Abstract: Disclosed herein is a system configured to collect and maintain user data within a first party silo while allowing third party data consumers to use the user data in accordance with explicit input from users. The system provides a user with transparency and control with regard to data use by displaying graphical user interfaces configured to receive input indicating whether the user allows or prevents third party data consumers to use his or her data. The system exposes an API that enables the third party data consumers to submit a data query. The system uses the data query to internally analyze a user data set. User data is included in the user data set in accordance with the input. The system is configured to provide, via the API, a result of the analysis to the third party data consumer that submitted the data query without providing the user data set.

Abstract: A method of a digital identity system generating a sharing token for authenticating a bearer to a validator, wherein a data store of the digital identity system holds a plurality of attributes of the bearer, the method comprising implementing by the digital identity system the following steps: receiving at the digital identity system from a bearer an electronic sharing token request, wherein the token request identifies at least one of the bearer's attributes in the data store selected for sharing with a validator; in response to the electronic token request, generating a sharing token, which is unique to that request, for presentation by the bearer to a validator; associating with the unique sharing token at the digital identity system the identified at least one bearer attribute; and issuing to the bearer the unique sharing token; and wherein later presentation of the unique sharing token to the digital identify system by a validator causes the at least one bearer attribute associated with the sharing token

Abstract: A mobile device responds in real time to media content presented on a media device, such as a television. The mobile device captures temporal fragments of audio-video content on its microphone, camera, or both and generates corresponding audio-video query fingerprints. The query fingerprints are transmitted to a search server located remotely or used with a search function on the mobile device for content search and identification. Audio features are extracted and audio signal global onset detection is used for input audio frame alignment. Additional audio feature signatures are generated from local audio frame onsets, audio frame frequency domain entropy, and maximum change in the spectral coefficients. Video frames are analyzed to find a television screen in the frames, and a detected active television quadrilateral is used to generate video fingerprints to be combined with audio fingerprints for more reliable content identification.

Abstract: One embodiment of the present invention provides an enhanced authentication system. During operation, the system can obtain, from a remote device of a client, an authentication request prior to the exchange of application layer web traffic associated with a piece of resource protected by the system. The system can then determine, in the authentication request, an indicator indicating whether certificate-based authentication is enforced for the client. If certificate-based authentication is enforced for the client, the system can initiate certificate-based authentication for the client. On the other hand, if certificate-based authentication is not enforced for the client, the system can send information associated with a user interface to the client. The user interface can allow the client to select an authentication method from a set of authentication methods supported by the system.

Abstract: Cryptographic systems and methods are disclosed, including numerous industry applications. Embodiments of the present invention can generate and regenerate the same symmetric key. The cryptographic systems and methods include a key generator configured to use two or more inputs to reproducibly generate the symmetric key and a cryptographic engine configured to use the symmetric key for encrypting and decrypting data.

Abstract: An access management system and method provisions credentials to access a resource, such as external web user accounts. Credentials are generated, encrypted and stored. To access the resource, encrypted credentials are decrypted, masked, and served to users, such that they are not visible to the user requiring access. The user is unaware of the credentials used to authenticate and unable to access the provisioned web resources outside set parameters.

Abstract: A sender device includes: a first sequence generator configured to generate a first sequence of bits having a bit pattern that incudes first bit values and second bit values; a first parsing processor configured to receive a first plurality of data blocks and the first sequence of bits, and select a first subset of data blocks and a second subset of data blocks from the first plurality of data blocks based on the bit pattern; an encryption processor configured to encrypt the selected first subset of data blocks received from the first parsing processor to generate encrypted data blocks and output the encrypted data blocks to an output terminal that is configured to output the encrypted data blocks and the selected second subset of data blocks as unencrypted data blocks from the sender device.

Abstract: A data processing method, an access network device, and a core network device are provided. The method comprises: the access network device receives first information sent by the core network device or a terminal device; the access network device determines, according to the first information, whether to perform security processing on data to be processed.

Abstract: A method for connecting an end device to a linkable computer infrastructure is provided. A device certificate is created and supplied to a user of the end device. The device certificate is input into the end device. A data link from the end device to an access zone connected upstream of functions of the linkable computer infrastructure is produced. The access zone may be selectively separated from the functions of the linkable computer infrastructure by this link. The end device is registered in the access zone using the device certificate. By access of a function from the linkable computer infrastructure to the end device registered in the access zone, this end device is identified for the linkable computer infrastructure. With successful identification of the end device, use of the linkable computer infrastructure is enabled for the end device.

Abstract: A method for integrity protection scheme by a mobile communication device or a core network entity according to a first exemplary aspect of the present disclosure includes configuring settings and parameters for integrity protection for user data with another party; receiving user plane data from the other party, calculating Message Authentication Code for Integrity (MAC-I) for a part of the data and checking integrity of the part of the data.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: A processing device of a memory sub-system is configured to receive, from a host system, host data to be stored at a memory sub-system in an encrypted form; determine that the host data exceeds a threshold size associated with an encryption operation; separate the host data into a plurality of segments based on the threshold size associated with the encryption operation; determine that a particular segment of the plurality of segments does not satisfy a size requirement of data associated with the encryption operation; modify the particular segment to satisfy the size requirement of data associated with the encryption operation; encrypt each of the plurality of segments based on the encryption operation; and store the encrypted plurality of segments at the memory sub-system.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: The present disclosure pertains to validation of runtime objects for a software deployment using a certificate. After creating the runtime objects during a build process, a certificate may be generated based on the runtime objects. The certificate may include a fingerprint of the runtime objects that may be used before deployment to determine whether the runtime objects have been changed. Before deployment, the runtime objects and the certificate may be obtained and the certificate may be validated. In addition, the runtime objects may be validated using the fingerprint included in the certificate. For instance, the fingerprint may be re-generating based on the runtime objects for deployment. The runtime objects may be validated by comparing the re-generated fingerprint to the fingerprint in the certificate. The runtime objects may be deployed if the certificate and the runtime objects are valid.

Abstract: The invention relates to a control System (2) for a motor vehicle (1), comprising a central vehicle Controller (3) for Controlling vehicle functions (4) and a plurality of driver assistance Systems (5). The driver assistance Systems (5) are set up to transmit a task key describing the particular assistance function thereof to the vehicle Controller (3) and to transmit a security key assigned to the particular assistance function to the vehicle Controller (3).

Abstract: In various embodiments, methods, systems, and vehicle apparatuses are provided. A method to selectively pair an in-vehicle display to a mobile device used by a passenger with an in-vehicle display system when seated in the vehicle, including receiving, by a processor of a vehicle, notification via a rideshare app of a request for a ride to a destination; in response, to the passenger entering the vehicle, initiating a pairing operation of a system of the vehicle with a passenger's mobile device based on the capture by the passenger using the passenger's mobile device of a QR code displayed in the vehicle; displaying a QR code for capture by the passenger's mobile device in the vehicle and initiating a wireless connection with the passenger's mobile device wherein the wireless connection is a secure connection based on an identification of the passenger and passenger location in the vehicle based on the QR code.

Abstract: Various embodiments described herein disclose an endpoint modeling and grouping management system that can collect data from endpoint computer devices in a network. In some embodiments, agents installed on the endpoints can collect real-time information at the kernel level providing the system with deep visibility. In some embodiments, the endpoint modeling and grouping management system can identify similarities in behavior in response to assessing the data collected by the agents. In some embodiments, the endpoint modeling and grouping management system can dynamically model groups such as logical groups, and cluster endpoints based on the similarities and/or differences in behavior of the endpoints. In some embodiments, the endpoint modeling and grouping management system transmits the behavioral models to the agents to allow the agents to identify anomalies and/or security threats autonomously.

Abstract: A system is provided for identification of secure wireless network access points using cryptographic pre-shared keys. In particular, the system may comprise a client-side application that may use a pre-shared key to generate a list of valid access point ID's in a pseudorandom manner. A server-side application may use the same pre-shared key to generate one or more access point ID's. Based on the pre-shared key, a client computing device may readily identify which wireless access points within the network are secure and trusted.

Abstract: A shared battery system includes a battery having unique identification information, a communication unit communication-connected with a user terminal to receive user information from the user terminal, and an authentication unit configured to perform user authentication based on the user information. A controller is configured to control the authentication unit to perform the user authentication when a communication connection with the user terminal is made, to control the battery to supply electrical energy to a shared mobility device based on a use approval of the shared mobility device when the battery is mounted to the mobility device, to acquire usage information of the shared mobility device therefrom when the electrical energy is supplied to the shared mobility device, and to control the communication unit to transmit the acquired usage information of the shared mobility device and status information of the battery.

Abstract: The present disclosure provides a consumable, a consumable chip, and a communication method between the image forming apparatus and the consumable chip. The consumable chip is capable of being installed on a consumable, and the consumable is capable of being detachably installed on an image forming apparatus. The consumable chip includes a storage unit and a chip control unit. The storage unit is configured to store identity authentication information of the consumable. The chip control unit is configured to receive an authentication request sent by the image forming apparatus and obtain second time information, generate a second code by performing a calculation using a preset algorithm according to the obtained second time information and the pre-stored identity authentication information of the consumable, and send the second code to the image forming apparatus. The second code is configured to determine whether the consumable meets expectation.

Abstract: Systems and methods for sharing information between a publisher and a subscriber are disclosed. The system includes a shared memory and a memory broker. The memory broker is configured to receive a request for writing a message relating to a topic from a publisher and determine whether a communication channel corresponding to the topic exists in the shared memory. If the communication channel corresponding to the topic exists, the memory broker then assigns a buffer ring on the communication channel to the publisher, transmits information relating to the buffer ring to the publisher, and transmits information relating to the buffer ring to one or more subscribers of the communication channel.

Abstract: One or more first servers can implement an example method including storing, at a memory accessible by the first one or more servers, a primary email address for a user. The method further includes detecting a request, from a client device associated with the user, to access a network resource hosted at a second one or more servers, wherein the network resource is associated with an online service. The method also includes automatically generating a secondary email address for the user that is unique to the online service; and transmitting the secondary email address to the second one or more servers such that the online service receives the secondary email address for the user without receiving the primary email address for the user, thereby enabling the online service to transmit emails to the user despite not receiving the primary email address for the user.

Abstract: Methods and systems for token transfer are described herein. A remote computing device may receive, from a mobile computing device, a public key of a public-private key pair. The public key may be associated with a first application of the mobile computing device. The first application may be configured to send credentials to a second application of the mobile computing device. The second application may be isolated from other applications executable on the mobile computing device. The remote computing device may receive, from the first application, a token. The token may have been previously issued to the first application and may have been encrypted, using the public key, by the first application. The remote computing device may send, to the second application, the token to enable the second application to authenticate with a plurality of services that interact with the second application.

Abstract: Aspects of the disclosure relate to extending single-sign-on to relying parties for federated logon providers. An enterprise identity provider server may receive a first authentication token previously issued to an enterprise server by the enterprise identity provider server. Subsequently, the enterprise identity provider server may retrieve, from a token store, a second authentication token associated with a federated identity service provided by a federated identity provider server. The enterprise identity provider server may refresh the second authentication token with the federated identity service provided by the federated identity provider server to obtain a refreshed authentication token. Finally, the enterprise identity provider server may send the refreshed authentication token to the enterprise server, which may enable user devices managed by the enterprise server to access one or more resources provided by a third party system using the federated identity service.

Abstract: A wireless device system employs short-range wireless communication to require the proximity of a user device to a defined area prior to communicating a request or notification to the wireless user device. The system authenticates a request and the proximity of the user to or within the defined area prior to transmitting a command, request, or notification to the user or a third party. Additionally, the system uses an access node configured to shape the radiation pattern of short-range wireless communications to better determine the position of a user proximate in or around a defined area.

Abstract: The present disclosure relates to methods and systems for contextual data masking and registration. A data masking process may include classifying ingested data, processing the data, and tokenizing the data while maintaining security/privacy of the ingested data. The data masking process may include data configuration that comprises generating anonymized labels of the ingested data, validating an attribute of the ingested data, standardizing the attribute into a standardized format, and processing the data via one or more rules engines. One rules engine can include an address standardization that generates a list of standard addresses that can provide insights into columns of the ingested data without externally transmitting the client data. The masked data can be tokenized as part of the data masking process to securely maintain an impression of the ingested data and generate insights into the ingested data.

Abstract: Technologies and techniques for anonymously providing data of a motor vehicle. A first dataset is generated by a motor vehicle, and the first dataset is anonymized using a vehicle computing unit. User related data and the anonymized first dataset are communicated to a first server system using the vehicle computing unit and the communicated user related data is deleted using the first server system. The anonymized first dataset is communicated to a second server system using the first server system after deletion of the user related data.

Abstract: The techniques herein are directed generally to providing access control and persona validation for interactions. In one embodiment, a method for a first device comprises: interacting with a second device on a communication channel; determining, over a verification channel with a verification service, that an identity of a user communicating on the second device is a verified identity according to the verification service; determining a persona of the user; querying a third-party entity to make a determination whether the persona is validated and to correspondingly determine a current privilege level; and managing interaction with the second device according to the determination whether the persona is validated and the corresponding current privilege level. Another embodiment comprises a verification server's perspective of facilitating the interaction between the first and second devices, where the verification server queries the third-party entity to validate the persona.

Abstract: A mobile application development environment may be maintained in association with a computing platform. A request to produce a binary of a first mobile application may be processed. The binary and a package configurable to cause the binary to have code-sign credentials associated with a first organization when the binary is uploaded to a mobile application provider may be produced. The binary and the package may be provided to the first organization.

Abstract: An access control apparatus and method for controlling a configuration of an automation apparatus. The method includes: reading authentication information from an electronic tag; transmitting the authentication information to a networked service; receiving access rights from the networked service; and controlling the configuration of the automation apparatus according to the access rights.

Abstract: A blockchain network management system implements an associated method comprising the steps of: a) providing a blockchain network configured for providing individual blockchain users with access to a blockchain; b) providing individual blockchain users with a smartphone having a GPS receiving unit associated with a communications network and with a biometric user identification technology coupled to the smartphone; c) identifying an individual blockchain user with the biometric user identification technology by obtaining biometric characteristics that are unique to each human via the communications network; d) authenticating the individual blockchain user's identity and geolocation in an authentication network coupled to the communications network; and e) providing access of authenticated individual blockchain users to the individual blockchain. The blockchain network management system further includes tokens issued to individual authenticated users for providing access to the individual blockchain.

Abstract: Systems and methods for peer-to-peer secure document exchange are disclosed. The system may allow a document provider to securely transmit a certified document to a document verifier using decentralized storage. The verifier system may generate a session key pair and transmit the session public key to a trusted API provider. The trusted API provider may generate a session nonce. The verifier system may transmit the session nonce to the provider system. The provider system may use the session nonce to retrieve the session public key. The provider system may encrypt a certified document using the session public key and store the encrypted certified document in the decentralized storage. The verifier system may retrieve the encrypted certified document by polling the trusted API provider based on the session nonce. The verifier system may decrypt the encrypted certified document using the session private key.

Abstract: In an example implementation, a print supply cartridge comprises a microcontroller to receive a timing challenge and enable authentication of the cartridge by providing a challenge response. The challenge response is provided in a challenge response time that falls within an expected time window.

Abstract: The present disclosure is generally directed a system to detect activation phrases within input audio signals transmitted over a low-bandwidth network. The system can use a two-stage activation phrase detection process. First a sensing device, which can include a plurality of microphones for detecting an input audio signal, can detect an input audio signal that includes a candidate activation phrase. Second, the sensing device can transmit the recordings of the input audio signal to a client device for confirmation that the input audio signal includes the activation phrase.

Abstract: A device and methods are described that comprise at least one host application and a rich execution environment. At least one interface is operably coupled to the REE for communicating with a remote server. A security sub-system comprises a security monitoring and control circuit coupled to the REE and connectable to the remote server via the REE and the at least one interface. The security monitoring and control circuit comprises an analytics circuit configured to detect an anomaly following a compromisation of the device. The security monitoring and control circuit is arranged to treat the REE as an untrusted component and in response to a detection of a compromisation of the REE or a component in the device that is accessible by the REE by the analytics circuit, the security monitoring and control circuit is configured to re-establish a secure connection to the remote server that tunnels through the REE and at least partially removes the compromisation from the device.

Abstract: At least one data file for backup can be received. The data file can be divided into a plurality of data blocks. A first portion of the plurality of data blocks can be allocated to a first data processing system for backup by the first data processing system. A second portion of the plurality of data blocks can be allocated to a second data processing system for backup by the second data processing system.

Abstract: A method includes requesting, by a first computing device having a first application and a first Transport Layer Security (TLS) library, a sequence of cryptographic keys obtained by a first agent, the sequence of cryptographic keys based on an agent key and provided from the first agent to the first TLS library, requesting, by a second computing device having a second application and a second TLS library, the sequence of cryptographic keys obtained by a second agent, the sequence of cryptographic keys based on the agent key and provided from the second agent to the second TLS library, and communicating between the first application of the first computing device to the second application of the second computing device using the sequence of cryptographic keys based on the agent key.

Abstract: The disclosed technology teaches safely attaching an access token to a browser-based request from a first app loaded by a webpage, without exposing the token to malicious code loaded by the webpage, providing an identity proxy that transparently determines which network requests to relay and a secrets management proxy that provides access tokens transparently to the requests. The identity proxy intercepts an access request from the first app to the resource server and relays the request via the secrets management proxy, which forwards the request to the resource server with an access token, receives a response from the resource server and forwards the response to the identity proxy for return to the first app. The secrets management proxy is implemented in an iFrame that has isolated storage subject to a browser-enforced same origin policy that makes the isolated storage used by the iFrame inaccessible to malicious code on the webpage.

Abstract: A method including receiving, by a first server from a second server, an encrypted authentication packet to enable the first server and the second server to conduct an authentication process, the encrypted authentication packet including a crypted code field indicating a type associated with the encrypted authentication packet and a crypted payload including one or more encrypted fields; and transmitting, by the first server to the second server, a response based at least in part on determining the type associated with the encrypted authentication packet and on decrypting the one or more encrypted fields. Various other aspects are contemplated.

Abstract: A system and method for identifying and authenticating a counterfeit article using digital fingerprints are disclosed. The system comprises a server with a processor and memory, and a database. The memory is configured to store a set of modules executable by the processor. The set of modules include, but not limited to, a digital image acquisition module, a comparison module, and a decision module. The digital image acquisition module is configured to extract analog identification indicium of the article from one or more images. The comparison module is configured to compare analog identification indicium with actual analog identification indicium of the article. The decision module detects the authenticity of the article based on the comparison results. The system further comprises an anti-counterfeiting network verification system in communication with the server, configured to securely protect the actual analog identification indicium of the article from unauthorized access and other potential crimes.

Abstract: A computer-implemented method, a computer program product, and a computer system for detecting, verifying and preventing unauthorized use of a Voice over Internet Protocol (VoIP) service. A computer rates a VoIP call based on a database including information of the caller number, in response to determining that no record of a caller number exists in a database including the information of unauthorized uses. The computer sets a predetermined time period for the VoIP call based on a rating of the VoIP call, adds the predetermined time period to a session initiation protocol (SIP) invite, and connects the VoIP call to a called party. In response to that the predetermined time period is reached, the computer interrupts the VoIP call and prompts the caller to conduct user verification. In response to that the caller is successfully verified, the computer reconnects the VoIP call to the called party.

Abstract: A system and method for establishing trust between management entities with different authentication mechanisms in a computing system utilizes a token exchange service to acquire a second security token used in a second management entity in exchange for a first security token used in a first management entity. In an embodiment, an endpoint is set at the first management entity as an authentication endpoint for the second management entity, which is used to authenticate a request with the second security token that is sent from the first management entity to the second management entity. After authentication, the request is processed at the second management entity and a response is transmitted to the first management entity.

Abstract: A Wi-Fi network includes one or more access point devices configured to connect to one or more devices; wherein the Wi-Fi network is designated by a Service Set Identifier (SSID); wherein each Wi-Fi client device accesses the Wi-Fi network using the SSID and a key of a plurality of keys each being a password or certificate for the Wi-Fi network; and wherein each of the plurality of keys designates an access zone of a plurality of access zones each defining rules for network and/or device access such that the one or more access point devices provide selective access based on which of the plurality of keys is used for each of the one or more devices.

Abstract: The present invention puts forward a personal electronic access permission (Figure B, 31) that can both check on the customer's identity (Figure A, step 2) and right to access an event/venue in one scanning event, and address the unwanted secondary market, still enabling a customer (Figure D, 5) to sell back an electronic access permission to the system (Figure D, I) in case the customer is not able to attend the event.

Abstract: Systems and methods for monetizing the reproduction of digital media content for the rights-holders of the digital media content. Embodiments of the present disclosure relate to determining whether a user of a media content item has a license to reproduce the media content item. In one embodiment, the media content item may be reproduced when the user is licensed. The user is prompted to select to acquire a license to reproduce the media content item or to decline the license to reproduce the media content item when the user is not licensed. Further embodiments determine whether a user may receive a license when the user wishes to acquire a license. In an embodiment, the user is declined a license when not approved for the license.

Abstract: A method for assigning a random number to a user in a set of users includes computing a random number assignment seed value based on an ASCII-value representation of the user's name, dividing the random number assignment seed value by a quantity of unassigned numbers available to be assigned to the user to produce a modified random number assignment seed value, rounding the modified random number assignment seed value down to an integer, computing a random number offset value by multiplying the quantity of unassigned numbers by the rounded modified random number assignment seed value, subtracting the random number assignment offset value from the random number assignment seed value to determine a random number assignment lookup number, determining the random number to be assigned to the user based on the random number assignment lookup number, and assigning the determined random number to the user.

Abstract: Examples provided herein are directed to a computing device and media playback system sharing access to a media service corresponding to a media application installed on the computing device. In one example, a media playback system may be configured to (i) receive from the computing device an authorization code that corresponds to a media application installed on the computing device that is authorized to access media from a media service, (ii) transmit to the media service an authorization request with the authorization code, (iii) receive from the media service an authorization token that facilitates obtaining media from the media service, and (iv) transmit to the media service a request for media for playback by the media playback system, where the request for media includes the authorization token.

Abstract: According to a first aspect, there is provided an identity verifier comprising: at least one processor; at least one memory including computer program code; and a communication port coupled to the processor the at least one memory and the computer program code configured to, with the at least one processor, cause the identity verifier at least to: receive, through the communication port, query information to verify an identity provided by a party requesting a financial service; extract a unique identifier of an electronic device from the query information, the electronic device used to request the financial service; calculate a probability of an accuracy of the identity verification by at least determining whether one or more databases contain a record of the unique identifier, the one or more databases storing data used to perform the identity verification; and respond, through the communication port, to the query with the calculated probability.

Abstract: A distributed secure communication system includes a first System Control Processor (SCP) subsystem coupled to second and third SCP subsystems via a network. The first SCP subsystem identifies the second SCP subsystem, signs a first SCP authentication communication with a first private key to provide a first signed SCP authentication communication that it transmits to the second SCP subsystem. The first SCP subsystem receives a second signed SCP authentication communication from the second SCP subsystem, authenticates the second signed SCP authentication communication using a second public key associated with the second SCP subsystem and, in response, establishes a first secure communication channel with the second SCP subsystem.

Abstract: In embodiments, an authentication server interfaces between a user device with a self-signed certificate and a verifying computer that accepts a user name and password. The user device generates a self-signed certificate signed by a private key on the user device. The self-signed certificate is transmitted to a verifying party computer over a network. The verifying party stores the self-signed certificate with user identification data. The user migrates trust to another device by providing the root certificate and intermediate certificate as a certificate chain to a second device, which then adds a new intermediate certificate to create a longer certificate chain with the same root certificate. In subsequent communications, the verifying party receives a certificate chain including the self-signed certificate from the second user device, and matches that with the user identification data stored in a database.