Abstract: Methods, systems, and computer-readable media for auto-tuning permissions using a learning mode are disclosed. A plurality of access requests to a plurality of services and resources by an application are determined during execution of the application in a learning mode in a pre-production environment. The plurality of services and resources are hosted in a multi-tenant provider network. A subset of the services and resources that were used by the application during the learning mode are determined. An access control policy is generated that permits access to the subset of the services and resources used by the application during the learning mode. The access control policy is attached to a role associated with the application to permit access to the subset of the services and resources in a production environment.

Abstract: Systems, computer program products, and methods are described herein for secure access and initiation using a remote terminal.

Abstract: Cooperative session orchestration includes devising a crypt for pre-distribution of tokens, distributing the tokens to member nodes of the network, based on a request from a delegate node of the network for brokerage of a session between the delegate node and a supplier node of the network, creating and sending, for each of a plurality of potential supplier nodes of the network, a respective individual puzzle, receiving, from each of one or more potential supplier nodes of the plurality of potential supplier nodes, a respective result obtained by the potential supplier node from solving the individual puzzle using the token distributed to the potential supplier, identifying, based on the receiving, candidate supplier node(s) of the one or more potential supplier nodes as a potential supplier for the session with the delegate node, and identifying to the delegate node the candidate supplier node(s) for the session with the delegate node.

Abstract: A system and control method of managing tasks and organizations is provided herein.

Abstract: An apparatus and method for cyber risk quantification calculated from the likelihood of a cyber-attack on the target enterprise and/or cyber ecosystem based on its security posture. The cyber-attack likelihood can be derived as a probability-based time-to-event (TTE) measure using survivor function analysis. The likelihood probability measure can also be passed to cyber risk frameworks to determine financial impacts of the cyber-attacks. Embodiments of the present invention also relate to an apparatus and method (1) to identify and validate application attack surfaces and protect web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks; and/or (2) that protects web applications against business logic-based attacks, sensitive data leakage and privilege escalation attacks. This can include implementing an intelligent learning loop using artificial intelligence that creates an ontology-based knowledge base from application request and response sequences.

Abstract: A near field communication (NFC) router of a telecommunication device has communication pipes between gates of the NFC router. The pipes include a set of communication pipes to implement NFC transactions, which are coupled between radio-frequency gates of the NFC router and physical gates of the NFC router assigned to a security circuit. An attempt to use a pipe, other than one of the set, to implement an NFC transaction is detected by, in response to receiving a message in a NFC communication format via a pipe, comparing bits associated with the pipe with stored bits associated with the set of communication pipes. In response to the comparing indicating the pipe is not one of the set of communication pipes, implementation of the NFC transaction is blocked.

Abstract: Various embodiments of the present invention relate to a method and an electronic device for authenticating a user by using a voice command. Here, the electronic device may comprise a memory, an input apparatus, and a processor, wherein the processor is configured to: receive a voice command from the input apparatus; acquire user identification information and voice print information from the voice command; search reference voice print information of each of multiple users stored in the memory, for reference voice print information corresponding to the acquired user identification information; and perform authentication on the basis of the acquired voice print information and the reference voice print information. Other embodiments are also possible.

Abstract: A user device may invoke, for a user associated with an unavailable user device, a guest mode, and may connect the user device with a network device based on invoking the guest mode. The user device may provide credentials of the user and a secure input of the user to the network device based on invoking the guest mode, and may receive an identity service and an emergency service for the user when the secure input is authenticated by the network device. The user device may associate, via the identity service, the user with the user device to enable the user to utilize the emergency service, and may provide, via the emergency service, one or more emergency notifications. The user device may receive an indication of the user exiting the guest mode, and may remove the credentials of the user from a memory based on the indication.

Abstract: A method of transmitting an encrypted data packet includes, with a processor, in response to receiving the encrypted data packet, executing an extended Berkeley packet filter (eBPF) application at an express data path (XDP) hook point located within a kernel space, determining whether the encrypted data packet is to be processed via a trusted application (TA) within a trusted execution environment (TEE) based on an analysis by the eBPF application, and identifying application intelligence data defining packet forwarding decisions based on a manner in which the encrypted data packet is processed.

Abstract: According to an example aspect of the present invention, there is provided method, comprising: generating a first key based on a first input specific to a mobile device, wherein the first input comprises measurement of mutable code of the mobile device and a unique device secret, generating a symmetric second key on the basis of the first key and a second input specific to the mobile device, and generating authentication credentials on the basis of the second key for authenticating the mobile device to a mobile communications network.

Abstract: A method for controlling access to process data includes encrypting process data of a process; receiving a request to access the process data; requesting a security code to access the encrypted process data; receiving the security code; authenticating the received security code; and granting access to the encrypted process data if the received security code is successfully authenticated and denying access to the encrypted process data if the received security code is not successfully authenticated.

Abstract: A system for enhanced internet of things digital certificate security is provided. The system includes a computer device. The computer device is programmed to store, in a database, a plurality of statuses associated with a plurality of digital certificates. The computer device is also programmed to receive, from a first computer device, a status update for the first digital certificate. The computer device is further programmed to update the first status based on the status update. Subsequently to updating the first status, the computer device is programmed to receive a request for a connection from the first device. Subsequently to updating the first status, the computer device is also programmed to deny the request for a connection based on the first status.

Abstract: Some embodiments of the invention provide a method for transmitting data messages via secure tunnels in a network. The method is performed at a gateway device. The method determines that a data message received at the gateway device should be sent via a secure interface of the gateway device. The method matches the data message to a firewall rule that maps to a particular secure tunnel used by the secure interface, with multiple different firewall rules mapping to multiple different secure tunnels used by the secure interface. The method encapsulates the data message with a header that comprises an indicator value specifying the particular secure tunnel and forwards the encapsulated data message to a destination interface.

Abstract: Aspects of the present disclosure involve a method and a system to support execution of the method to obtain a first N cryptographic key, receive a key diversification information comprising a first plurality of bits, obtain an expanded key diversification information (EKDI) comprising a second plurality of bits, wherein a number of bits in the second plurality of bits is greater than a number of bits in the first plurality of bits, and wherein a value of each bit of the second plurality of bits is deterministically obtained in view of values of the first plurality of bits, and apply, by the processing device, a key derivation function to the first cryptographic key and the EKDI to obtain a second cryptographic key.

Abstract: One example method includes providing temporary access to a computing system and to providing temporary access as a service. The features of a temporary access can be defined by an entity and a user may be able to obtain a token that includes these features, which may be embedded in the token as claims. The user's access is then controlled in accordance with the embedded claims. The temporary access as a service can be federated. The token may include trust levels and tolerance limits. Further, aspects of the temporary access can be monitored and/or changed. Adjustments to trust levels can be automated or manually performed. Further trust for specific users can be gained or lost over time based on at least previous accesses.

Abstract: A method is disclosed. The method comprises transmitting, by an access device to a communication device, a resource provider certificate and an access device certificate. Then, establishing a secure channel between the access device and the communication device using data from the resource provider certificate and the access device certificate. Then, transmitting to or receiving data from the communication device using the secure channel.

Abstract: A computer system is provided for protecting access to one or more hardware devices with a hardware device password that is invisible to a user, the system comprising a mobile device and the hardware device, the mobile device including: a memory, the memory storing one or more invisible passwords; an application in the memory; a wireless interface for communicating with the hardware device; and a processor coupled to the memory, the application and the wireless interface, the hardware device including: a memory; a wireless interface for communicating with the mobile device; and a processor coupled to the memory and the wireless interface; wherein the processor in the mobile device is configured to receive a hardware device identifier from the processor in the hardware device; wherein the application in the mobile device is configured to select, based upon the hardware device identifier, the invisible password for the hardware device; and the processor in the hardware device is configured to authenticate the a

Abstract: A computing device may authenticate a user of the computing device as an authorized user. The computing device may, in response to authenticating the user of the computing device as the authorized user, transition from a locked state to an unlocked state. The computing device may, in response to authenticating the user of the computing device as the authorized user, determine one or more computing devices that are proximate to the computing device. The computing device may, in response to determining the one or more computing devices that are proximate to the computing device, send to each of the one or more computing devices an indication of successful user authentication by the computing device to enable each of the one or more computing devices to transition from the locked state to the unlocked state without performing user authentication.

Abstract: An example system includes a processor to receive a graph-based masking policy and a composite payload containing a data object to be masked. The processor is to instantiate a masking engine based on the graph-based masking policy. The processor is to execute the masking engine on the composite payload to generate a masked payload comprising a masked data object. The data object to be masked is masked in place such that the resulting composite payload type is maintained. The processor is to output the masked payload.

Abstract: Various embodiments are generally directed to providing authentication and confidentiality mechanisms for message communication over an in-vehicle network. For example, authentication data associated with a communicating node may be transmitted over the network by encoding different predefined voltage levels on top of the message bits of the message being communicated. Different voltage levels may represent different encodings, such as a bit-pair or any bit combination of the authentication data. In a further example, messaging confidentiality between at least two communicating nodes may be achieved by pseudo-randomly flipping, or scrambling, the dominant and recessive voltages of the entire message frame at the analog level based on a pseudo-random control bit sequence.

Abstract: Aspects of the subject disclosure may include, for example, transmitting a first message to a server. The first message includes a request for a service and a first timeout associated with the service. The request causes generation of a blocking call associated with the service on the client computing device. Further embodiments can include receiving, prior to the first timeout expiring, a second message from the server indicating that the service is in-progress, and transmitting a third message to the server. The third message comprises one of a first instruction to continue with the service as the blocking call or a second instruction to convert the blocking call to a non-blocking call associated with the service. Other embodiments are disclosed.

Abstract: Aspects of the present disclosure involve a system comprising a computer-readable storage medium storing a program and method for presenting cross-sell products. The program and method provide for receiving indication of a user selection to display cross sell data for at least one product made available for purchase by a website; determining a set of cross-sell products for the at least one product, each cross-sell product in the set of cross-sell products having been previously sold together with the at least one product in association with website; determining, for each cross-sell product in the set of cross-sell products, a set of metrics that relate the cross-sell product to the at least one product; and causing, for each cross-sell product in the set of cross-sell products, display of the respective set of metrics that relate the cross-sell product to the at least one product.

Abstract: A computer-implemented method for securely transferring a secret from a source computing component to a target computing component, wherein the source computing component and the target computing component are part of a secure computing environment is disclosed. The method comprises upon the source computing component receiving from the target computing component a signed attestation document, verifying, by the source computing component, an authenticity and content of the attestation document, and upon a successful verification of the authenticity and the content, transferring, by the source computing component the secret to the target computing system. Thereby, the attestation document is attesting that the target computing component is compliant to an update governance rule.

Abstract: In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.

Abstract: A secure cloud-based node-locking service with built-in attack detection to eliminate fuzzing, cloning and other attacks is disclosed. White-box base files are securely stored on the cloud service and are not vulnerable to accidental leakage. A secure cloud-based dynamic secret encoding service reduces the risk of exposure of unprotected secrets and other sensitive data.

Abstract: A digital content distribution system uses a Digital Rights Management Controller that performs a set of arbitrary tests against the transfer request from one user to another such as user A to user B. Assuming these tests are successful, the DRM sends an encryption key to transferring user A. This encryption key E is taken from a table of encryption key/hash pairs which have been provided to the DRM Controller by an external authority such as the content rights holder. User A encrypts the content using they key provided by the DRM controller and then optionally calculates a hash over the encrypted form of the content E(X) and returns this value to the DRM Controller. On checking the returned hash against the hash from the table the DRM controller knows that user A does indeed have the digital content X in good condition. The DRM Controller then instructs both users A and B that the transfer may proceed. The encrypted form of the content E(X) is transferred from A to B.

Abstract: One or more embodiments described herein disclose methods and systems that are directed at providing enhanced privacy and security to distributed ledger-based networks (DLNs) via the implementation of zero-knowledge proofs (ZKPs) in the DLNs. ZKPs allow participants of DLNs to prove ownership of accounts on the DLNs without having to necessarily reveal private information such as the private key of the account publicly. As such, the disclosed methods and systems directed at the ZKP-enabled DLNs provide privacy to participants of the DLNs while still allowing the DLNs to remain as consensus-based networks.

Abstract: A computer-implemented method for seamlessly processing transactions using distributed ledger technology. The method may comprise: linking one or more conventional accounts hosted in a conventional banking infrastructure to one or more DLT-based client accounts hosted on a distributed ledger, wherein the DLT application comprises a routing address configured to be used in conventional transaction infrastructure using conventional communication protocols; storing one or more wallet identifications for the one or more DLT-based client accounts and a mapping of the one or more wallet identifications to the one or more conventional accounts hosted in the conventional banking infrastructure; exchanging a sequence of messages to execute an asset transfer and complete a transaction lifecycle, the sequence of messages based on the first asset type; updating the distributed ledger based on the asset transfer; and sending appropriate messages to clients.

Abstract: In some embodiments, a method includes in response to an integration tag included in a webpage at a first user interface being executed at a mobile device, receiving a mobile device identifier and a request to retrieve a purchase identifier. The method includes sending a first signal causing a frame to be provided within the webpage at the first user interface. The method includes in response to a first user input, receiving a Hyper Text Transfer Protocol (HTTP) POST request and determining a uniform resource identifier (URI). The method includes retrieving purchase information and sending a HTTP response message including the URI of the second user interface and the purchase information to deeplink to the second user interface and to cause the second user interface to be rendered at the mobile device with the purchase information pre-populated in an input field of a text message.

Abstract: For categorizing encrypted data files, a processor determines a block cipher key length for a data file based on data file contents. The processor encrypts the data file with an encryption cipher using the block cipher key length. The processor further determines a data type for the encrypted data file from macroscopic artifacts of the encrypted data file.

Abstract: A communication terminal capable of preventing a reduction in security level that is caused at the time of establishing multiple connections via 3GPP Access and Non-3GPP Access. A communication terminal according to the present disclosure includes: a communication unit configured to communicate with gateway devices disposed in a preceding stage of a core network device via an Untrusted Non-3GPP Access; and a key derivation unit configured to derive a second security key used for security processing of a message transmitted using a defined protocol with the gateway device, from a first security key used for security processing of a message transmitted using a defined protocol with the core network device.

Abstract: Technologies for providing secure utilization of tenant keys include a compute device. The compute device includes circuitry configured to obtain a tenant key. The circuitry is also configured to receive encrypted data associated with a tenant. The encrypted data defines an encrypted image that is executable by the compute device to perform a workload on behalf of the tenant in a virtualized environment. Further, the circuitry is configured to utilize the tenant key to decrypt the encrypted data and execute the workload without exposing the tenant key to a memory that is accessible to another workload associated with another tenant.

Abstract: Embodiments may be generally directed to methods, techniques and devices to utilize a contactless card to perform a series of operations.

Abstract: A method, apparatus, and system are provided for verifying a location of data stored on at least one storage device within at least one cell area served by at least one network node of a wireless communication network. In one embodiment, a location assurance gateway is provided with a communication interface and processing circuitry, the processing circuitry configured to cause the communication interface to communicate with the at least one network node of the wireless communication network for location information associated with the at least one cell area, the location information associated with the at least one cell area being used to verify a location of the data stored on the at least one storage device.

Abstract: A communication system includes a user plane function (UPF) configured to receive a domain name system (DNS) query from a user equipment (UE). The DNS query includes a first destination address of a first DNS server. The DNS query is for determining an address of a data server in proximity to the UE. According to the first destination address of the first DNS server, the UPF obtains, from a session management function (SMF), a second destination address of a second DNS server for providing the address of the data server. The SMF is configured to provide, to the UPF, the second destination address of a second DNS server.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for securing communications between devices. An example method includes obtaining a quantum random number (QRN) from a remote QRN source using a secure communication channel between the initiating device and the remote QRN source. The QRN may be a true random number. The example method may also include using the QRN to participate in computer implemented services with the participating device that received the QRN from the remote QRN source.

Abstract: In a method of generating a secret key according to an embodiment, a share of each of a user and a plurality of other users for a secret key of the user are generated, the share of each of the plurality of other users is provided to a user terminal of each of the plurality of other users, a share of the user for a secret key of each of the plurality of other users is received from the user terminal of each of the plurality of other users, and a new secret key of the user is generated using the share of the user for the secret key of the user and the shares of the user for the secret key of each of the plurality of other users.

Abstract: Certain exemplary embodiments relate to techniques for processing PIN-inclusive transactions in connection with an electronic device or terminal, e.g., where PIN code encryption keys are not necessarily stored on the electronic device or terminal, and/or where payment instrument data is maintained in a separate system from PIN code data at least until certain elements are combined in a highly secure system for submission to an electronic funds transfer network. One or more separate or physically separated systems may be used in this regard, e.g., taking advantage of more prevalent computer networks such as the Internet. Similarly, the ability to provide less expensive terminals or electronic devices at a point-of-sale, point-of-purchase, etc., may be advantageous. The interchange rate is not necessarily driven up in certain example instances.

Abstract: An apparatus comprising: a unit configured to verify whether a first region that specifies a verification range of a first boot code and a second region that specifies a verification range of a second boot code have been altered; a unit configured to, when the first region has not been altered, verify whether the first boot code has been altered; a unit configured to, when the first boot code has been altered and the second region has not been altered, verify whether the second boot code has been altered; and a unit configured to, when the second boot code has not been altered, restore the first boot code using the second boot code, wherein the first and second regions are regions that are not rewritten after a start of the apparatus.

Abstract: A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to record the purchase of a digital asset by a user at a client machine from a data source machine in network communication with the client machine. The location of the digital asset on one or more machines of the networked machines is archived. The location is separate from the data source machine. The digital asset is associated with a data access policy. A request for the digital asset is received. The data access policy is enforced through programmatic control utilized by one or more of the networked machines to form a consent state. Distribution of the digital asset to a networked machine is authorized in response to the consent state.

Abstract: An apparatus and method for scannable non-fungible token generation, the apparatus including at least a processor and a memory communicatively connected to the processor. The memory containing instructions configuring the processor to receive a creative work datum, determine a creative work class as a function of the creative work datum, generate a creative work token as a function of the creative work datum, and store the creative work token in an immutable sequential listing, where storing the creative work token includes generating a smart contract associated with the creative work datum, the smart contract also including the creative work class. The processor further configured to generate a machine-readable code as a function of the creative work token and the creative work class and transmit the machine-readable code to an output device.

Abstract: A constraint system enforces projection constraints on data values stored in specified columns of a shared dataset when queries are received by a database system. A projection constraint identifies that the data in a column may be restricted from being projected (e.g., presented, read, outputted) in an output to a received query, while allowing specified operations to be performed on the data and a corresponding output to be provided. For example, the projection constraint may indicate a context for a query that triggers the constraint, such as based on the user that submitted the query. Enforcing projection constraints on queries received at the database system allows for data to be shared and used anonymously by entities to perform various operations without the need to tokenize the data.

Abstract: Techniques for determining whether HTTP/2 or HTTP/3 is a preferred protocol for communication between a client device and a server over a network are described. A change associated with a network interface of a client device is detected. Based at least in part on detecting the change, a determination is made to identify a preferred communication protocol for a network over which the client device communicates using the network interface. A HTTP/2 probe is transmitted over the network and to a server. A HTTP/3 probe is transmitted over the network and to the server. In response to not receiving a HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/2. In response to receiving the HTTP/2 probe response and the HTTP/3 probe response, the preferred communication protocol is determined to be HTTP/3. The client device communicates with the server over the network using the preferred communication protocol.

Abstract: A Bluetooth communication system includes: a Bluetooth host device; and a Bluetooth device set which including a first member device and a second member device. The Bluetooth host device controls a display device to display a candidate device list, and to display a single device item in the candidate device list to represent the Bluetooth device set, but does not simultaneously display two device items in the candidate device list to represent the first member device and the second member device. The Bluetooth host device generates a first cypher key according to an instruction from the first member device and a device information of the first member device after receiving a selection command. The first member device establishes a connection with the Bluetooth host device, and generates a second cypher key corresponding to the first cypher key according to a device information of the Bluetooth host device.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.

Abstract: Embodiments provided herein relate to enforcing a device restriction policy. A device restriction policy may be stored that maps one or more portions of a household with particular household occupants of a plurality of household occupants. A request may be received to activate the device restriction policy on a household occupant. The device restriction policy may be activated against the household occupant based on the received request. One or more electronic devices may be disabled that are located in a portion of the household linked with the household occupant based on the received request and the device restriction policy.

Abstract: Aspects of the present disclosure involve systems, methods, devices, and the like for user authentication. In one embodiment, the user authentication occurs using a multi-provider platform. The multi-provider platform enables the use and retrieval of user information from the given provider for the use and assessment of information associated with the user. User information may also be received over a web link communicated at least in part by a risk checkpoint component to a user device, wherein the user information received and that retrieved may be jointly used for determining user authentication.

Abstract: Various aspects of the subject technology relate to systems, methods, and machine-readable media for providing an encryption key exchange. Various aspects may include identifying a database of cryptographic keys configured for encryption. Aspects may also include sending a request for a private key for decryption of content. Aspects may also include receiving the private key from a client. Aspects may also include determining a visibility parameter for content posts of the content based on the private key and database. Aspect may include providing the content posts to the client at a visibility according to the visibility parameter.

Abstract: Payment methods and systems for processing a payment using a Central Bank Digital Currency (CBDC) without a double payment in an offline situation (e.g., in a situation in which a terminal of a user is unable to be connected) to a server through a network may be provided.

Abstract: In a general aspect, risks associated with cryptography usage in network communication between computing nodes are identified. In some aspects, a network packet capture agent obtains cryptography usage data by examining network traffic communicated by computing nodes in the computing environment. A cryptography usage analysis agent identifies cryptography usage risks based on the cryptography usage data. A cryptographic risk identification agent identifies one or more applications associated with the cryptography usage risks.