporation
    Inventors: Sanjay Bakshi, Ned Smith
  • Patent number: 9374379
    Abstract: Techniques are provided for controlling access to an application. A first request to use an application may be received from a first user and an application access rule associated with the first user may be accessed. Based on the application access rule, it may be determined that permission is required for the first user to use the application. In response, a second request may be sent to a second user requesting permission for the first user to use the application and a response to the second request may be received from the second user. The response may include authorization information used in determining whether the first user has permission from the second user to use the application. In response to receiving the response from the second user, the first request to use the application initiated by the first user may be handled based on the authorization information.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: June 21, 2016
    Assignee: AOL INC.
    Inventors: Chin Foh Hew, Thu Rein Kyaw
  • Patent number: 9369458
    Abstract: Systems and methods are disclosed for providing a Web-centric authentication protocol. In one implementation, a processing device receives a user request to access a protected resource and determines that a digital certificate for accessing the protected resource is not stored locally. A processing device requests a first digital certificate from an authentication service. A processing device receives the first certificate from the authentication service. A processing device receives a certificate request from the authentication service. A processing device provides the first digital certificate to the authentication service in response to the certificate request. A processing device receives a second digital certificate from the authentication service. A processing device accesses the protected resource using the second digital certificate.
    Type: Grant
    Filed: May 20, 2013
    Date of Patent: June 14, 2016
    Assignee: Red Hat, Inc.
    Inventor: Nathaniel McCallum
  • Patent number: 9350538
    Abstract: Providing revocation status of at least one associated credential includes providing a primary credential that is at least initially independent of the associated credential, binding the at least one associated credential to the primary credential, and deeming the at least one associated credential to be revoked if the primary credential is revoked. Providing revocation status of at least one associated credential may also include deeming the at least one associated credential to be not revoked if the primary credential is not revoked. Binding may be independent of the contents of the credentials and may be independent of whether any of the credentials authenticate any other ones of the credentials. The at least one associated credential may be provided on an integrated circuit card (ICC). The ICC may be part of a mobile phone or a smart card.
    Type: Grant
    Filed: August 22, 2014
    Date of Patent: May 24, 2016
    Assignee: Assa Abloy AB
    Inventors: Eric F. Le Saint, Robert S. Dulude
  • Patent number: 9268962
    Abstract: Systems, methods and apparatuses for revoking access to one or more applications for one or more individuals or users are provided. In some examples, revocation settings may be received from different business divisions or enterprises or business groups within an entity and may be compiled to form a standardized set of revocation settings that may be applied across the entity. Accordingly, upon receiving an item that may be associated with access and may include one or more applications to which access may be revoked and/or one or more users from which access may be revoked, the system may apply the standardized revocation settings to determine whether access should be revoked. If it is determined that access should be revoked, the system may revoke access to the one or more applications for the one or more users.
    Type: Grant
    Filed: September 8, 2014
    Date of Patent: February 23, 2016
    Assignee: Bank of America Corporation
    Inventor: Stephen J. McWhirter
  • Patent number: 9251371
    Abstract: Systems and methods for a multitenant computing platform. Original data is generated through operation of a computing platform system on behalf of an account of the computing platform system, and the original data is moderated according to a data retention policy set for the account. The moderated data is stored at the computing platform system. The computing platform system moderates the generated data by securing sensitive information of the generated data from access by the computing platform system, and providing operational information from the generated data. The operational information is accessible by the computing platform system during performance of system operations.
    Type: Grant
    Filed: July 7, 2015
    Date of Patent: February 2, 2016
    Assignee: Twilio, Inc.
    Inventors: Adam Ballai, Timothy S. Milliron
  • Patent number: 9225376
    Abstract: A non-transitory computer-readable medium can include instructions for performing a method that includes docking a mobile device with a docking station using at least one physical connection and at least one wireless connection to provide communication between the mobile device and the docking station. One of the physical or wireless connections can be selected for providing a signaling channel for communication of signaling data between the mobile device and the docking station. Independently of the signaling channel, one of the physical or wireless connections can be selected for providing a media channel for communication of media data between the mobile device and the docking station.
    Type: Grant
    Filed: March 14, 2013
    Date of Patent: December 29, 2015
    Assignee: Shoretel, Inc.
    Inventor: Timothy S. Olson
  • Patent number: 9178702
    Abstract: Provided is a revocation list generation device that can suppress an increase in the amount of data of a revocation list. A revocation list generation device that generates a revocation list includes an acquisition unit that acquires, for a content, a revocation identifier identifying a revoked public key certificate allocated to an apparatus related to use of the content, a revocation list generation unit that generates a revocation list including the acquired revocation identifier associated with the content, and an output unit that outputs the revocation list.
    Type: Grant
    Filed: April 17, 2012
    Date of Patent: November 3, 2015
    Assignee: Panasonic Corporation
    Inventors: Masayuki Kozuka, Takahiro Yamaguchi, Toshihisa Nakano, Kaoru Murase, Motoji Ohmori, Makoto Morise, Masataka Minami
  • Patent number: 9160543
    Abstract: A method and apparatus for verifying data for use on an aircraft. A plurality of digital certificates associated with the data are received by a processor unit. The processor unit determines whether one of the plurality of digital certificates is compromised. The processor unit selects a selected number of the plurality of digital certificates in response to a determination that the one of the plurality of digital certificates is compromised. The processor unit verifies the data for use on the aircraft using the selected number of the plurality of digital certificates.
    Type: Grant
    Filed: May 7, 2013
    Date of Patent: October 13, 2015
    Assignee: THE BOEING COMPANY
    Inventor: Greg A. Kimberly
  • Patent number: 9148423
    Abstract: A method of generating a Personal Identification Number (PIN) between a first device and a second device in a network is provided. The method includes securely receiving information of input choices of the second device and random numbers assigned to the input choices at the first device. At the first device, the PIN is generated from the random numbers, and instructions are provided directing an entry of the input choices on the second device. At the second device, the input choices are entered. The second device is operable to generate the PIN from the input choices and the random numbers if the input choices are entered as instructed.
    Type: Grant
    Filed: December 29, 2008
    Date of Patent: September 29, 2015
    Assignee: GOOGLE TECHNOLOGY HOLDINGS LLC
    Inventors: Paul Moroney, Jiang Zhang
  • Patent number: 9148757
    Abstract: The present invention refers to a method for tracking at least one mobile device onto a remote displaying unit through a mobile switching center connected to the mobile device by a wireless communication network and through a head-end linked to the mobile switching center and connected to the remote displaying unit by a second communication network different to the wireless communication network. The mobile device is identified by a mobile device identifier. The remote displaying unit is identified by a remote displaying unit identifier and is provided with a module for processing messages coming from the head-end identified by a head-end identifier. The mobile device is provided with a locating unit able to determine its current location and with a communication unit for supporting at least an instant messaging service.
    Type: Grant
    Filed: May 23, 2013
    Date of Patent: September 29, 2015
    Assignee: NAGRAVISION S.A.
    Inventor: Subramanian Anantharaman
  • Patent number: 9135408
    Abstract: Provided is a method for managing an authorization of digital rights, the method performed by a first server and comprising: receiving from a second server a drop domain authorization trigger message for an initiation of an authorization protocol to cease creating a domain rights object (RO) for a domain for which the first server has an authorization to create the domain RO, the trigger message including information on the domain; the domain being managed by the second server and the authorization being obtained by the first server from the second server checking status of the authorization; transmitting to the second server, a drop domain authorization request message including the ID of the domain; and receiving from the second server, a drop domain authorization response message including a status element indicating a result of processing of the request message based on content included in the request message.
    Type: Grant
    Filed: February 18, 2009
    Date of Patent: September 15, 2015
    Assignee: LG ELECTRONICS INC.
    Inventors: Youn-Sung Chu, Seung-Jae Lee
  • Patent number: 9130758
    Abstract: A method and system for renewal of expired certificates is described. In one embodiment, a method, implemented by a computing system programmed to perform operations, includes receiving, at a certificate manager of a computing system from a requester, a certificate renewal request for an original digital certificate that has already expired, and renewing the expired certificate as a renewed certificate by the certificate manager when the certificate renewal request is approved. The renewed certificate comprises the same key pair as the original certificate, but includes a new expiration date, and wherein the renewed certificate is functionally identical to the original certificate.
    Type: Grant
    Filed: November 10, 2009
    Date of Patent: September 8, 2015
    Assignee: Red Hat, Inc.
    Inventors: Christina Fu, Ade Lee
  • Patent number: 9118487
    Abstract: Methods and apparatus are provided for an asymmetric encryption scheme with expiring revocable certificates having a predefined validity period. Communications between two devices are secured by obtaining an expiring revocable certificate; and securing said communicating with said expiring revocable certificate using asymmetric encryption. A prior expiring revocable certificate can be revoked when a new expiring revocable certificate is issued to at least one device. The expiring revocable certificate has a predefined validity period (based, for example, on a longest expected connection drop-out duration). A new expiring revocable certificate is requested at least once for each predefined revocation period. The expiring revocable certificate is revoked after the predefined revocation period, for example, only if a connection between the two devices is maintained.
    Type: Grant
    Filed: June 28, 2013
    Date of Patent: August 25, 2015
    Assignee: EMC Corporation
    Inventor: Peter Robinson
  • Patent number: 9106411
    Abstract: A method of restoring confidential information items of a first device to a second device by using a set of servers. The method generates a public and private key pair and ties the private key to the hash of executable code of the servers at the time of generating the public and private keys. The method receives the encrypted confidential information items in a secure object which is encrypted with a user-specific key and the public key. The method only provides the confidential information to the second device when the second device provides the same user-specific key as the key that encrypts the secure object and the hash of the executable code of the servers at the time of accessing the private key to decrypt the secure object matches the hash of the executable code running on the servers at the time of generating the private key.
    Type: Grant
    Filed: February 14, 2013
    Date of Patent: August 11, 2015
    Assignee: APPLE INC.
    Inventors: Dallas B. De Atley, Jerrold V. Hauck, Mitchell D. Adler
  • Patent number: 9094216
    Abstract: A method for adjusting the frequency of updating a certificate revocation list is provided. The method is used in a certificate authority. The method includes: receiving a first information indicating security levels from neighbor certificate authorities in a neighborhood or a central certificate authority; detecting whether the certificate authority has received a signal indicating that a user is using a revoked certificate and generating a second information of a security level; calculating an index value or a set of index values by the first information indicating the security levels of neighborhoods and the second information indicating its own security level; and adjusting the update frequency of updating the certificate revocation list according to the calculated index values or the set of index values.
    Type: Grant
    Filed: October 17, 2012
    Date of Patent: July 28, 2015
    Assignee: Industrial Technology Research Institute
    Inventors: Chih-Che Lin, Pei-Chuan Tsai
  • Patent number: 9092918
    Abstract: A system of authentication is provided including several personal authentication devices, one terminal including biometric means so arranged as to generate biometric information on the user, wireless communication means so arranged as to transmit biometric information without contact between each personal authentication device and the terminal, each personal authentication device including a memory so arranged as to store biometric data, processing means so arranged as to compare the biometric information and the biometric data, the wireless communication means being so arranged as to transmit biometric information to a plurality of personal authentication devices, each being arranged as to transmit, without contact, to the terminal, positive authentication data in the case of the authentication of the user and wherein the terminal being arranged as to open a transactional session only with the personal devices having transmitted the positive authentication data.
    Type: Grant
    Filed: October 17, 2008
    Date of Patent: July 28, 2015
    Assignee: NATURAL SECURITY
    Inventors: Benoît Courouble, Eric Mullie, Cédric Hozanne, Chekib Gharbi, Jacques Estienne
  • Publication number: 20150149770
    Abstract: A time check method and a base station are provided. The base station receives an authentication interaction message sent by an authentication interaction device; extracts time information in the authentication interaction message; and uses the time information to check local time. Before an Internet Key Exchange (IKE) connection is set up between the base station and a security gateway, relatively accurate time is obtained from an external authentication interaction device and is used for aligning the local time. Therefore, the cost of installing a clock component and a battery is saved, the time on the base station is trustworthy, and the security gateway is authenticated securely.
    Type: Application
    Filed: February 5, 2015
    Publication date: May 28, 2015
    Inventors: Weiwei Zhang, Guoliang Nie, Zhongyu Qin
  • Publication number: 20150143108
    Abstract: Systems and methods are provided for generating subsequent encryption keys by a client device as one of a plurality of client devices across a network. Each client device is provided with the same key generation information and the same key setup information from an authentication server. Each client device maintains and stores its own key generation information and key setup information. Using its own information, each client device generates subsequent encryption keys that are common or the same across devices. These subsequent encryption keys are generated and maintained the same across devices without any further instruction or information from the authentication server or any other client device. Additionally, client devices can recover the current encryption key by synchronizing information with another client device.
    Type: Application
    Filed: May 28, 2014
    Publication date: May 21, 2015
    Applicant: LANDIS+GYR INNOVATIONS, INC.
    Inventors: Michael Demeter, Stephen Chasko
  • Patent number: 9038190
    Abstract: A communication apparatus may include a reception portion, a decision portion, and a transmission portion. The reception portion may receive a first data request transmitted through a first security level communication, and a second data request transmitted through a second security level communication, the second security level being more secure than the first security level. The decision portion may decide whether a specific data request is the first data request or the second data request. The transmission portion may transmit a specific data to an apparatus that is a transmission source of the specific data request if the specific data request is the second data request, and may transmit different data to the apparatus if the specific data request is the first data request. The different data contains display information for causing the apparatus to retransmit the specific data request through the second security level communication.
    Type: Grant
    Filed: March 1, 2012
    Date of Patent: May 19, 2015
    Assignee: Brother Kogyo Kabushiki Kaisha
    Inventors: Munehisa Matsuda, Yohei Maekawa, Takeshi Miyake, Yuki Yada
  • Patent number: 9037849
    Abstract: Provided is a system and method for managing network access based on a history of a Certificate. The system includes an Authentication System structured and arranged to receive from a User a request for network access, the request including a Certificate and at least one associated Characteristic distinct from the Certificate. A Validation System is in communication with the Authentication System and structured and arranged to receive a request for validation of the Certificate, the Validation System evaluating the at least one Characteristic against a History for the Certificate to provide a positive or negative evaluation. The Validation System updates the History for the Certificate to include the request for validation of the Certificate. In response to a positive evaluation validating the Certificate, the Authentication System permits network access to the user. In response to a negative evaluation, the Authentication System blocks network access to the user and the Certificate is restricted.
    Type: Grant
    Filed: April 30, 2013
    Date of Patent: May 19, 2015
    Assignee: Cloudpath Networks, Inc.
    Inventors: Kevin Lee Koster, Roger Lynn Haney
  • Patent number: 9026794
    Abstract: An information processing system including a medium where a content to be played is stored; and a playing apparatus for playing a content stored in the medium; with the playing apparatus being configured to selectively activate a playing program according to a content type to be played, to obtain a device certificate correlated with the playing program from storage by executing the playing program, and to transmit the obtained device certificate to the medium; with the device certificate being a device certificate for content types in which content type information where the device certificate is available is recorded; and with the medium determining whether or not an encryption key with reading being requested from the playing apparatus is an encryption key for decrypting an encrypted content matching an available content type recorded in the device certificate, and permitting readout of the encryption key only in the case of matching.
    Type: Grant
    Filed: July 11, 2012
    Date of Patent: May 5, 2015
    Assignee: Sony Corporation
    Inventors: Kenjiro Ueda, Hiroshi Kuno, Takamichi Hayashi
  • Publication number: 20150121069
    Abstract: A computer uses the information included within a digital certificate to obtain a current date and time value from a trusted source extrinsic to the computer. The computer requests and receives the trusted current date and time value and compares the trusted current date and time value to a validity period included in the digital certificate, to determine if the digital certificate is expired. The information included within the digital certificate specifying an extrinsic source for the current date and time value can be included in an extension of the digital certificate, and the information can specify a plurality of extrinsic sources.
    Type: Application
    Filed: January 5, 2015
    Publication date: April 30, 2015
    Inventors: Andrew D. Akehurst-Ryan, David J. McKechan, Stuart J. Reece
  • Publication number: 20150121068
    Abstract: A system, apparatus, method, and machine readable medium are described for implementing a composite authenticator. For example, an apparatus in accordance with one embodiment comprises: an authenticator for authenticating a user of the apparatus with a relying party, the authenticator comprising a plurality of authentication components; and component authentication logic to attest to the model and/or integrity of at least one authentication component to one or more of the other authentication components prior to allowing the authentication components to form the authenticator.
    Type: Application
    Filed: October 29, 2013
    Publication date: April 30, 2015
    Inventors: Rolf Lindemann, Davit Baghdasaryan
  • Patent number: 9021256
    Abstract: A set of certificate management methods designed to significantly reduce or eliminate reliance on infrastructure network connectivity after vehicles are sold uses techniques to support certificate management operations in order to reduce the frequency with which vehicles need to communicate with the Certificate Authorities (CAs) and the amount of data that needs to be exchanged between vehicles and the CA. These methods include, for example, approaches to use one-way communications and vehicle-to-vehicle (V2V) communications to replace expired certificates, approaches to use one-way communications and V2V communications to replace revoked certificates, and use of a small subset of vehicles as proxies to help retrieve and distribute Certificate Revocation Lists (CRLs) and replacement certificates. The combination of these techniques leads to solutions that can eliminate the need for roadside infrastructure networks completely.
    Type: Grant
    Filed: July 16, 2013
    Date of Patent: April 28, 2015
    Assignee: Telcordia Technologies, Inc.
    Inventors: Tao Zhang, Hyong-Sop Shim, Stanley Pietrowicz
  • Patent number: 9009465
    Abstract: An apparatus comprising a memory, a processor coupled to the memory, wherein the memory contains instructions that when executed by the processor cause the apparatus to receive an information centric network (ICN) name prefix announcement message comprising a message prefix specific to a publisher, a public key certificate specific to the content publisher, and a signature specific to the content publisher, verify the signature with a name registration service (NRS), and update internal data indicating that the content publisher is a trusted publisher, wherein the internal data comprises the prefix, the public key, and the signature.
    Type: Grant
    Filed: August 20, 2013
    Date of Patent: April 14, 2015
    Assignee: Futurewei Technologies, Inc.
    Inventors: Xinwen Zhang, Haiyong Xie, Ravishankar Ravindran, Guo-Qiang Wang
  • Patent number: 9009808
    Abstract: Systems and methods for authenticating a media device or other information handling system so as to be able to receive content from one or more media content providers. Authenticating the device includes determining what authentication information the media content providers require for access and then generating and providing to the media device an authentication token that includes the required information. In some embodiments this may be accomplished by a service center, which removes the need for additional authentication steps to be performed by the media device or the media content providers. In addition, the service center may also determine when changes are made to the authentication information and may then ensure that the authentication token is changed or updated to reflect these changes. This ensures that the media device is at least partially immune to changes to authentication.
    Type: Grant
    Filed: January 27, 2014
    Date of Patent: April 14, 2015
    Assignee: Dell Products L.P.
    Inventors: Mark Andrew Ross, Timothy Bucher
  • Patent number: 9009464
    Abstract: A uniform certificate revocation list managing apparatus is provided for managing canceled register information of all believable groups in a believable anonymous register system. Canceled register information includes canceled member information of each believable group, list information of unbelievable groups, and list information of unbelievable register service institutions. The uniform certificate revocation list managing apparatus interacts with each believable group and each register system, so as to update a certificate revocation list of each believable group in real time.
    Type: Grant
    Filed: April 15, 2010
    Date of Patent: April 14, 2015
    Assignee: Sony Corporation
    Inventors: Zhihui Zhang, Mingshu Hu
  • Patent number: 9003182
    Abstract: A wireless communication system includes a pager or similar device that communicates to a home terminal. The home terminal confirms the identity of the pager and attaches a certificate to the message for ongoing transmission. Where the recipient is also a pager, an associated home terminal verifies the transmission and forwards it in a trusted manner without the certificate to the recipient.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: April 7, 2015
    Assignees: Certicom Corp., Motorola, Inc.
    Inventors: Walter Lee Davis, Douglas I. Ayerst, Scott Alexander Vanstone
  • Patent number: 9002856
    Abstract: The present invention provides methods and apparatus, including computer program products, implementing techniques for searching and ranking linked information sources. The techniques include receiving multiple content items from a corpus of content items; receiving digital signatures each made by one of multiple agents, each digital signature associating one of the agents with one or more of the content items; and assigning a score to a first agent of the multiple agents, wherein the score is based upon the content items associated with the first agent by the digital signatures.
    Type: Grant
    Filed: August 5, 2011
    Date of Patent: April 7, 2015
    Assignee: Google Inc.
    Inventors: David Minogue, Paul A. Tucker
  • Publication number: 20150095641
    Abstract: A method includes receiving a request for a device to replace a unique identifier associated with the device with a revocable identifier, generating a revocable identifier for the device, wherein the revocable identifier comprises at least a cryptographic representation of the unique identifier associated with the device and a counter value, checking the generated revocable identifier to determine that the generated revocable identifier has not previously been generated for the device and associating the generated revocable identifier with the device.
    Type: Application
    Filed: September 27, 2013
    Publication date: April 2, 2015
    Applicant: Google Inc.
    Inventor: William Alexander DREWRY
  • Patent number: 8996862
    Abstract: A current version certificate is stored that includes a corresponding current version identifier. A current instance certificate is received from the certificate authority, wherein the current instance certificate includes the current version identifier of the current version certificate and a current instance public key corresponding to the current instance private key. The current instance certificate is sent to a local station, during a registration with the local station. A request is generated and sent to the local station. First encrypted data is received from the local station, wherein the first encrypted data includes a content key that is encrypted via the current instance public key.
    Type: Grant
    Filed: May 2, 2013
    Date of Patent: March 31, 2015
    Assignee: Morega Systems, Inc
    Inventor: Zeev Lieber
  • Patent number: 8996863
    Abstract: The current application is directed to computationally efficient attribute-based access control that can be used to secure access to stored information in a variety of different types of computational systems. Many of the currently disclosed computationally efficient implementations of attribute-based access control employ hybrid encryption methodologies in which both an attribute-based encryption or a similar, newly-disclosed policy-encryption method as well as a hierarchical-key-derivation method are used to encrypt payload keys that are employed, in turn, to encrypt data that is stored into, and retrieved from, various different types of computational data-storage systems.
    Type: Grant
    Filed: January 20, 2014
    Date of Patent: March 31, 2015
    Inventor: Yacov Yacobi
  • Patent number: 8990575
    Abstract: An apparatus for electronic signature verification, including a grouping unit to group, into at least one group, a plurality of kernels included in an application to which electronic signature verification is to be performed, and an electronic signature verification unit to perform electronic signature verification with respect to the at least one group.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: March 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Min Kyu Jeong, Yong Sam Shin, Seung Won Lee, Shi Hwa Lee
  • Patent number: 8990890
    Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.
    Type: Grant
    Filed: April 27, 2011
    Date of Patent: March 24, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Mahfuzur Rahman, Russell Berkoff
  • Patent number: 8990556
    Abstract: Data is received that specifies at least one beacon associated with a first account and a first validity window specifying a time period during which the at least one beacon is to be associated with an additional account. Thereafter, a first key is generated which, when registered by a second account, causes the at least one beacon to be associated with the second account until expiration of the first validity window. Prior to registration of the first key and additionally outside the first validity window the at least one beacon is associated solely with the first account. After the registration of the first key, the at least one beacon is caused to be associated with the second account during the first validity window. Related apparatus, systems, techniques and articles are also described.
    Type: Grant
    Filed: August 13, 2014
    Date of Patent: March 24, 2015
    Assignee: Gimbal, Inc.
    Inventors: Charles S. Wurster, Jose R. Menendez
  • Patent number: 8983872
    Abstract: An apparatus and method is provided for digital rights management. The method for digital rights management includes receiving encrypted content and a rights object representing use rights of the encrypted content, receiving a software module managing the rights object, and generating a new rights object using the software module.
    Type: Grant
    Filed: January 8, 2007
    Date of Patent: March 17, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jae-won Lee, Seung-chul Chae, Kyung-im Jung, Young-suk Jang