Abstract: A system comprising a distributed ledger (BC) configured to store a smart contract (SB) related to a problem statement (Z), the smart contract (SB) enabling a zero-knowledge proof (ZK) concerning the problem statement (Z).

Abstract: Domain-based server-selection computer-implemented processes and machines implement an extension of RAFT consensus for leader selection based on patterns of update data proximity. Accounts involved in payment or other transactions are maintained as “sharded” data across data store instances that are split into shards according to their temporal activity. If the domain attributes for a node exceed a threshold and are greater than the other nodes, the node is designated as a leader node and the others are designated as follower nodes. This provides an additional optimization in network performance by introducing insights in normal operations within a domain in a distributed network. If the domain attributes do not exceed the threshold and/or are not greater than the other nodes, a traditional consensus algorithm is used to select leader and follower nodes.

Abstract: A hardware cryptographic engine comprises a direct-memory-access (DMA) input module for receiving input data over a memory bus, and a cryptographic module. The cryptographic module comprises an input register having an input-register length, and circuitry configured to perform a cryptographic operation on data in the input register. The hardware cryptographic engine further comprises an input-alignment buffer having a length that is less than twice said input-register length, and alignment circuitry performing an alignment operation on input data in the input-alignment buffer. The hardware cryptographic engine is configured to pass input data, received by the DMA input module, from the memory bus to the input register of the cryptographic module after buffering an amount of input data no greater than the length of the input-alignment buffer.

Abstract: Various aspects pertain to ways to securing a peer-to-peer communication link that serves to relay transmissions to/from a managed mobile network node. A first user equipment may identify a second user equipment that can communicate via a peer-to-peer wireless interface and serve as a relay between the first user equipment and a managed mobile network node. A relay session key material may be obtained from the managed mobile network node. A peer-to-peer communication link between the first user equipment and the second user equipment may be established or modified by, for example, securing the peer-to-peer communication link based on the relay session key material. A protocol data unit session may be established, over the peer-to-peer communication link, between the first user equipment and the managed mobile network node for secured transmissions there between.

Abstract: Provided are methods and systems for controlling access to a property via one or more electronic locks.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing a phone number list are disclosed. In one aspect, a method includes the actions of receiving, by a computing device, telephone call data that reflects characteristics of telephone calls placed and received by a first user. Based on the telephone call data, the actions further include generating, by the computing device, a first telephone number whitelist for the first user. The actions further include determining, by the computing device, whether to combine the first telephone number whitelist and a second telephone number whitelist for a second user. The actions further include storing, by the computing device, the first telephone number whitelist or the combined telephone number whitelist in association with the first user.

Abstract: A system, method, and computer-readable medium for performing a data center connectivity management operation. The connectivity management operation includes: providing a data center asset with a data center asset client module; establishing a connection between a mobile device application and a connectivity management system; submitting a request to the connectivity management system via the mobile device application to establish connectivity with the data center asset client module; establishing a connection between the data center asset client module and the connectivity management system based upon the request; and, exchanging information between the data center asset client module and the data connectivity management system via the secure communication channel between the data center asset client module and the connectivity management system.

Abstract: One embodiment provides a method, including: identifying, at an information handling device, a sensitivity level associated with user-created content; detecting editing input provided to the user-created content by a user; determining, using a processor, a type of continuous authentication policy to implement for the user-created content based upon the sensitivity level; and authenticating the user providing the editing input at a frequency dictated by the type of the continuous authentication policy. Other aspects are described and claimed.

Abstract: A computer-implemented method, and system, for detecting modification of a semiconductor device includes generating and applying an exhaustive first set of patterns to a netlist golden model of a golden device. The exhaustive first set of patterns is developed by a pseudorandom number generator. Applying the patterns to stimulate the device produces a first response serial bit stream in relation to logical composition of the golden model. A signature analyzer compresses the total output to provide a first cyclic redundancy code or answer. The same exhaustive set of patterns can be provided to stimulate the model of an unknown device. The unknown device is shown to be identical to the golden device if its answer matches that of the golden device and modified if its answer does not match that of the golden device.

Abstract: Methods and apparatus provide communications among respiratory therapy device (“TD”), server and intermediary (e.g., a control device (“CTLD”) for the therapy device) to improve security. More secure communication channel(s) may be established using shared secrets derived with different channels. The communications may include transmitting therapy data from TD to server for authentication. The CTLD may receive the data and a nonce from a server. The CTLD receives from the TD a signing key dependent on the nonce and a secret shared by TD and server. The CTLD generates an authorisation code with received therapy data and the key for authentication of the data by the server upon its receipt of the code and data. The server computes (1) a key from the nonce and the secret known to TD, and (2) another authorisation code from received therapy data and the key. Data authentication may involve comparing received and computed codes.

Abstract: Apparatuses, systems, and techniques for handling faults by a direct memory access (DMA) engine. When a DMA engine detects an error associated with an encryption or decryption operation, the DMA engine reports the error to a CPU, which may be executing an untrusted software directing a DMA operation, and the secure processor. The DMA engine waits for clearance from the secure processor before responding to further directions from the potentially untrusted software.

Abstract: The invention proposes a novel type of infective countermeasure against fault injection attacks. Instead of determining the injected error before amplifying it, the novel countermeasure applies the same diffusion function to two intermediate ciphers obtained by executing a cryptographic operation on an input. The error is therefore amplified within the same intermediate ciphers, referred to as infective ciphers after diffusion. It is then possible to use diffusion functions which do not map the cipher 0 as an output equal to 0. A cipher recomposed from bits of undiffused ciphers is also generated. These infective and recomposed ciphers are XOR-combined to provide an output cipher. This approach makes it possible to adapt, by simple duplication of the pairs and associated specific diffusion functions, the protection offered by the countermeasure to a desired number of injected faults.

Abstract: A method, a device, and a non-transitory storage medium are described in which an pre-authentication service is provided. The service may support a transport layer security handshake and determine authentication based on the initial message. The service may provide for the generation of a message that initiates a handshake between devices in which the message includes an authentication string used for authentication. The service may provide for the generation of another authentication string for comparison. The service may also support authorization of a device. The service may minimize potential malicious attacks and activities between the devices.

Abstract: An access control system stores information defining conditions under which each user is allowed to perform resource access. The access control system acquires a first access request indicating an operation for a first resource in a target system by a first user, determines based on the information whether or not the first access request is permitted, acquires a result of an additional permission/disapproval determination of the first access request in response to the disapproval determination of the first access request, and grants execution authority of the first access request by the first user according to the result of the additional permission/disapproval determination indicating permission.

Abstract: Methods, systems, and computer media provide attestation tokens that protect the integrity of communications transmitted from client devices, while at the same time avoiding the use of stable device identifiers that could be used to track client devices or their users. In one approach, client devices can receive anonymous certificates from a device integrity computing system signifying membership in a selected device trustworthiness group, and attestation tokens can be signed anonymously with the anonymous certificates using a group signature scheme. Client devices can include throttlers imposing limits on the quantity of attestation tokens created by the client device.

Abstract: An information processing apparatus has a controller configured to identify a driver of a vehicle on the basis of at least one of the results of first authentication based on a first part of the living body of a user and second authentication based on a user device. The controller gives higher priority to the result of first authentication than the result of second authentication in the processing of identifying the driver of the vehicle. The user device may include a first communication terminal capable of functioning as an electronic key of the vehicle and a second communication terminal incapable of functioning as an electronic key of the vehicle. The controller gives higher priority to the result of authentication of the first communication terminal than the result of authentication of the second communication terminal.

Abstract: Methods and systems for authenticating an Internet of Things device, such as an electronic lock, are disclosed. One method includes generating a first challenge at a server; transmitting the first challenge to the Internet of Things device; receiving a first signed certificate from the Internet of Things device, the first signed certificate being the first random number challenge signed with a private key associated with the internet of things device; and verifying the first signed certificate with the first challenge and a public key associated with the Internet of Things device. Mutual authentication of the server from the Internet of Things device is also provided.

Abstract: A verifier device in one embodiment is configured to communicate over one or more networks with a client device and a server device. The verifier device participates in a three-party handshake protocol with the client device and the server device in which the verifier device and the client device obtain respective shares of a session key of a secure session with the server device. The verifier device receives from the client device a commitment relating to the secure session with the server device, and responsive to receipt of the commitment, releases to the client device additional information relating to the secure session that was not previously accessible to the client device. The verifier device verifies correctness of at least one characterization of data obtained by the client device from the server device as part of the secure session, based at least in part on the commitment and the additional information.

Abstract: A system in one embodiment comprises a first endpoint device that is configured to communicate with a second endpoint device using a given communication protocol. The first endpoint device is configured to monitor a communication session under the given communication protocol and to generate monitoring data associated with the communication session. The first endpoint device is configured to determine that a designated network condition has occurred based at least in part on the monitoring data. The first endpoint device is configured to activate a performance monitoring component based at least in part on the determination that the designated network condition has occurred and to generate performance data utilizing the activated performance monitoring component. The first endpoint device is configured to anonymize and store the performance data.

Abstract: Anonymizing systems and methods comprising a native configurations database including a set of configurations, a key management database including a plurality of private keys, a processor in communication with the native configurations database and the key management database, and a memory coupled to the processor. The set of configurations includes one or more textual descriptions and one or more ranges, wherein each range includes a contiguous sequence comprised of IP addresses, port numbers, or IP addresses and port numbers. The processor is configured to retrieve the set of configurations from the native configurations database, wherein the set of configurations includes a plurality of objects; retrieve a private key from the key management database; assign a unique cryptographically secure identity to each object; and anonymize the plurality of objects based on the cryptographically secure identities and the private key.

Abstract: Systems and methods are provided for a network appliance comprising a plurality of virtual private network nodes operating on the network appliance, each virtual private network node being configurable to connect to selectable virtual private network end points in an on-demand computing network. A web interface is configured to connect a client device to the network appliance and to identify a selected virtual private network end point, where the client device is connected to a particular one of the virtual private network nodes and the particular virtual private network node is connected to the selected virtual private network end point based on interactions with the web interface.

Abstract: In various example embodiments, a system and method for an electronic commerce file system are provided. In example embodiments, a selection of an item contained in a folder of an electronic commerce file system is received. The item is offered for sale by an electronic commerce provider, and the electronic commerce file system resides locally on a client device. Based on a type of the folder, a set of actions are provided for selection, with the set of actions to be performed with respect to the item. A selection of an action to be performed with respect to the item is received. The action is performed with respect to the item, with the action being performed between the electronic commerce file system and the electronic commerce provider via a network.

Abstract: This disclosure provides systems, methods and apparatus, including computer programs encoded on computer storage media, for multi-link aggregation in wireless communications. In one aspect, an apparatus includes a multi-link operation device configured to generate and output for transmission a message indicating a mapping of each of a plurality of traffic identifiers (TIDs) to one or more parameters associated with each of a plurality of wireless links. In some aspects, another apparatus may obtain a message via at least one of a plurality of wireless links indicating a mapping of each of a plurality of TIDs to one or more parameters associated with each the plurality of wireless links, obtain a sequence of packets associated with at least one of the plurality of TIDs via one or more of the plurality of wireless links, and process the sequence of packets based on the mapping indicated via the message.

Abstract: A processor may segment a media key block into two or more subsets. Each of the two or more subsets may be respectively associated with a particular group of receivers, and each receiver of the particular group of receivers may be in a blockchain network. The processor may receive, from a first receiver, a request for permission to process the media key block. The processor may identify which of the two or more subsets that the first receiver is associated. The processor may provide a media key block value to the first receiver.

Abstract: Computer methods and devices for handling requests by using a distributed ledger database. An evaluation of a request is performed based on a first data item comprising first information about a state of a system and on a second data item comprising second information about a proposed action in response to the state of the system. The first and second data items are evaluated to establish whether, given the state of the system, the proposed action is appropriate. A third data item is provided and a fourth data item is accessed. The third data item comprises encrypted first information. The fourth data item comprises information for accessing encrypted information comprised in a first encrypted data item. The first data item is authenticated against the first encrypted data item to establish whether the information in the first data item is compatible with the in-formation in the first encrypted data item.

Abstract: A method for leveraging a universal credential in an access control system according to one embodiment includes generating, by a cloud system, a CBOR web token for user access to at least one electronic lock, wherein the CBOR web token includes a group tag associated with a set of access rights for a group of users and a cryptographic signature, transmitting the CBOR web token to a user mobile device, receiving, by a first electronic lock, the CBOR web token from the user mobile device for access to a passageway secured by the first electronic lock, verifying an authenticity of the cryptographic signature of the CBOR web token and that the group tag of the CBOR web token is associated with a group authorized to access the passageway secured by the first electronic lock, and unlocking a lock mechanism in response to the verifications.

Abstract: A method for providing a personal data storage service between a first user who is a data provider and a second user who is a data requester by using a smart contract based on a first layer and a privacy layer and a storage layer based on a second layer is provided. The method has an effect of generating encoded subject data made by encoding subject data by using a random key as an encryption key generated through a data provider terminal, to thereby prevent the personal storage service provider from decoding the subject data. Further, the method has another effect of saving the storage for use in PDS service, since there is no need to generate each of encoded encryption key and encoded subject data in line with each of data requester even if the number of data requesters increase by implementing using a proxy re-encryption technology.

Abstract: A secret key is communicated to a receiver system. A one-time pad is generated using the secret key and a counter. An encrypted message is generated by performing an XOR operation on a first message using the one-time pad. The encrypted message and the counter are sent to the receiver system.

Abstract: A secure authentication method includes: deriving a distributed LSH value using secret LSH, taking a first distributed feature amount which is a feature amount of user information distributed through a secret distribution method and encrypted LSH parameters as inputs; deriving a distributed hash value using a secret unidirectional function, taking the distributed LSH value and a distributed key as inputs; decoding the hash value by reversing distribution of the distributed hash value; selecting, from a secret hash table storing sets of a hash value as an index and a distributed feature amount as a data string, a set including a hash value matching the decoded hash value; computing, in secret, similarity between the distributed feature amount in the set and the first distributed feature amount; deriving, in secret, a user authentication result based on the similarity computed; and outputting the derived authentication result.

Abstract: This invention relates generally to methods and apparatus for providing secure services using a mobile device, and in particular for securely making transactions, such as payments, using mobile phones and smartphones.

Abstract: Various embodiments relate to a method performed by a processor of a computing system. An example method includes generating a symmetric content encryption key. Content is encrypted using the content encryption key to generate cipher text. A hash of the cipher text is generated. Each of the hash and the content encryption key is signcrypted using each of a signcrypting party public key, a signcrypting party private key and a recipient public key to generate a signcrypted envelope message. The cipher text is embedded in a component of the signcrypted envelope message. The signcrypted envelope message is transmitted to a recipient. The recipient can unsigncrypt the signcrypted envelope message using each of the recipient public key, a recipient private key, and the signcrypting party public key to retrieve the content encryption key and hash of the cipher text. The recipient can decrypt the cipher text using the content encryption key.

Abstract: A method encrypting, by a user device based on utilizing a first cryptographic key, first factor authentication information that is associated with determining a first authentication factor; encrypting, by the user device, the first cryptographic key based on utilizing an assigned public key associated with the user device; encrypting, by the user device based on utilizing a first master key, an assigned private key associated with the user device; encrypting, by the user device based on utilizing a second cryptographic key, second factor authentication information that is associated with determining a second authentication factor; encrypting, by the user device, the second cryptographic key based on utilizing a second master key; and storing, by the user device, encrypted first factor authentication information and encrypted second factor authentication information in a memory associated with the user device is disclosed. Various other aspects are contemplated.

Abstract: According to an example aspect of the present invention, there is provided a cryptoprocessor comprising physical unclonable function circuitry comprising at least one physical unclonable function, and at least one processing core configured to process a challenge received from outside the cryptoprocessor by at least deriving a response to the challenge by providing the challenge as input to the physical unclonable function circuitry, using the response as an encryption key to encrypt a second encryption key, and by causing the encrypted second encryption key to be provided to a party which issued the challenge.

Abstract: Key management for encrypted data. A node, such as a storage device, obtains a shared key to be used in cryptographic operations. The obtaining includes using an identifier of another node, such as a host of the computing environment, and a unique identifier of the shared key to obtain the shared key. The obtained shared key is then used in one or more cryptographic operations.

Abstract: A computer-implemented method for automatically pairing two devices is disclosed. The computer-implemented method includes detecting a first type of movement from a first device. The computer-implemented method further includes determining that the first device is located within a threshold distance of a second device when the first type of movement from the first device is detected. The computer-implemented method further includes determining whether an auto-pairing policy matches the first type of movement from the first device and the threshold distance between the first and second devices. The computer-implemented method further includes, responsive to determining that the auto-pairing policy matches the first type of movement from the first device and the threshold distance between the first and second devices, automatically pairing the first device and the second device.

Abstract: An authentication system, including at least one processor configured to: perform, based on a similarity between input authentication information that has been input and registered authentication information that has been registered, authentication of a user to be authenticated; determine whether there is a possibility that the user is authenticated as another user; acquire, when it is determined that there is the possibility that the user is authenticated as another user, for the input authentication information, a plurality of pieces of processed authentication information processed differently from each other; and determine, when it is determined that there is the possibility that the user is authenticated as another user, whether a predetermined number or more of pieces of processed authentication information are more similar to the registered authentication information than to the input authentication information and perform the authentication based on a result of the determination.

Abstract: Example embodiments of systems and methods for data transmission system between transmitting and receiving devices are provided. In an embodiment, each of the transmitting and receiving devices can contain a master key. The transmitting device can generate a diversified key using the master key, protect a counter value and encrypt data prior to transmitting to the receiving device, which can generate the diversified key based on the master key and can decrypt the data and validate the protected counter value using the diversified key. Example embodiments of systems and methods can be used to provide further authentication and added levels of security for transactions.

Abstract: A method and system for implementing and managing security policies in a cloud environment of enterprises are disclosed. In some embodiments, the method includes creating cloud-independent policies associated with enterprise assets in the cloud environment and sharing the cloud-independent policies across one or more distributed enterprises in the cloud environment. The method also includes translating and enforcing the policies in run-time across the distributed enterprises. The method further includes applying the policies collaboratively in the distributed enterprises based on distributing policy enforcement in the distributed enterprises while centralizing policy operations, where applying the policies includes discovering cloud-based assets of the enterprises and enterprise asset data related to the cloud-based assets and creating, based on the enterprise asset data, at least one graph (organization, user, resource) representing the relationships among the assets.

Abstract: Disclosed are various embodiments providing user authentication through registered device communications. An authentication request is received from a client device. A user is authenticated for access to a user account based at least in part on the client device providing the authentication token. The authentication token is generated by the client device or by one or more other computing devices and sent to the client device. The client device encrypts the authentication token based at least in part on a user authenticating factor and stores the encrypted authentication token on the client device.

Abstract: A plurality of computing devices are provisioned configured to communicate on a mobile communications network operated, in part, by an edge computing network. The edge computing network is associated with a customer of a computing service provider. The edge computing network comprises computing and storage devices configured to extend computing resources of the computing service provider to the customer of the computing service provider. A selection is received of a SIM provider and a quantity of SIM profiles for enabling the plurality of computing devices to access the mobile communications network. SIM data corresponding to the quantity of SIM profiles is received. The SIM data is encrypted and received over an encrypted channel.

Abstract: A system may include a memory and a processor in communication with the memory. The processor may be configured to perform operations that include generating a key pair and encrypting a data credential with a public key to make a data credential secret. The operations may further include storing the data credential secret in a cluster on a host and deploying a workload on the cluster. The operations may also include establishing an empty bundle in the host and generating a pod trusted execution environment.

Abstract: Systems, apparatus, and methods of managing the lifecycle of a digital token are described. In an example, while the digital token is being generated, the digital token or the underlying digital asset can be compared to other digital tokens and/or digital assets to determine similarity thereto. Based on the similarity, a program code interface (e.g., smart contract, an application programming interface—API, RPC, etc.) can be determined and an API call can be made to execute a program code. The execution can indicate whether the digital token creation process can be completed. If so, the digital token is recorded. Thereafter, its use or the use of the underlying digital asset can be monitored, whereby this monitoring can apply similarity processing. If a use thereof is determined or if a use of a similar digital token or similar digital asset is determined, notifications can be generated and sent.

Abstract: A method for accessing a private key is provided. The method includes storing, by a first device, the private key and an associated public key, generating an access token, sending to a second device, the access token, sending, to a first server, an address relating to a decentralized identifier and the access token, sending, by the first server, to a ledger, a request for getting a decentralized identifier along with the decentralized identifier address. By way of the method a solution is provided for accessing, by a first server to be accessed from a second device, based on a decentralized identifier readable from a ledger, a second server, as a proxy to a first device. It allows for authenticating a first device to a first server while keeping the private key only at the first device side (and not at the second device side).

Abstract: A system and method for controlling authorization to a protected entity are provided. The method includes: receiving an access request for access to the protected entity, wherein the access request is received from a client device; in response to the access request, causing the client device to perform an admission process that includes performing at least one game; monitoring a distributed database to identify at least one admission transaction designating admission criteria; determining if the admission criteria satisfy a set of conditions for accessing the protected entity; identifying, on the distributed database, completion results of the at least one game, wherein whether the admission criteria satisfies the set of conditions for accessing the protected entity is determined based on the results of the at least one game; and granting access to the protected entity by the client device when the admission criteria satisfies the set of conditions.

Abstract: A method and system for controlling media-content presentation based on user presence and/or user profile. An example method includes a computing system determining a quantity of users present at a media-presentation device, the quantity being at least one. Further, the example method includes, based on the determining, the computing system using the determined quantity of users present at the media-presentation device as a basis to control what media content a media player outputs for presentation by the media-presentation device. For instance, based on the determined quantity of users the computing system could tailor a graphical user interface (GUI) that the media player outputs for presentation by the media-presentation device, such as by tailoring a set of channel options that a channel-selection GUI provides, among other possibilities.

Abstract: An asynchronous and concurrent transaction processing method with high-performance oriented to a permissioned blockchain belongs to the field of blockchain technologies. The method designs two processing schemes for abort transactions, namely, additional submission of unnecessary abort transactions that are serializable and delayed centralized processing of long-conflict-chain transaction aggregation. In order to avoid the instability of system transaction processing performance caused by single point failure, the method designs a multi-node round robin consensus strategy. In addition, an inter-node auxiliary concurrency acceleration scheme is designed, which can improve the transaction performance of the whole of the system only by upgrading some of node devices in the system.

Abstract: Intelligent methods of providing online security against hackers, which prevents the hackers from obtaining unauthorized access to secure resources. A first application session established between a first client and a first application of a first host device is detected. The first application is associated with a first plurality of security time limits. A duration of the first application session established between the first client and the first application is monitored. One or more first security actions are executed against the first application session responsive to the duration of the first application session reaching a security time limit of the first plurality of security time limits. One or more second security actions are executed against the first application session responsive to the duration of the first application session reaching another security time limit of the first plurality of security time limits.

Abstract: A data storage device comprising a non-volatile storage medium configured to store user data, a data port configured to transmit data between a host computer system and the data storage device, a data security indicator, and a controller. The controller is configured to selectively control access of the host computer system to the user data based on security configuration data of the data storage device. The controller is further configured to respond to the occurrence of one or more operations, the operations being any of: (i) a data access operation requested or performed, by the host computer system, on the data storage device to access the storage medium via the data port; and (ii) a security control operation requested or performed, by an external device, on the data storage device to store, retrieve or update the security configuration data of the data storage device.

Abstract: Systems and methods are provided for validating components of an Information Handling System (IHS). During factory provisioning of the IHS, an owner certificate is stored that specifies an identity of a motherboard installed during manufacture of the IHS. The owner certificate is signed by a certificate authority of an owner of the IHS that retains capabilities for specifying the use of boot code provided by successive renters of the IHS. A renter certificate is also stored that specifies an identity of a chassis to which the motherboard is installed during manufacture of the IHS. Upon a transfer of control or ownership of the IHS, boot code operations by the security processor identify a motherboard and chassis in use by the IHS and utilize the motherboard and chassis certificates to validate that the identified motherboard and chassis are the same motherboard and chassis installed during manufacture of the IHS.

Abstract: A cloud implementation of a persisted storage device, such as a disk, is provided. The implementation supports a variety of features and protocols, in full analogy with a physical storage device such as a disk drive. The present disclosure provides for implementing standard eDrive protocols in the cloud by designing internal disk storage, referred to as a “system area,” in a virtual disk instance that the virtual disk can potentially utilize for a multitude of disk features. This internal storage can be used to implement eDrive protocols, which use the system area to maintain the necessary internal virtual disk state.