Abstract: A data transmission method to transmit data contained in k independent data streams to k receivers with a data transmission device, wherein specific data stream identifiers are attached to the independent data streams and then multiplexed into I multiplexed data streams. The multiplexed data streams are then transmitted via I UARTs to k microcontrollers which demultiplex the multiplexed data streams and select one of the contained independent data streams via an allocation protocol. The allocation protocol is identical on all microcontrollers and utilizes the specific data stream identifiers to allocate the k independent data streams to exactly one of the k receivers. The microcontrollers then send their selected independent data stream to an allocated receiver.

Abstract: The present disclosure relates to a privacy preserving data storing method, in particular for analyzing a travel behavior of one or more users of mobility-as-a-service (MaaS) transportation services. The method comprises storing at least one user identification, user ID, identifying the one or more users on a trip together with a trip identification, trip ID, identifying the trip in a database entry of a first database and storing trip information on the trip with the trip ID in a database entry of a separate second database. The method further provides for associating the database entries of the first and second databases associated with the same trip ID for an analysis of the travel behavior of the users based on the associated database entries of the first and the second database.

Abstract: A technology is disclosed for the browser side capturing of user interaction session data and replay of the session data for a high-fidelity reconstruction of the experience the user perceived. In addition to capturing central structuring and markup documents and browser side updates thereof, additional resource documents that are loaded and used by the browser to render the central documents are captured and added to the session recording data. Identification information is created for resource documents, based on the content of those documents, which allows the capturing system to distinguish different versions of those content documents that share the same name but have different content. The captured session data contains data to identify the correct versions of resource documents during replay. Various measures to reduce the amount of transferred resource content data are applied, that consider already captured resource document versions or the usage frequency of a monitored application.

Abstract: Systems and methods for provisioning secure programmable logic devices (PLDs) are disclosed. An example secure PLD provisioning system includes an external system comprising a processor and a memory and configured to be coupled to a secure PLD through a configuration input/output (I/O) of the secure PLD. The external system is configured to generate a locked PLD comprising the secure PLD based, at least in part, on a request from a secure PLD customer, wherein the request from the secure PLD customer comprises a customer public key; and to provide a secured unlock package for the locked secure PLD. The external system may also be configured to provide an authenticatable key manifest comprising a customer programming key token and a corresponding programming public key associated with the locked secure PLD, wherein the authenticatable key manifest is signed using a programming private key generated by the locked secure PLD.

Abstract: A computer-implemented method and a computer system are provided for selecting active or passive decryption mode when observing network traffic between a downstream client and an upstream server. The method includes selecting a decryption mode in an initial stage of setting up a secure session based on a determination of a most probable decryption mode based on decryption modes used for similar and/or past secure sessions, wherein the initial stage is when the client initiates a transport layer connection before the transport layer connection or the secure session is established. The method further includes validating the selected decryption mode at least once during the secure session based on whether the selected decryption mode is actually and/or is probably supported based on security algorithms supported by the client and/or server, and switching the decryption mode based on a result of validating the selected decryption mode.

Abstract: A method for data exchange on a communication network, operating according to a protocol, and including a transmission bus, a first node and a second node. The first node carries out the steps of: constructing a first and a second data frame which transport first and second information data; calculating a first message authentication code as a function of the first and the second information data; constructing a third data frame which transports the first message authentication code; transmitting all of the data frames thus constructed. The second node carries out the steps of: receiving the first, the second and the third data frames; extracting the first and the second information data and the first message authentication code; calculating a second message authentication code as a function of the first and the second information data extracted; comparing the message authentication code extracted with the message authentication code calculated in order to verify the identity thereof.

Abstract: Described herein are complete lifecycle management processes for IoT/M2M devices. In an example, devices are commissioned and de-commissioned in a given system without requiring a user/human administrator. A delegated life-cycle management process is described, wherein devices rely upon a delegatee, which may have more computing and battery resources than the devices, to perform complete or partial lifecycle management operations on behalf of the devices. The delegatee may be a trusted entity that may belong to the same domain as the devices. Further, a Trust Enabling Infrastructure (TEI) is described herein, which may belong to a different trusted domain than the given device and its delegatee.

Abstract: Systems and methods are described for generating and storing immutable blockchain records with respect to authorized derivative works based on content associated with a non-fungible token (NFT). For example, a first NFT stored on a blockchain may be owned by a first blockchain address, and that owner may cryptographically sign a message indicating or representing that the individual approves of a created or to-be-created second NFT that is based at least in part on content of or associated with the first NFT. The cryptographic signature may be authenticated, and then a system may generate new data for storage in a new blockchain record. The new blockchain record may identify both the first NFT and the second NFT, and also include data proving that the owner of the first NFT approved of the second NFT.

Abstract: A system receives an operation by a trusted node on a blockchain, simulates an execution of the operation, and captures endorsement policy information related to the execution of the operation.

Abstract: The present disclosure is directed to systems and methods for dynamic firewall discovery on a service plane. The method includes the steps of identifying a source data packet for transmission from a source machine at a source site to a destination machine at a destination site, wherein the source data packet corresponds to a request for connection between the source machine and the destination machine over a WAN, inspecting the source data packet at a first firewall associated with the source site, marking the source data packet with a marker to indicate inspection by the first firewall, transmitting the marked source data packet to the destination site, determining at the destination site that the source data packet has been inspected based on the marker, and forwarding the source data packet to the destination machine at the destination site, without inspection of the source data packet by a second firewall associated with the destination site.

Abstract: The present disclosure relates to authenticating a first device to a second device, including at least two successive verification operations comprising the following successive steps. The second device generates a first data, and sends the first data to the first device. The first device generates a third data and a fourth data used by the following verification operation and sends the third data to the second device. The second device checks the third data indicating whether the check was successful or not.

Abstract: Embodiments include performing a host-initiated link reset in a storage area network (SAN). Aspects include identifying, by a host in communication with the SAN, each link in the SAN, wherein each link is defined by a pair of ports. Aspects also include obtaining, by the host, a buffer credit balance for each port in the SAN and obtaining, by the host, a buffer credit for each port in the SAN and causing a reset of a link associated with the port by transmitting a link reset record from the host to a control device of the link based on a determination that the buffer credit of a port in the SAN is below a threshold value.

Abstract: Devices and methods for accessing and for controlling access of a node, called “challenged node”, that has already been authenticated and is provisionally connected to a network of nodes, the network including at least one node, called “challenging node”. The method for controlling access, implemented by a challenging node, includes: defining a personalized test that must be executed by the challenged node; sending the test to the challenged node; receiving, from the challenged node, at least one result of the execution of the test; and authorizing or refusing the access of the challenged node to the network, at least on the basis of the result.

Abstract: Provided are a method and device employing a smart contract to realize identity-based key management. The method comprises: running a smart contract, and executing a key management process, wherein the key management process comprises: when a key of a target user requires an update and the target user is not a supervised user, generating a master public key and a master private key pertaining to the target user; acquiring, from a blockchain, identity information of the target user; generating a first target private key according to the master public key and the master private key pertaining to the target user and the identity information of the target user; and replacing a current private key of the target user with the first target private key.

Abstract: A method in a VPN environment, including determining, by a VPN infrastructure device, first and second VPN protocols that are available for providing VPN services to a user device, the first VPN protocol being different from the second VPN protocol; transmitting, by the VPN infrastructure device to the user device, a list indicating first VPN servers that utilize the first VPN protocol and second VPN servers that utilize the second VPN protocol; and establishing, by the user device at substantially the same time, a first parallel VPN connection with a first VPN server from among the first plurality of VPN servers, the first VPN connection configured to utilize the first VPN protocol, and a second parallel VPN connection with a second VPN server from among the second plurality of VPN servers, the second VPN connection configured to utilize the second VPN protocol is disclosed. Various other aspects are contemplated.

Abstract: Cryptographic systems, methods and communication network comprising thereof are disclosed, including numerous industry applications. Embodiments of the present invention can generate and regenerate the same symmetric key. The cryptographic systems and methods include a key generator configured to use two or more inputs to reproducibly generate the symmetric key and a cryptographic engine configured to use the symmetric key for encrypting and decrypting data.

Abstract: Provided is an image display apparatus that projects an image with high contrast by use of a phase modulation technology. An image display apparatus includes a trained neural network model that estimates a phase modulation distribution corresponding to an output target image, a phase modulation section that performs phase modulation on incident light in reference to the phase modulation distribution estimated by the trained neural network model, a luminance modulation section that performs luminance modulation on phase modulated light output from the phase modulation section, and a control section that outputs, to a predetermined position, the incident light subjected to the phase modulation and the luminance modulation.

Abstract: An automatic teller machine includes a controller and a cash dispenser unit. The controller is in electronic communication with dispense authorization parties. The controller is configured to generate a requested transaction in response to a manual entry of a requested cash value, and send a withdrawal request to a given dispense authorization party. The withdrawal request includes a unique nonce. The controller is configured to receive a withdrawal authorization from the given dispense authorization party. The withdrawal authorization includes a secure dispense token and a dispense nonce. The cash dispenser unit is configured to generate the unique nonce in response to the requested transaction, verify that the secure dispense token and the dispense nonce are valid, and dispense a currency matching the requested cash value in response to the secure dispense token and the dispense nonce being valid.

Abstract: A communication device may comprise: a controller; wherein the controller may be configured to: receive a first request from a first terminal device via a first-type communication path; in a case where the first request is received from the first terminal device, execute user authentication using a first authentication method; receive a second request from a second terminal device via a second-type communication path different from the first-type communication path; in a case where the second request is received from the second terminal device, execute the user authentication using a second authentication method different from the first authentication method; and in a case where the user authentication is successful, execute a predetermined process.

Abstract: Provided are a method and an apparatus for data processing in an equity incentive system, which are applied in an equity incentive system, such as an Employee Stock Ownership Plan (ESOP) system. A first device obtains a mapping relation that includes a correspondence between at least one data type and at least one encryption scheme, determines a first encryption scheme corresponding to a data type of first data based on the mapping relation, generates a first data packet based on the first encryption scheme, and transmits the first data packet to a second device. In this way, the first device uses different encryption schemes based on different data types, and the second device obtains the first data by decryption based on an encryption identifier That is, according to the present disclosure, different encryption schemes are used for different data types, thereby improving data security without affecting normal use.

Abstract: To enhance tampering detection performance by rendering decipherment of a secret key for electronic signature difficult. A cipher key generation apparatus according to the present technology includes a key generation section adapted to generate a secret key for electronic signature on the basis of a photoelectric random number which is a random number acquired on the basis of photoelectric conversion in an array sensor in which multiple pixels each having a visible or invisible light reception element are arranged one-dimensionally or two-dimensionally.

Abstract: A center device includes: a consent request unit that is configured to make a consent request to a plurality of devices for data distribution to a vehicle; a consent determination unit that is configured to judge a consent response from each of the plurality of devices; a distribution control unit that is configured to control the data distribution to the vehicle according to a determination result by the consent determination unit; and a necessity determination unit that is configured to determine whether the consent request to the plurality of devices is needed before the consent request are made to the plurality of devices. The consent request unit is further configured to determine whether to make the consent request to the plurality of devices according to a determination result by the necessity determination unit.

Abstract: The service layer may leverage the access network infrastructure so that applications on a device may bootstrap with a machine-to-machine server without requiring provisioning beyond what is already required by the access network.

Abstract: Provided is a computer implemented method for performing mutual authentication between an online service server and a service user, including: (a) generating, by an authentication server, a server inspection OTP; (b) generating, by an OTP generator, a verification OTP having the same condition as the server inspection OTP and using the same generation key as an OTP generation key and a calculation condition different from a calculation condition is applied or a generation key different from the OTP generation key is used and the same calculation condition as the calculation condition used for generating the server inspection OTP is applied to generate a user OTP; and (c) generating, by the authentication server, a corresponding OTP having the same condition as the user OTP and comparing whether the generated corresponding OTP and the user OTP match each other to authenticate the service user.

Abstract: Disclosed are various embodiments for managing security credentials for an authentication management client on a client device. In one non-limiting example, a computing device is configured to receive an authentication request from an authentication management client of a client and determine an affinity of the authentication management client based at least in part on the authentication request. The computing device is configured to determine that the authentication management client is supported based at least in part on the affinity. The computing device is configured to generate a session for the authentication management client based at least in part on a security credential being received from the authentication management client.

Abstract: A method, device, and non-transitory computer-readable medium are provided. Responsive to the device determining that a first user is not registered in a node registry upon startup, a public key of the first user and private key of the first user are generated, and the public key is registered in the node registry. Responsive to receiving a lookup request from a securely connected computing device, a public key lookup request for a public key of a second user is sent to the node registry by the device. The device receives the public key of the second user responsive to the sending of the public key lookup request. Responsive to receiving a message for the second user and an encryption request from the computing device, the device encrypts the message using the public key of the second user to produce an encrypted message that is transmitted to the computing device.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: A system and method are provided which include receiving, from a first application on a user device, an indication that a user has been authenticated and receiving, from a second application on the user device, an indication that the user is detected. The user device receives the indication that the user is detected from a wearable device on the user. Based on receiving the two indications within a time period, a trust token is generated or maintained for the user.

Abstract: A system for automatic recognition of security incidents includes a processor coupled to a memory storing instructions, the processor being configured to implement the instructions for an automatic incident generator (AIG) with at least one type of events related to the system, and access to a repository of information about previously recorded incidents with the events related to these previously recorded incidents, to monitor a plurality of events, identify sequences of events including suspected signatures that are capable of constituting an incident, calculate a degree of variance (DoV) of the suspected signatures and at least one signature related to a previously recorded incident, compare the DoV to at least one threshold and, if the DoV is less (or less or equal) to the threshold, identify the incident and optionally initiate the workflow related to the identified incident.

Abstract: A method for verification of a data value via a Merkle root includes: storing, in a memory of a processing server, a Merkle root; receiving at least a data value, a nonce, and a plurality of hash path values; generating a combined value by combining the data value and the nonce; generating a first hash value via application of a hashing algorithm to the combined value; generating a subsequent hash value via application of the hashing algorithm to a combination of the first hash value and a first of the plurality of hash path values; repeating generation of the subsequent hash value using a combination of the next hash path value of the plurality of hash path values and the most recent subsequent hash value; and verifying the data value based on a comparison of the Merkle root and the last generated subsequent hash value.

Abstract: A system receives an authentication request from a requestor system for a token to access one or more computing resources associated with a computing resource service provider. The system analyzes information included with the authentication request and, based on the information included with the authentication request, selects an authentication provider from a plurality of authentication providers without additional input from the requestor system. The requestor system is redirected to the selected authentication provider such that the token is provided in response to the authentication request. The requestor system then presents the token to obtain an identity assertion that can be used to access the one or more computing resources.

Abstract: The technology disclosed herein enables consumer devices to verify the integrity of services running in trusted execution environments. An example method may include: acquiring, by a broker device, integrity data of a first trusted execution environment of a first computing device and integrity data of a second trusted execution environment of a second computing device, wherein the first trusted execution environment executes a first service and the second trusted execution environment executes a second service; storing the integrity data of the first trusted execution environment and the integrity data of the second trusted execution environment in a data storage device as stored integrity data; correlating integrity data of the first trusted execution environment with the first service and the integrity data of the second trusted execution environment with the second service; and providing, by the broker device, the stored integrity data to a plurality of consumer devices.

Abstract: Techniques are described for performing multi-factor authentication of a user during a service session, based at least partly on a code conveyed using an audio file. A code is generated that corresponds to the user and/or their user device. A playback device that is registered to the user can be used to output a playback of an audio file that encodes the code. The playback of the audio file is conveyed through the service session by the user device and received by a backend server, which analyzes the playback of the audio file to extract the code. The user can be authenticated based at least partly on verifying the code that is extracted from the playback of the audio file, by comparing the extracted code to the code that was generated and sent to the playback device.

Abstract: The invention encompasses systems and methods for identification, verification, and authentication of an individual by obtaining a biometric feature (e.g., facial recognition) of an individual using a mobile device (e.g., a mobile device camera). The system and method includes receiving from a mobile device biometric data of an individual captured by the mobile device (e.g.

Abstract: A system and method for facilitating the provision of accessible files over a communications network includes a web server for polling an entity to determine whether a files for a particular company have been published, downloading said plurality files, identifying inaccessible XML-based files, and remediating them using a predefined accessible template, thereby generating accessible files, identifying a non-XML-based inaccessible files and remediating them using a rules engine, thereby generating accessible files, and generating and publishing a web page that is publicly available over the communications network, wherein the web page includes a separate link to each particular file of the accessible files, wherein said web page is located on a web site of the particular company.

Abstract: According to various embodiments, a data processing device is described comprising a memory configured to store data words in the form of at least two respective shares, a logic circuit configured to receive the at least two shares of at least one of the data words and to process the shares to generate at least two shares of a result data word, a remasking circuit configured to receive at least two shares of at least one of the data words and refresh the shares and an output circuit configured to store the at least two shares of the result data word or to store the refreshed at least two shares depending on a control sequence specifying a sequence of real operations and dummy operations.

Abstract: A method for transferring data from a first network to a second network using a gateway includes setting, by a security monitor, a state of the gateway to a first state indicating to a destination agent that access is granted to trusted memory and denied to the second network and untrusted memory. The destination agent is configured, while the gateway is in the first state, based on parameters stored in the trusted memory, to transfer data received from a source agent to the second network. The state of the gateway is changed to a second state indicating to the destination agent that access is denied to the trusted memory and granted to the second network and the untrusted memory. Transfer of the data from the source agent of the first network to the destination agent of the second network is controlled, while the gateway is in the second state.

Abstract: A device includes a computer readable memory storing a plurality of one-time signature (OTS) keypairs and a processor that is configured to execute a hash function on a message using a first private key of a first OTS keypair of the plurality of OTS keypairs to determine a message signature, execute the hash function to calculate a leaf node value of a hash tree using the first OTS keypair, determine a plurality of authentication path nodes in the hash tree, retrieve, from the computer readable memory, values of a first subset of the plurality of authentication path nodes, calculate values for each node in a second subset of the plurality of authentication path nodes, and store, in the computer readable memory, the values for each node in the authentication path and the value of the leaf node.

Abstract: A method for detecting identity theft or identity change in managed computing systems is disclosed. An apparatus and computer program product also perform the functions of the method. The method includes identifying that a unique identifier of a first computing device assigned a first IP address matches a unique identifier of a second computing device assigned a second IP address and, in response to identifying that the unique identifier of the first computing device matches the unique identifier of the second computing device, sending a test message to the first computing device using the first IP address. The method includes sending an alert of a possible malicious event in response to receiving a response to the test message and sending an alert of a possible misconfiguration in response to a failure to receive a response to the test message.

Abstract: A physical object having a programmable, electronically readable tag can be identified and tracked in a given third party system with the aid of an identity services platform. When the owner of the object is about to place it in the custody of a third party system, the owner can use a client device to instruct the identity services platform to generate a nonce, for programming into the object's tag. Devices in the third party system read and use the nonce to identify and track the object and to make decisions about how it is handled. When the object exits from the control of the third party system for return to the owner, the identity services platform is asked to provide a proof of ownership to the third party system, which enables accurate return of the object to its proper owner.

Abstract: The subject matter described herein provides systems and techniques for adding an identity (ID) header to IP packets associated with a VoIP call. This ID header may be used to authenticate the source provider/originator of a VoIP call, may be used to traceback to the source provider/originator of the VoIP call, and may be used to create a relationship between the source provider/originator and the destination provider/destination of the VoIP call. Such steps may be performed by a public proxy/platform. The ID header may include a certificate and/or a public encryption key, from a public certificate authority (CA) infrastructure, which assists in authenticating the source provider/originator of the VoIP call. The public proxy/platform may directly route authenticated VoIP calls through a VoIP network towards its destination, bypassing a public switched telephone network (PSTN).

Abstract: A computer implemented method for storing and retrieving data elements in a computer memory comprises configuring, by a processor, the computer memory according to a data structure, the data structure including: a data element array including a plurality of sorted data elements, each data element associated with a position in the data element array; and a cluster element array including one or more cluster elements, each cluster element defined by one of one data element from the data element array or a plurality of continuous data elements from the data element array, wherein each cluster element is associated with a cluster code for determining the position of one or more data elements in the data element array, the cluster code correlating each data element defining the cluster element with the position of the data element in the data element array.

Abstract: Systems and methods for using ring usage certificate extensions are described. Some implementations described limit the ability of signers using a ‘ring signature’ from using public key certificates to create the ring signatures without the permission of the creators of those respective public key certificates. An implementation may describe receiving a request to validate, receiving a plurality of digital certificates associated with the request to validate, determining the request to validate requires validation of a ring signature using the plurality of digital certificates, determining one or more of the plurality of digital certificates comprises a ring usage certificate extension, analyzing the ring usage certificate extension to retrieve a value associated with the ring usage certificate extension, and failing validation of the request based on determining the request to validate requires validation of the ring signature and based on the value associated with the ring usage certificate extension.

Abstract: A communication device may obtain second security information in a case where a first instruction for establishing a second wireless connection with a second parent station is accepted under a state where a first wireless connection with a first parent station is established, and determine whether a second security level indicated by the second security information is lower than a first security level indicated by first security information in a memory. The communication device may execute at least one process of a notification process or an acceptance process in a case where it is determined that the second security level is lower than the first security level and establish the second wireless connection with the second parent station without executing the at least one process in a case where it is determined that the second security level is not lower than the first security level.

Abstract: An image forming apparatus which is capable of effectively preventing leakage of confidential information from an application program while reducing effects on the performance of the image forming apparatus. The application program includes a plurality of control codes and a plurality of data. Each of the control codes is loaded so as to be executed. The control codes include encrypted control codes and unencrypted control codes. In a loading process, it is determined whether or not key information for use in decryption in a case where the control code to be loaded is encrypted has integrity, and it is determined whether or not the control codes including the control code to be loaded have integrity. When it is not determined that the control codes have integrity, the encrypted code to be loaded is not loaded or decrypted even if it is determined that the key information has integrity.

Abstract: Aspects of the subject disclosure may include, for example, a system that manages reuse of mobile subscriber identity information. Further aspects may include mobile subscriber identity information used in a device having multiple device profiles indexed, directly or indirectly, by multiple ki (e.g. shared secret keys). Other embodiments are disclosed.

Abstract: Information processing system includes equipment and server that communicates with equipment. Equipment includes first board that is replaceable and configured to store equipment information unique to equipment, second board that is replaceable and configured to store a digital certificate, and second controller that transmits, to server, equipment information and certificate information that is unique to the digital certificate. Server includes server controller that receives equipment information and certificate information that are transmitted from equipment, and server storage that stores equipment information and certificate information that are received by server controller, in association with each other.

Abstract: A method of generating a shared augmented reality payment authentication entry interface includes detecting a first consumer device and a second consumer device; prompting a display of a first augmented reality payment authentication interface at the first consumer device; and prompting a display of a second augmented reality payment authentication interface at the second consumer device.

Abstract: This application discloses a method and an apparatus for accessing a gateway, and pertains to the field of communications technologies. A service level agreement (SLA) level may be obtained based on user information of a terminal, and further a user plane (UP) device corresponding to the terminal is determined based on the SLA level of the terminal. Thus, terminals with different SLA levels may be allocated to different UP devices for bearing, so that a specific terminal may access a specified UP device. This resolves a problem in a related technology that a terminal relatively randomly accesses a UP device. In addition, because an SLA level may be used to indicate a level of quality of service of a terminal, after terminals with different SLA levels access different UP devices, differentiated services may be provided on the different UP devices. Therefore, user requirements are met, and revenues are increased.

Abstract: Techniques for orchestration of directory management updates across regions of a provider network are described. A method for orchestration of directory management updates across regions may include receiving a request at a service in a home region of a provider network to perform a cross-region service update, executing a cross-region workflow corresponding to the cross-region directory service update, and updating one or more resources of the service in each of a plurality of regions of the provider network based on the cross-region workflow.