Abstract: A wireless communication system enables one-sided authentication of a responder device (120) by an initiator device (110) and mutual authentication of both devices. Embodiments of the initiator may have a message unit (116) and a state machine (117). The initiator starts by acquiring a responder public key via an out-of-band action and sends an authentication request. The responder sends an authentication response comprising responder authentication data based on a responder private key and a mutual progress status indicative of the mutual authentication being in progress for enabling the responder device to acquire an initiator public key via a responder out-of-band action. The initiator state machine is arranged to provide a mutual authenticating state, engaged upon receiving the mutual progress status, for awaiting mutual authentication. Thereby long time-out periods during wireless communication are avoided, while also enabling the initiator to report communication errors to the user within a short time.

Abstract: In one embodiment, a secure challenge-response method includes requesting respective token challenges from devices, receiving the respective token challenges from the devices, providing the respective token challenges to a signing server, receiving from the signing server a signature of the respective token challenges signed with a private key of the signing server, and providing to a given device of the devices a request to perform an operation, the request including the signature and the respective token challenges.

Abstract: Discussed are a cross certification method and a certifying device to perform the method.

Abstract: A method provisions keys in a network of connected objects, including a plurality of such objects as well as a programming station. The nodes of the network could communicate over a main channel and over a secure auxiliary channel, distinct from the main channel. After a first phase of authentication and mutual identification with the nodes of the network, a terminal including a secure hardware element, broadcasts, in a second phase, a set of secret keys to each node, via the auxiliary channel, the set of secret keys including a first secret key intended to authenticate the nodes belonging to the network and a second secret key, intended to encrypt the exchanges over the main channel. In a third phase, the programming station performs a discovery of the nodes of the network.

Abstract: An adversarial robustness testing method, system, and computer program product include testing, via an accelerator, a robustness of a black-box system under different access settings, where the testing includes tearing down the robustness testing to a subtask of a predetermined size.

Abstract: A system and method for providing dynamic network traffic policies is provided. The method includes: inspecting a workload for a cybersecurity object, the cybersecurity object indicating a cybersecurity risk, wherein the workload is deployed in a cloud computing environment having a firewall connected to an external network; detecting the cybersecurity risk on the workload based on the cybersecurity object; generating a policy for the firewall based on the cybersecurity risk; and configuring the firewall to apply the generated policy.

Abstract: Some aspects of the present disclosure include systems and techniques for key exchange and encryption to facilitate secure wireless communication. Certain aspects of the present disclosure are directed towards a method for wireless communication by a first device. The method generally includes determining, at a security system, a first output associated with a first expression having a first value for a variable of the first expression; determining, at the security system, a second value; evaluating, at the security system, a second expression based on the first output and the second value, the second expression being evaluated to determine a second output associated with the first expression with the variable having a third value, the third value being a product of the first value and the second value; and communicating, via a communication interface coupled to the security system, a message based on the second output.

Abstract: Implementations of the present disclosure are directed to systems and methods for reducing the size of packet headers by using a single field to encode multiple elements. Instead of including separate fields for each element, one or more encoded fields may be used, each of which is decoded to determine two or more values for the data packet. A receiving device decodes the encoded data field to retrieve the two or more values.

Abstract: A zero-touch deployment (ZTD) manager receives a first request to issue a first cryptographic token to a constrained device for establishing a communications session between the constrained device and a secured resource. The ZTD manager evaluates identity information corresponding to the constrained device and determines whether the identity information is valid. If so, the ZTD manager returns the first cryptographic token to the constrained device, where it is stored in cache memory. The ZTD manager receives a second request to obtain a second cryptographic token from the secured resource. When the second cryptographic token is provided to the secured resource, the secured resource uses this second cryptographic token to validate the first cryptographic token and to facilitate the communications session with the constrained device.

Abstract: The invention refers to a method for increasing a security level of one-time-password message format of an organization and for disabling displays of one-time-passwords on screens of smartphones in a state of locked-screen-preview. The method includes the steps of having a computer system of an organization on which the format is saved and used for sending one-time-passwords to smartphones of clients of the organization, redrafting the format or replacing the format with a new format to include at least one hundred and twenty characters from the beginning of the redrafted or the new format until the digits that comprise the one-time-password, and using the redrafted or the new format for sending one-time-passwords to smartphones of clients of the organization. By that, the one-time-passwords are disabled to be shown on the screens of the smartphones that are in a state of locked-screen-preview.

Abstract: An example operation may include one or more of receiving, by a data store peer, measured values of objects, storing, by the data store peer, the measured values along with corresponding hash/time pair values on a data store of the data store peer, executing, by the data store peer, a smart contract to update the hash/time pair values on a blockchain ledger, executing, by the data store peer, a smart contract to retrieve hash values corresponding to a particular time from the blockchain ledger and providing the hash values to the data store, generating, by the data store peer, a summary table that contains object values retrieved from the data store based on the hash values, and executing, by the data store peer, a smart contract to calculate a fee based on the summary table.

Abstract: In one arrangement, a method for using symmetric keys between two entities comprising a device and a host include initiating, by the device, a transaction involving original data, wherein the original data needs to be verified by the host. The method further includes deriving, by the device, a first key based on a previously generated key and a first number, wherein the first key is unique to the transaction, and the first number is randomly generated. The method further includes sending, by the device, the first key to the host for verification.

Abstract: The present application provides methods for downloading a key, a client, a password device, and a terminal device, in which, the client sends a request for downloading an initial key to a backend server, and receives a server identity certificate delivered by the backend server and forwards the server identity certificate to the password device. The client acquires a device identity ciphertext returned by the password device and sends the device identity ciphertext to the backend server. The client acquires a server identity ciphertext and an initial key ciphertext generated by the backend server, and sends the server identity ciphertext to the password device. After the password device successfully verifies an identity of the backend server, the client sends the initial key ciphertext to the password device.

Abstract: A data intermediary system includes a processor and a storage unit. The storage unit stores, for a plurality of services used by a user in the past, provision situation information indicating data for each item of the data provided to a service provider to use the service. The processor acquires information indicating an item of data requested, by the service provider, acquires the provision situation of data of the same item as the item of the data requested by the service provider, determines that an item of the data whose provision situation satisfies a predetermined condition is provided to the service provider, and controls distribution of the data to the service provider that that holds the data of the item determined to be provided.

Abstract: An authentication encryption device generates a mask sequence having, as an element, multiplication, in a Galois field, of a basic mask and a primitive element raised to power of an exponent. The basic mask is defined based on an initialization vector, a secret key, and a constant. The primitive element is a primitive element of a multiplicative group of the Galois field. The exponent differs per cleartext block. The authentication encryption device generates a mask for tag generation by multiplication, in the Galois field, of the basic mask and the primitive element of the multiplicative group of the Galois field raised to power of an exponent differing from the exponent in any of the element in the mask sequence.

Abstract: An information processing device according to the present application includes a control unit. The control unit acquires, from an authentication server in a state in which a first authenticator used for FIDO authentication and a second authenticator used for recovery for the FIDO authentication cooperate with each other, a recovery execution request that is transmitted from a user terminal including the second authenticator to the authentication server, and if the recovery execution request meets a predetermined authentication condition that is set in advance, notifies the user terminal including the second authenticator of a recovery execution permission.

Abstract: Methods and systems for user authentication. At a server, receiving unique fingerprint information for an unauthenticated browsing session with the server by a first user device. The unique fingerprint information received is compared with respective historical fingerprint information associated with a plurality of user accounts stored on the server. Based on the comparison, determining that one of the plurality of user accounts has associated historical fingerprint information that matches the unique fingerprint information with at least a threshold confidence level. In response to receiving user input from a second device indicating that the unauthenticated browsing session corresponds to the one of the plurality of user accounts, associating the unauthenticated browsing session with the one of the plurality of user accounts.

Abstract: The disclosed computer-implemented method for protecting the security of authentication credentials utilized to access sensitive data during online transactions may include (i) registering, utilizing a set of cryptographic keys, a proxy service with a third-party service provider of sensitive online transactions, (ii) identifying user credentials for accessing the third-party service provider, (iii) encrypting the user credentials utilizing the set of cryptographic keys, (iv) sending the encrypted user credentials in a request for authentication tokens, (v) accessing, responsive to the request, the authentication tokens for sharing with an access manager of the user credentials, and (vi) performing a security action that protects against a data privacy invasion by utilizing the authentication tokens to validate a user requesting access to a website hosted by the third-party service provider without the user credentials. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Discussed is a mutual authentication protocol, and systems, methods and devices implementing the same. Such a protocol may be used, as a non-limiting example, by devices coupled by low throughput connections for speedy authentication to establish a secure communication session.

Abstract: Techniques disclosed herein relate to the pairing of a pairing initiator device and a pairing responder device for communication. The pairing initiator device and the pairing responder device range with each other to determine the distance between the pairing initiator device and the pairing responder device. Based on the distance being below a threshold distance, the pairing initiator device and the pairing responder device wirelessly pair with each other without further input from the user.

Abstract: Provided is a method to authenticate a user equipment (UE) at a service provider (SP), when the UE is compliant with either Generic Bootstrap Architecture (GBA) or Authentication and Key Agreement for Applications (AKMA). The user authentication is performed by way of the GBA or AKMA protocol The method relies on the Mobile Network Operator's (MNO) GBA or AKMA authentication framework. It can employ a Diffie-Hellman exchange between the user equipment (UE) and the service provider (SP), leading to a Diffie-Hellman session key (gxy), while establishing the GBA or AKMA protocol. The method calculates a final Network Application Function (NAF) or AKMA Application Function key (iNAF_key or iAApF_key) to maintain confidentiality of the communication between the user equipment (UE) and the service provider (SP). It derives this key from the Diffie-Hellman session key (gxy) and from the respective protocol's service provider key (Ks_ext/int_NAF or KAF).

Abstract: Systems and methods for device agnostic remote eSIM provisioning. One example method includes detecting, with an electronic processor, a provisioning trigger event. The method includes, responsive to detecting the provisioning trigger event, transmitting, via a transceiver, a provisioning request to a mobile device management server, the provisioning request including a device identifier and an identifier for an integrated circuit card of the wireless communication device. The method includes receiving, from the mobile device management server, an activation code. The method includes transmitting, to the integrated circuit card, a provisioning command based on the activation code.

Abstract: A method for creating a secure channel between devices for secure communication therebetween. The method comprises transmitting a first nonce from an initiator device to a responder device; receiving, at the initiator device, a second nonce and an identity of the responder device; transmitting an identity of the initiator device and a first set of one or more encrypted data objects from the initiator device to the responder device; receiving, at the initiator device, a second set of one or more encrypted data objects from the responder device; and generating, at the initiator device, a session key for secure communication between the initiator and responder devices.

Abstract: Disclosed are various approaches for authenticating a user through a voice assistant device and creating an association between the device and a user account. The request is associated with a network or federated service. The user can use a client device, such as a smartphone, to initiate an authentication flow. A passphrase is provided to the client device can captured by the client device and a voice assistant device. Audio captured by the client device and voice assistant device can be sent to an assistant connection service. The passphrase and an audio signature calculated from the audio can be validated. An association between the user account and the voice assistant device can then be created.

Abstract: A method for sequential authentication based on chain of authentication using public key infrastructure (PKI) is provided. The method includes abutting a first wearable device belonging to a first party with a second wearable device belonging to a second party; transmitting, by the first wearable device, authentication information of the first party; verifying the authentication information of the first party; transmitting, by the second wearable device, authentication information of the second party; verifying the authentication information of the second party; authorizing electronic transaction in response to successfully verifying both the authentication information of the first party and the authentication information of the second party. Each of the authentication information of the first party and the authentication information of the second party includes information configured for authentication based on a public key infrastructure (PKI) certificate.

Abstract: An authentication-gaining apparatus includes: an acquiring unit that acquires unique information; an encrypting unit that encrypts the unique information using a cryptographic key, thereby generating encrypted information; and a transmitting unit that repeatedly transmits an authentication request containing the encrypted information, to an authentication apparatus, during an authentication period, wherein multiple authentication requests respectively containing encrypted information obtained by encrypting multiple pieces of unique information are transmitted during the authentication period.

Abstract: A system and method for data compression with homomorphic encryption, which enables secure storage of private information in a database, and which enables searching and comparison of encrypted data within the database, comprising a stream condition system configured to optimize the contents of received data for lossless compression by a data encoder, a data encoder to perform the lossless compression, and an encrypted search engine configured to encrypt the compressed data according to a homomorphic encryption scheme and store the encrypted data in a database. The system may receive a data query and encrypt the data query according to the homomorphic encryption scheme. The encrypted data query may be compared against an encrypted element in the database and an encryption score generated. The encryption score may be compared against a set of criteria to determine if a match is found. Matched data may be returned to the requesting entity.

Abstract: A virtualization host is identified for an isolated run-time environment. One or more records generated at a security module of the host, which indicate that a first phase of a multi-phase establishment of an isolated run-time environment has been completed by a virtualization management component of the host, is transmitted to a resource verifier. In response to a host approval indicator from the resource verifier, the multi-phase establishment is completed at the virtualization host.

Abstract: Systems and methods for file sharing over secure connections.

Abstract: A server device is provided for authenticating client devices on a communication network. The server device includes a transceiver configured for operable communication with at least one client of the communication network, and a processor including a memory configured to store computer-executable instructions. When executed by the processor, the instructions cause the server device to transmit one or more messages of an authentication exchange with a client device, transmit a server Registration Authorization Token (RAT) associated with the server device to the client device, receive from the client device a client RAT associated with the client device, and store the client RAT.

Abstract: Methods, apparatuses, and computer program products are provided to facilitate connections between devices, such as a printer and a cloud-based server, and to implement an adaptive application framework. In the context of an apparatus, a printer is provided comprising communications circuitry configured to facilitate communications with a network; and processing circuitry configured to transmit a connection request to the network; receive requested connection parameters from the network; transmit printer connection parameters to the network; and establish a first secure connection between the printer and the network. The printer comprising processing circuitry further configured to receive requested connection parameters comprising at least a signed security certificate and a DNS name for a server on the network and to verify the signed security certificate and the DNS name for the server.

Abstract: An implantable medical device, external device and method for managing a wireless communication are provided. The IMD includes a transceiver configured to communicate wirelessly, with an external device (ED), utilizing a protocol that utilizes multiple physical layers. The transceiver is configured to transmit information indicating that the transceiver is configured with first, second, and third physical layers (PHYs) for wireless communication. The IMD includes memory configured to store program instructions. The IMD includes one or more processors configured to execute instructions to obtain an instruction designating one of the first, second and third PHY to be utilized for at least one of transmission or reception, during a communication session, with the external device and manage the transceiver to utilize, during the communication session, the one of the first, second and third PHY as designated.

Abstract: A distributed computing system provides a distributed data store for network enabled devices at the edge. The distributed database is partitioned such that each node in the system has its own partition and some number of followers that replicate the data in the partition. The data in the partition is typically used in providing services to network enabled devices from the edge. The set of data for a particular network enabled device is owned by the node to which the network enabled device connects. Ownership of the data (and the data itself) may move around the distributed computing system to different nodes, e.g., for load balancing, fault-resilience, and/or due to device movement. Security/health checks are enforced at the edge as part of a process of transferring data ownership, thereby providing a mechanism to mitigate compromised or malfunctioning network enabled devices.

Abstract: A variable-step authentication system and a method for operating for performing variable-step authentication for communications in a controlled environment is disclosed. The variable-step authentication system may include a communication device and a server. The variable-step method includes steps for determining an authentication process that involves a number of authentication steps. The number of authentication steps is variable and dependent on a trust level associated with each participant in the communication.

Abstract: An exemplary method includes an access management system receiving a signed message that is associated with a non-fungible digital asset and that includes a non-fungible digital asset identifier and a nonce. The non-fungible digital asset may be configured to provide access to an access-restricted resource. Based on the non-fungible digital asset identifier included in the signed message, the access management system may access a distributed record that is configured to store ownership information associated with the non-fungible digital asset. Based on the signed message and the ownership information stored in the distributed record, the access management system may verify that a user of the non-fungible digital asset is authorized to access the access-restricted resource.

Abstract: A trust rule between a first service and a second service in a plurality of services deployed in a distributed system is received; the trust rule defines whether the first service is allowed to access the second service. A trust tree is obtained for the distributed system, and the trust tree comprises a plurality of certificates for accessing the plurality of services. A first group of certificates is selected for the first service based on the trust rule and the trust tree, and the first group of certificates enables the first service to access the second service.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: Examples described herein relate to a graphics processing system that includes one or more integrated graphics systems and one or more discrete graphics systems. In some examples, an operating system (OS) or other software supports switching between image display data being provided from either an integrated graphics system or a discrete graphics system by configuring a multiplexer at runtime to output image data to a display. In some examples, a multiplexer is not used and interface supported messages are used to transfer image data from an integrated graphics system to a discrete graphics system and the discrete graphics system generates and outputs image data to a display. In some examples, interface supported messages are used to transfer image data from a discrete graphics system to an integrated graphics system and the integrated graphics system uses an overlay process to generate a composite image for output to a display.

Abstract: A method is disclosed and includes authenticating a first stage boot loader and authenticating a second stage boot loader in response to authentication of the first stage boot loader. The method also includes executing the second stage boot loader in response to authentication of the second stage boot loader. Executing the second stage boot loader includes loading an operating system, a first set of machine-readable instructions, and first configuration information associated with the first set of machine-readable instructions onto a non-transitory computer-readable medium, wherein the first set of machine-readable instructions and the first configuration information are associated with one or more priority partitions. Executing the second stage boot loader includes authenticating the operating system and the first set of machine-readable instructions.

Abstract: Embodiments of the present disclosure relate to managing admin-controlled access of external resources to group-based communication interfaces associated with an organization, via a group-based communication system including APIs for improved external resource permissioning, provisioning, and access handling. Embodiments include methods, computer program products, apparatuses, and systems configured to receive an external resource access request, determine an organization identifier, obtain an admin response indication, set an external resource permission status for the external resource based on the admin response indication, and cause rendering of the requested group-based communication interface based on the admin response indication. Embodiments further relate to provisioning and handling requests for services associated with an external resource by managing one or more single-interface access tokens linked to a multi-interface access token.

Abstract: A method for providing Cheon-resistance security for a static elliptic curve Diffie-Hellman cryptosystem (ECDH), the method including providing a system for message communication between a pair of correspondents, a message being exchanged in accordance with ECDH instructions executable on computer processors of the respective correspondents, the ECDH instructions using a curve selected from a plurality of curves, the selecting including choosing a range of curves; selecting, from the range of curves, curves matching a threshold efficiency; excluding, within the selected curves, curves which may include intentional vulnerabilities; and electing, from non-excluded selected curves, a curve with Cheon resistance, the electing comprising a curve from an additive group of order q, wherein q is prime, such that q?1=cr and q+1=ds, where r and s are primes and c and d are integer Cheon cofactors of the group, such that cd?48.

Abstract: A verifier device of an authentication system comprises physical layer circuitry and processing circuitry coupled to the physical layer circuitry. The processing circuitry is configured to encode an authentication command for sending to a credential device; decode a response communication received from the credential device, wherein the response communication includes a first random number; encrypt the first random number, a second random number, and verifier keying material for sending to the credential device; decrypt encrypted information received from the credential device, wherein the encrypted information includes the first random number, the second random number, and receiver keying material; and calculate a session encryption key using the verifier keying material and the receiver keying material.

Abstract: An exemplary method includes a digital asset management system generating a set of collectible non-fungible digital assets, generating metadata specifying that non-fungible digital assets included the set of collectible non-fungible digital assets are configured to combine together to form a layered scene configured to be presented by a computer system, and recording, in a distributed record configured to track ownership of non-fungible digital assets, ownership information associated with the set of collectible non-fungible digital assets.

Abstract: In IP communication, an authentication code AC1 uniquely generated by a receiving-side communication device 1b is sent to an originating-side communication device 1a (S1, S2), and stored in the originating-side communication device (S3). Packets in which the stored authentication code is embedded are sent to the receiving-side communication device 1b on connection from the originating-side communication device 1a to the receiving-side communication device 1b (S4), and it is determined at the receiving-side communication device whether the originating-side communication device is true or false depending on if the authentication code sent from the receiving-side communication device is contained in the packets received from the originating-side communication device or not (S5).

Abstract: One disclosed example method includes a leader client device associated with a leader participant generating a meeting key for a video meeting joined by multiple participants. For each participant, the leader client device obtains a long-term public key and a cryptographic signature associated with the participant. The leader client device verifies the cryptographic signature of the participant based on the long-term public key and the cryptographic signature. If the verification is successful, the leader client device encrypts the meeting key for the participant using a short-term private key generated by the leader client device, a short-term public key of the participant, a meeting identifier, and a user identifier identifying the participant. The leader client device further publishes the encrypted meeting key for the participant on the meeting system. The leader client device encrypts and decrypts meeting data communicated with other participants based on the meeting key.

Abstract: An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which is the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.

Abstract: Verifiable, secure communications between a sender and a receiver on at least one shared communication channel is provided. A manicoded key encoder produces an argument of knowledge for a secret key to the at least one shared communication channel, and a manicoded message encoder provides an implication argument indicating that knowledge of the secret key enables access to message content of the manicoded message. The argument of knowledge is included in a key manifest for the secret key within a manicoded key, and the implication argument is included in a message manifest of a manicoded message. In this way, the sender may provide message content within the manicoded message, and the receiver may operate a decoder to access the message content. A verifier may use the manicoded key and the manicoded message to verify that the receiver has access to the message content.

Abstract: An adversarial robustness testing method, system, and computer program product include testing a robustness of a black-box system under different access settings via an accelerator.

Abstract: A constrained device, such as an Internet of Things (IoT) device, can use a handshake procedure to establish a secure transport session with a server and generate a corresponding client session state. The constrained device can encrypt the client session state into an encrypted client session state, and transmit the encrypted client session state to the server. When the constrained device enters an idle mode, the client session state may be cleared from memory of the constrained device. However, when the constrained device next wakes from the idle mode and re-enters an active mode, the constrained device can retrieve the encrypted client session state from the server. The constrained device can decrypt the encrypted client session state to recover the client session state, and use the recovered client session state to resume the secure transport session instead of establishing a new secure transport session with a new client session state.

Abstract: Aspects and features of a cryptosystem and authentication for the cryptosystem, and a method or process for the cryptosystem, are described. In one example, a method for cryptographic communications includes storing a secret key, generating a system randomization number, and encrypting a plain data package into an encrypted data package by application of the plain data package, the secret key, and the system randomization number to a system of equations for encryption. The system of equations can be a system of linearly dependent equations in one example. Among other benefits, the cryptosystem relies upon the system of linearly dependent equations and the system randomization number to provide additional strength against known-plaintext attacks, chosen-plaintext attacks, and other types of attacks. The system is more semantically secure and offers ciphertext indistinguishability in a new approach using the system of linearly dependent equations.