Abstract: A medical device of a medical system is configured for communicating with an external programmer over a wireless communications link. The medical device comprises a wireless communications module configured for receiving a first unencrypted version of a random number and a first encrypted version of the random number from the external programmer over the wireless communications link. The medical device further comprises control circuitry configured for performing an authentication procedure on the external programmer based on the first unencrypted version of the random number and the first encrypted version of the random number, and preventing the external programmer from commanding the medical device to perform an action unless the authentication procedure is successful.

Abstract: A system and method described below prevents exploitation of a client's PKI station using the a token installed on other host (attackers') processors. This is accomplished by binding the token to the approved PKI client station (host) using the a software development kit installed in the PKI client station. Once a token is bound to a PKI client station, the token can no longer be used on another station unless permitted by authorized personnel.

Abstract: In embodiments of the present disclosure, a method is provided for managing a mesh point. A request is transmitted from a mesh point to a mesh portal, and the request indicates that Reduced Neighbor Report (RNR) information is required. A beacon with the RNR information is received from the mesh portal. A mesh link is established with a target mesh portal based on the beacon with the RNR information. Therefore, the time cost and the data communication of a scanning procedure of the mesh point may be greatly reduced. Further, communications in the scanning procedure are lowered, such that conflicts in the air may be alleviated.

Abstract: A network system that includes a first set of network hosts in a first domain and a second set of network hosts in a second domain. Within each of the domains, the system includes several edge switching elements (SEs) that each couple to the network hosts and forward network data to and from the set of network hosts. Within the first domain, the system includes (i) an interior SE that couples to a particular edge SE in order to receive network data for forwarding from the edge SE when the edge SE does not recognize a destination location of the network data and (ii) an interconnection SE that couples to the interior SE, the edge SE, and the second domain through an external network. When the edge SE receives network data with a destination address in the second domain, it forwards the network data directly to the interconnection SE.

Abstract: When personally identifiable information (PII) is to be stored or updated, a system first seeks consent from the user for the PII store or update. If the user grants consent, then the system stores the PII in the user's personal device or updates the PII stored in the user's personal device. The system then retrieves that PII and generates a token representing that PII. Even if the token were taken by a malicious user, it would not be possible for the malicious user to determine the user's actual PII from the token. In this manner, the security of the PII is improved over conventional systems.

Abstract: A method for fast access to a data resource in a blockchain network is provided. The method includes opening a dedicated socket in a server to receive a datum from a data source and authenticating a signature of the data source to verify that the data source is a reliable data source. The method also includes storing the data in a dedicated memory space in the server, allowing a blockchain application to access the data in the dedicated memory space using a function that has accessibility to the dedicated memory space, and writing the data in a blockchain block when a block producer reads the data from the blockchain application. A system and a non-transitory, computer-readable medium storing instructions to perform the above method are also provided.

Abstract: Techniques are described for performing multi-factor authentication of a user during a service session, based at least partly on a code conveyed using an audio file. A code is generated that corresponds to the user and/or their user device. A playback device that is registered to the user can be used to output a playback of an audio file that encodes the code. The playback of the audio file is conveyed through the service session by the user device and received by a backend server, which analyzes the playback of the audio file to extract the code. The user can be authenticated based at least partly on verifying the code that is extracted from the playback of the audio file, by comparing the extracted code to the code that was generated and sent to the playback device.

Abstract: A multiclass classifier generates a probability vector for individual data units of an input data stream. The probability vector has prediction probability values for classes that the multiclass classifier has been trained to detect. A class with the highest prediction probability value among the classes in a probability vector is selected as the predicted class. A confidence score is calculated based on the prediction probability value of the class. Confidence scores of the class are accumulated within a sliding window. The class is declared to be the detected class of the input data stream when the accumulated value of the class meets an accumulator threshold. A security policy for an application program that is mapped to the class is enforced against the input data stream.

Abstract: Establishing a diagnostic OS for an information handling system platform performing a UEFI BIOS boot to place the platform in a pre-OS state. Upon detecting a particular POST error and/or a platform configuration policy, an embedded OS kernel may be launched into a DRTM-authenticated measured launch environment (MLE). Additional objects for the diagnostic OS may be downloaded. The additional objects may include an initial ramdisk (initrd) module and one or more applications specific to the particular diagnostic OS. The diagnostic OS may be launched as follows: for each diagnostic OS application, launching the application and extending a measurement of the application into a DRTM PCR. Launching the diagnostic OS may include launching an initrd module and extending a measurement of the initrd module into the DRTM PCR. A measurement of embedded OS kernel may be extended into the TPM and the embedded OS kernel may validate the UEFI BIOS sequence.

Abstract: Multi-link device (MLD) devices and transitions are described. The MAC addresses of the AP MLD and non-AP MLD are used to generate keys for different fast transitions (FT) between a non-AP MLD and an AP MLD. In an FT initial mobility domain operation, the AP MLD MAC address is used as the R1KH-ID and the non-AP MLD MAC address is used as the S0KH-ID and S1KH-ID. The MAC addresses are exchanged in Authentication Request/Response or Association Request/Response messages and the GTK/IGTK/BIGTK are delivered in a single FT 4-way handshake. In a fast MLD transition to an AP MLD in the same ESS, the other AP MLD MAC address is used as the R1KH-ID and the non-AP MLD MAC address is used as the S1KH-ID. The MAC addresses are exchanged in Authentication Request/Response or Association Request/Response messages and the GTK/IGTK/BIGTK are delivered in an FTE.

Abstract: An in-vehicle encryption system for use in a vehicle comprising a plurality of vehicle subsystems. The system comprises a security ECU module that communicates with a remote cryptographic module, the security ECU module comprising a processor and a per vehicle master secret (PVMS) value stored in the security ECU module. The security ECU module uses the PVMS value to authenticate with the remote cryptographic module and to establish an external encrypted communication link with the remote cryptographic module. The system further comprises a first subsystem ECU module that generates a first globally unique identifier (GUID) and a second subsystem ECU module that generates a second GUID. The security ECU module uses the first GUID value to establish a first encrypted communication link with the first subsystem ECU module.

Abstract: Baseboard management controller (‘BMC’) group administration includes: receiving, by a member BMC from a leader BMC, a leader certificate and a request to join a group of the leader BMC, where the request is signed by the leader BMC and the leader certificate is signed by a certificate authority; authenticating, by the member BMC, the leader certificate and the request; and sending, by the member BMC, an acknowledgement to the leader BMC to join the leader BMC's group.

Abstract: The invention relates to a method and system for key distribution and encryption/decryption. An encryption key (Kenc) is derived in a terminal. The encryption key is applied by the terminal for encrypting at least a part of data included in an application message for an application server transmitted over a network. The terminal and the network both have access to a first key (K1). The terminal and the server both have access to a second key (K2). The encryption key is derived at the terminal using the first key and the second key. The first key or the derivative thereof is received at the server. The encryption key for decrypting the application message encrypted by the terminal is derived in the server using the shared second key and the received first key of the derivative thereof.

Abstract: An image processing apparatus includes a communicator that performs wireless communication with a terminal device; and a controller. The controller performs pairing with the terminal device, establishes wireless communication with the paired terminal device via the communicator, acquires information on a transmission destination of an image from the terminal device, disconnects the wireless communication after acquiring the information on the transmission destination, and releases the pairing with the terminal device by disconnecting the wireless communication.

Abstract: Various embodiments of the present disclosure provide systems and methods for securing electronic devices, such as financial payment terminals, to protect sensitive data and prevent unauthorized access to confidential information. In embodiments, this is achieved without having to rely on the availability of backup energy sources. In certain embodiments, tampering attempts are thwarted by using a virtually perfect PUF circuit and PUF-generated secret or private key within a payment terminal that does not require a battery backup system and, thus, eliminates the cost associated with common battery-backed security systems. In certain embodiments, during regular operation, sensors constantly monitor the to-be-protected electronic device for tampering attempts and physical attack to ensure the physical integrity.

Abstract: A method of operating a user equipment, UE, includes establishing a radio resource control, RRC, connection with a base station, following establishment of the RRC connection, sending an indication of a security capability of the UE to the base station, receiving a non-access stratum, NAS, message, from the base station, wherein the NAS message identifies a selected security algorithm, and generating the access stratum security key to be used with the selected security algorithm.

Abstract: A communication system may include a first radio frequency (RF) device configured to generate a Bluetooth Low Energy (BLE) advertisement responsive to an input event, transmit the BLE advertisement in a BLE advertisement burst comprising a number of transmissions in at least one BLE advertising channel, and discontinue transmission of the BLE advertisement after transmission of the BLE advertisement burst. The system may further include a second RF device configured to scan for the BLE advertisement in the at least one BLE advertising channel, and communicate with the first RF device over a BLE data channel responsive to receiving the BLE advertisement.

Abstract: Exemplary methods for facilitating secure communication between a mobile network subscriber and various service providers (SPs), the subscriber being associated with a plurality of entities comprising any combination of devices and profiles. Some embodiments can include: obtaining a security identifier associated with the subscriber; based on the security identifier, establishing an identity hierarchy comprising the plurality of entities associated with the subscriber; based on the security identifier, establishing consents for SPs to access data generated by the entities of the identity hierarchy; in response to a request comprising the security identifier, receiving a public key usable to encrypt data for sending to a particular SP, the data being decryptable using a corresponding secret key associated with an established consent for the particular SP; and encrypting the data using the public key and the identity hierarchy.

Abstract: A system is provided for implementing a data processing transaction for a home processor located within a home region. The system is configured to receive a query from a user device of a user, search a list of partner processors located within a foreign region based on the query and transmit to the user device information relating to one or more partner processors determined as a result of the search. The system receives a request to authenticate the data processing transaction at a selected partner processor, verifies an identity of the user based on the request and transmits an indication of successful authentication. The system transmits at least a portion of data relating to a registration of the user at the home processor to the selected partner processor, wherein the data processing transaction is processed by the partner processor based on the transferred data.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.

Abstract: A method for electing a representative node device is performed at a blockchain system, including: obtaining voting transaction data from the node devices, the voting transaction data being used for voting for one or more node devices of the blockchain system as representative node devices; generating and storing the voting transaction data into a target blockchain of the blockchain system when a plurality of node devices of the blockchain system verify the voting transaction data by consensus; and when a quantity of blocks in the target blockchain generated using the voting transaction data reaches a preset quantity, determining an election result according to quantities of votes of the node devices determined from the voting transaction data, the election result identifying a plurality of representative node devices in the blockchain system being configured to generate new blocks for the target blockchain and perform verification on the new blocks by consensus.

Abstract: Various embodiments of apparatuses and methods for multi-cast, multiple unicast, and unicast distribution of messages with time synchronized delivery are described. In some embodiments, the disclosed system and methods include a reference timekeeper providing a reference clock to one or more host computing devices. The one or more host computing devices host compute instances, and also contain respective isolated timing hardware outside the control of the compute instances. The isolated timing hardware of the one or more host computing devices then receive respective packets, and obtain the same time to deliver the respective packets. Each isolated timing hardware provides either the packet, or information to access the packet, to its respective destination compute instance subsequent to determining that the same specified time to deliver the packet has occurred. Thus, the respective packets are delivered near simultaneously to the one or more destination compute instances.

Abstract: A key sharing system that generates a shared key that is used to perform encrypted communication between a first device and a second device according to an authenticated key sharing protocol, at least one device of the first device and the second device including: calculation means for calculating a shared value ?j of shared values ?i (i=1, . . . , n) that are used to generate the shared key, the shared value ?j being calculated through pairing computation, using a private key DA,1 as an input; entrusting means for entrusting an information processing apparatus that is connected to the device via a network, with calculation of a shared value ?k (k?j) of the shared values ?i (i=1, . . . , n), the shared value ?k being calculated through pairing computation, using a private key DA,2 as an input; and key generation means for generating the shared key, using the shared value ?j calculated by the calculation means and the shared value ?k calculated by the information processing apparatus.

Abstract: An onboard communication network of a vehicle is monitored to detect a plurality of available messages that include respective cipher-based message authentication codes (CMAC) and that were identified as eligible messages based on having an information entropy greater than a specified threshold. A first message is selected from the plurality of available messages. The CMAC of the selected message is input into a random number generator that outputs a random number seeded by the CMAC of the selected message. Then the random number is provided.

Abstract: The present invention discloses methods and systems for communicating at a cellular router between a first wireless communication module and a first subscriber identity module (SIM). The cellular router receives a first request from a first wireless communication module and encapsulates the first request in a first modified request. The cellular router then sends the first modified request to a first SIM card in a first communication apparatus and waits for a first modified reply. While waiting for the first modified reply the cellular router sends at least one halt message to the first wireless communication module after a first time threshold. After receiving the first modified reply, the cellular router decapsulates the first modified reply to retrieve a first reply and sends the first reply to the first wireless communication module where the first modified reply is a reply to the first modified request.

Abstract: An information processing device includes a processor programmed to: receive an instruction from a user; and select, based on the received instruction, between: a first mode that receives a selection of a workflow to process target data before the target data is received; and a second mode that receives a selection of a workflow to process target data after the target data is received.

Abstract: A system for identifying email messages associated with phishing threats accesses an email message sent to a receiving computing device, where the email message is associated with a sender's email address. The system determines whether the sender's email address is associated with a token from a plurality of tokens stored in a token-email address mapping table. The system determines that the email message is associated with a phishing threat, in response to determining that the sender's email address is not associated with a token from a plurality of tokens from among a token-email mapping table.

Abstract: An electronic device and a method, to control permission associated with annotations in an online conference, is provided. The electronic device receives profile information associated with each of a plurality of participants associated with the online conference to be hosted by a host of the electronic device. The electronic device grants, to a first set of participants of the plurality of participants, a permission to annotate media content to be shared during the online conference based on the profile information. The electronic device receives, from a set of electronic devices associated with the first set of participants, annotations related to the media content, based on the permission. The electronic device controls display of the received annotations and the media content on each of a first display device associated with the first electronic device and on a second display device associated with each of the set of electronic devices.

Abstract: An authenticated, ID-based private/public key pair, with a self-certified public key, is generated using Kummer arithmetic without bilinear pairings. Two or more parties can generate such key pairs and use them as their respective long-term key pairs which, when combined with the parties' short-term key pairs, can allow the parties to establish an authenticated, short-term shared key. Some embodiments are suitable for connected vehicles communicating with each other and/or with other systems. Other features are also provided.

Abstract: Presented herein are techniques to facilitate delivering standalone non-public network (SNPN) credentials from an enterprise authentication server to a user equipment (UE) using an Extensible Authentication Protocol (EAP) process. In one example, a method may include determining, by an authentication server of an enterprise, that a UE for the enterprise is to receive credentials to enable the UE to connect to a SNPN of the enterprise in which the determining is performed based, at least in part, on connection of the UE to an access network that is different than the SNPN for the enterprise; and performing an authentication process with the UE by the authentication server in which the authentication process includes providing the credentials to the UE via a first authentication message and obtaining confirmation from the UE via a second authentication message that indicates successful provisioning of the credentials for the UE.

Abstract: A user device is provided. The user device is configured to detect that a user is in a foreign region outside a home region of the user, wherein the user is registered with a home processor located within the home region of the user. The user device provides a recommendation to the user of one or more partner processors located within the foreign region, wherein each of the one or more partner processors has a predetermined association with the home processor. The user device receives a selection of a partner processor selected by the user from the one or more partner processors. The user device authenticates a data processing transaction at the selected partner processor by verifying an identity of the user and initiates the data processing transaction at the selected partner processor after the authentication.

Abstract: Dynamic segmentation of network traffic through the use of Pre-Shared Keys (PSKs). Each defined network segment uses a different pre-shared key and a message authentication code (MAC)-signing algorithm to sign data packets with segment-specific MACs. As such, only those computer hosts/nodes that are in the network segment (i.e., have been assigned the same pre-shared key for generating and decoding the MAC signed data packets) are capable or reading the segment's network traffic. By implementing segment-specific MAC signed data packets, the present invention allows for confidential data transmission absent the need to encrypt the actual contents/data being transmitted.

Abstract: Techniques for packaging media content in a low latency encryption ready format for streaming are described herein. In accordance with various embodiments, one or more packagers that include create an intermediate unit including at least one data portion from media content. The packager(s) further determine a size for reformatting the intermediate unit, where the size can include a padding amount for the at least one data portion. The packager(s) also package the intermediate unit to a reformatted partial segment according to the size without encrypting the at least one data portion, including injecting into the partial segment at least one encryption specific box and injecting padding into the at least one data portion according to the padding amount. The packager(s) then package the reformatted partial segment for streaming while maintaining the size, including generating a manifest for streaming the media content specifying the size of the reformatted partial segment.

Abstract: In a system, computer-readable media and methods for secure ledger assurance tokenization (SLAT), a block content of a first blockchain is audited, which includes accessing, by a request circuit of a SLAT computing system, a retrievably stored cross-reference content and generating an audit result. Generating an audit result includes evaluating, by a SLAT circuit of the SLAT computing system, the cross-reference content such that the audit result is informed at least by the cross-reference content. The audit result is included in a secure ledger assurance token generated by a SLAT generation circuit of the SLAT computing system and stored relationally to the block content of the first blockchain.

Abstract: One-time-pad (OTP) encryption systems and methodologies are resistant to cracking, even by advanced quantum computers. In contrast to some purported solutions, the required elements of an unbreakable OTP system are preserved under Claude Shannon's mathematical proof. In alternative embodiments, the invention uses a secure network to reconstitute blockchain systems without the use of asymmetric encryption. Described extensions of these block chain systems are described which enable an entirely new set of applications for protecting privacy, sharing information, performing validations and analysis of data, and creating system actions that are constrained by complex data algorithms.

Abstract: A method for securely receiving a multimedia content by a client device operated by one or more operator(s) involving a dedicated provisioning server of a security provider managing symmetric secrets used by the client devices and operators license servers. The provisioning server provides to the client device one or more generations of operator specific unique device secrets, which are then exploited by the various operators' license servers to deliver licenses such that authorized client devices can consume protected multimedia contents.

Abstract: One-time-pad (OTP) encryption systems and methodologies are resistant to cracking, even by advanced quantum computers. In contrast to some purported solutions, the required elements of an unbreakable OTP system are preserved under Claude Shannon's mathematical proof. In alternative embodiments, the invention uses a secure network to reconstitute blockchain systems without the use of asymmetric encryption. Described extensions of these block chain systems are described which enable an entirely new set of applications for protecting privacy, sharing information, performing validations and analysis of data, and creating system actions that are constrained by complex data algorithms.

Abstract: A communication device may obtain second security information in a case where a first instruction for establishing a second wireless connection with a second parent station is accepted under a state where a first wireless connection with a first parent station is established, and determine whether a second security level indicated by the second security information is lower than a first security level indicated by first security information in a memory. The communication device may execute at least one process of a notification process or an acceptance process in a case where it is determined that the second security level is lower than the first security level and establish the second wireless connection with the second parent station without executing the at least one process in a case where it is determined that the second security level is not lower than the first security level.

Abstract: Systems, computer program products, and methods are described herein for securely managing device communication. The present invention may be configured to provide, to another system, staging information including a digital certificate, a PIN, and a protocol for storing on a device, receive from the device a request to connect to an internal network after user input of the PIN, receive a digital certificate from the device, establish a wireless connection between the device and the internal network, and cause the device to delete the PIN. In some embodiments, the system is configured to permit communication from the device to the other system for a predetermined time window. In some embodiments, the system receives updates from the other system, via an external network, and the system sends the updates to the device, via the internal network.

Abstract: A system for tenant security control includes an interface and a processor. The interface is configured to receive a request to access shared services; provide a user interface for selecting a shared service of the shared services; and receive a selection of the shared service of the shared services. The processor is configured to determine data associated with the shared service of the shared services; store a shared-service tag indicating the data is associated with the shared service of the shared services and a tenant identifier tag indicating the data is associated with a contributing tenant; transfer the data to a model development system; determine a model using the data transferred to the model development system; and store the model.

Abstract: Disclosed are systems and methods for passively authenticating users of a native application running on a mobile communications device. The user may be applying for a service, product, access, etc. from a provider computing system. A unique device identifier of the device may be acquired and provided to a first computing system. A mobile telephone number associated with the device may be received at the device. User information may be accepted from the user via a user interface of the device for entry into a set of fields. The mobile telephone number may be verified by determining, via a second computing system that is different from the first computing system, that the mobile telephone number is associated with the user information. The service/product/access for the user may be approved in response to verification of the mobile telephone number. The user may be authenticated without challenge questions.

Abstract: A method for increasing the difficulty for attackers to launch keyword guessing attacks, which uses a time-delay encryption with a keyword search based on a public key that generates searchable ciphertexts and/or files ciphertexts for keywords of at least one file that uploaded by time-delay encryption from a cloud server. A system for implementing the method is also described.

Abstract: A computer implemented system and method for acquisition of advance consent for each instance of PII use includes the steps of receiving reference specimens for a user, electronically storing the reference specimens on a distributed block chain. When PII of the user is to be used, a consent session is electronically requested for the user. Consent-session specimens are electronically received from the user in response to the electronic request for the consent-session after completion of the consent session. The consent-session specimens include a video of the user making an affirmative consent statement, a photograph of fingerprints of the user, and a photograph of identification (ID) credentials of the user. A degree to which each of the consent-session specimens from the user match the reference specimens for the user is electronically determined and the transaction information is electronically stored on the distributed block chain.

Abstract: A system for detecting whether a device seeking communication with a server is a returning device that previously communicated with the server includes a database that stores groups of device attributes based on observable device characteristics and unique identifiers. The database is generally not accessible to the devices. Each attribute group and the associated device identifier (DID) can uniquely identify a particular device, and the associated DID is generally not derivable from the attributes. The database may satisfy a uniqueness property so that each attribute value in the database may also uniquely identify a device.

Abstract: An automated method and system are provided for comparing a source database and a target database that are intended to be kept in synchronization with each other. An application processes transactions that are posted to the source database and replicated to the target database. Before images of changes made to the source database resulting from transactions posted to the source database are collected into a first change log and then replicated to the target database. Before images of changes made to the target database resulting from replication are collected into a second change log. Representations of the before images of changes in the first change log are compared with representations of the before images of changes in the second change log that correspond to the same respective changes that were made to the source database and replicated to the target database.

Abstract: Encrypting data blocks by receiving blocks of compressed data, determining a size, in bytes, of the compressed data, appending a trailer to the compressed data, the trailer associated with the size in bytes of the compressed data, encrypting the compressed data and trailer, yielding encrypted data, where a header of the encrypted data comprises a number of complete encrypted data blocks, and providing the encrypted data to a user.

Abstract: Systems, methods, and computer-readable storage media utilized for event-based authentication. One method includes recognizing an event and receiving, from a device, a withdrawal request of a user, wherein the withdrawal request includes a captured feature by the device. The method further includes determining that the user is associated with the recognized event using at least a geographic proximity between the event and the withdrawal request, wherein the geographic proximity is a given radius around a location of the event, and wherein the device is within the given radius and adjusting authentication rules based on the determination that the user is associated with the recognized event, wherein the adjustment of the authentication rules includes adjusting a matching threshold between the captured feature and a reference feature. The method further includes processing the withdrawal request for the user based on the adjusted authentication rules.

Abstract: Systems and methods for a bifurcated self-executing program that wraps a first self-executing program (e.g., a first smart contract) on a blockchain within a second self-executing program (e.g., a second smart contract), in which the second self-executing program enforces the digital signature requirement. The bifurcated self-executing program comprises a single compiled self-executing program that combines the first self-executing program and the second self-executing program.

Abstract: A method of unlocking a locked device includes receiving a device identifier over a wireless communication protocol, determining if the device identifier is associated with a list of trusted devices, transmitting a request to generate an acoustic signal over the wireless communication protocol based on the determination, receiving the acoustic signal as an audio sound generated external to the locked device, estimating a distance between a source of the audio sound and the locked device, and unlocking the locked device based on the estimation.

Abstract: Various embodiments are discussed that provide systems and methods for identifying possible unsecured devices on a network. In some cases, embodiments discussed relate to systems and methods for identifying possible unsecured devices; clustering the identified devices with other similar devices, and/or determining default or simplified access processes for a given cluster of the identified devices.