Mutual Entity Authentication Patents (Class 713/169)
  • Patent number: 11599678
    Abstract: A method for ensuring integrity of data sent by a vehicle V2X communication device to a control module to ensure operational safety, including: receiving data transferred by vehicle-to-X communication by a first computing apparatus of the V2X communication device, storing the data in a data memory, forwarding the data to a second computing apparatus, receiving the data by the second computing apparatus, establishing whether an action is to be triggered for the data and, in response, transmitting the data to a comparison apparatus, carrying out a comparison test for the data provided by the second computing apparatus with the data stored in the data memory and, in response to the test being passed, outputting the data and/or a control instruction and/or a warning message by the V2X communication device to a control module. Furthermore, a corresponding vehicle-to-X device and the use of the device in a vehicle are disclosed.
    Type: Grant
    Filed: September 18, 2019
    Date of Patent: March 7, 2023
    Assignees: CONTINENTAL TEVES AG & CO. OHG, CONTINENTAL AUTOMOTIVE SYSTEMS, INC.
    Inventors: Marc Menzel, Ulrich Stählin
  • Patent number: 11588640
    Abstract: The subject matter discloses a computer-implemented method performed during a multi-party computation (MPC) process performed between multiple parties, said method comprising, the multiple parties executing a pre-processing phase and obtaining values of correlated random variables to be used in an MPC process, the parties periodically verifying the correctness of the correlated random variables by exchanging information between the multiple parties, refreshing the values of the correlated random variables in each of the multiple parties, wherein no party of the multiple parties has access to values of the correlated random variables stored in another party of the multiple parties during the verifying and refreshing processes, the multiple parties using the correlated random variables during the MPC process after verifying a correctness of the correlated random variables.
    Type: Grant
    Filed: April 24, 2020
    Date of Patent: February 21, 2023
    Assignee: Coinbase IL RD Ltd.
    Inventor: Samuel Ranellucci
  • Patent number: 11588621
    Abstract: Systems and techniques that facilitate universal and efficient privacy-preserving vertical federated learning are provided. In various embodiments, a key distribution component can distribute respective feature-dimension public keys and respective sample-dimension public keys to respective participants in a vertical federated learning framework governed by a coordinator, wherein the respective participants can send to the coordinator respective local model updates encrypted by the respective feature-dimension public keys and respective local datasets encrypted by the respective sample-dimension public keys. In various embodiments, an inference prevention component can verify a participant-related weight vector generated by the coordinator, based on which the key distribution component can distribute to the coordinator a functional feature-dimension secret key that can aggregate the encrypted respective local model updates into a sample-related weight vector.
    Type: Grant
    Filed: December 6, 2019
    Date of Patent: February 21, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Nathalie Baracaldo Angel, Runhua Xu, Yi Zhou, Ali Anwar, Heiko H. Ludwig
  • Patent number: 11580231
    Abstract: There is provided a cryptographic key determination device for determining one or more cryptographic keys in a cryptographic device, the cryptographic device being configured to execute one or more test programs, the cryptographic device comprising one or more components (11-i), each component (11-i) being configured to generate static and dynamic data, the dynamic data being generated in response to the execution of the one or more test programs, wherein the cryptographic key determination device comprises: a data extraction unit configured to extract at least one part of the static data and at least one part of the dynamic data generated by the one or more components (11-i), and a key generator configured to combine the at least one part of static data and the at least one part of dynamic data, and to determine the one or more cryptographic keys by applying a cryptographic function to the combined data.
    Type: Grant
    Filed: September 11, 2019
    Date of Patent: February 14, 2023
    Assignee: SECURE-IC SAS
    Inventors: Youssef Souissi, Florent Lozac'h, Adrien Facon, Sylvain Guilley
  • Patent number: 11563729
    Abstract: An information processing apparatus includes a processor configured to request a management apparatus for user authentication to acquire second credential information that is used for acquiring first credential information that is used for a Web service, the second credential information indicating that a user has been authenticated, receive the second credential information transmitted from the management apparatus in a case where the user authentication is successful by the management apparatus, transmit the received second credential information to an authentication server, receive the first credential information transmitted from the authentication server in response to the transmission of the second credential information, and use the Web service by using the received first credential information.
    Type: Grant
    Filed: April 21, 2020
    Date of Patent: January 24, 2023
    Assignee: FUJIFILM Business Innovation Corp.
    Inventor: Tsutomu Hirosawa
  • Patent number: 11563579
    Abstract: Approaches in accordance with various embodiments allow for zero-touch enrollment of devices with respective manager systems. In at least one embodiment, a device at startup can contact a central directory service (CDS) for information about an associated manager. The CDS can authenticate the device using device information included in the request, and can send a challenge token to the device in response. The challenge token can include information for the manager, protected with multiple layers of security that should only be able to be decrypted by the authenticated device. The device can decrypt this challenge token to determine the manager information, and can convert this challenge token to a bearer token. The device can then send a request to the determined manager that includes the bearer token, which the manager can use to authenticate the device. The manager can then send the device appropriate configuration information.
    Type: Grant
    Filed: October 2, 2020
    Date of Patent: January 24, 2023
    Assignee: Nvidia Corporation
    Inventors: Daniel Major, Mark Overby
  • Patent number: 11556556
    Abstract: A method, apparatus and system for secure forensic investigation of a target machine by a client machine over a communications network. In one aspect the method comprises establishing secure communication with a server over a communications network, establishing secure communication with the target machine over the communications network, wherein establishing secure communication with the target machine includes establishing secure communication between the server and the target machine, installing a servelet on the target machine, transmitting a secure command to the servelet over the communications network, executing the secure command in the servelet, transmitting data, by the target machine, in response to a servelet instruction, and receiving the data from the target machine over the communication network.
    Type: Grant
    Filed: June 7, 2019
    Date of Patent: January 17, 2023
    Assignee: OPEN TEXT HOLDINGS, INC.
    Inventors: Shawn McCreight, Dominik Weber, Matthew Garrett
  • Patent number: 11553261
    Abstract: A system for releasing locking of a fusion splicer includes a fusion splicer, an information terminal, and a server. The fusion splicer locks a fusion-splicing function in accordance with a predetermined lock condition and releases the locked function in accordance with a release command input. The server includes a storage unit that stores authentication information provided by a user of the fusion splicer, a collation unit that collates authentication information provided from the information terminal with the authentication information stored in the storage unit, and a password issuance unit that issues a one-time password including at least a date in an algorithm when a collation result is favorable. The information terminal authenticates the one-time password in consideration of a day difference or a time difference between the information terminal and the server and applies the release command to the fusion splicer when an authentication result is favorable.
    Type: Grant
    Filed: December 24, 2019
    Date of Patent: January 10, 2023
    Assignee: SUMITOMO ELECTRIC OPTIFRONTIER CO., LTD.
    Inventors: Takahiro Suzuki, Kazuyoshi Ooki, Hideaki Yusa, Takaharu Ohnishi
  • Patent number: 11544393
    Abstract: Discussed herein are devices, systems, and methods for secure access to offline data. A method can include configuring a device in a task retrieval state and retrieving a task to be executed on a cold storage device while the device is in the task retrieval state, configuring the device in a disconnected state after retrieving the task, and configuring the device in a task execution state after the device is in the disconnected state and executing the task on the cold storage while the device is in the task execution state. In the task retrieval state, the device can communicate with a buffer network and cannot communicate with a cold network. In the disconnected state, the device cannot communicate with either the cold network or the buffer network. In the task execution state, the device can communicate with the cold network and cannot communicate with the buffer network.
    Type: Grant
    Filed: July 19, 2019
    Date of Patent: January 3, 2023
    Assignee: Cold Fortress, Inc.
    Inventors: Travis Lockman, Hansel Fernandez
  • Patent number: 11522693
    Abstract: There is provided an information processing device, including a processing unit configured to perform a calculation using keys assigned to a plurality of areas of a recording medium and generate an authentication key. The processing unit generates the authentication key by performing a calculation using conversion values corresponding to the keys, the conversion values being obtained by converting device-specific information using conversion methods associated with the keys used in the calculation.
    Type: Grant
    Filed: January 11, 2019
    Date of Patent: December 6, 2022
    Assignee: SONY CORPORATION
    Inventors: Tsutomu Nakatsuru, Katsuya Shimoji
  • Patent number: 11520872
    Abstract: An information processing apparatus includes a first processor, a second processor, and one or more non-volatile storage devices. The one or more storage devices store a first control program to be executed by the first processor and a second control program to be executed by the second processor. The first processor verifies the second control program stored in the one or more storage devices, and then verifies the first control program stored in the one or more storage devices.
    Type: Grant
    Filed: September 6, 2019
    Date of Patent: December 6, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Takashi Fujii
  • Patent number: 11516673
    Abstract: Devices, systems and methods are provided to implement key generation for secure pairing between first and second devices using embedded out-of-band (OOB) key generation and without requiring the devices to have input/output (IO) capability to enter authentication information. Bluetooth Smart or Low Energy (BLE) OOB pairing option can be used for pairing medical devices with added security of OOB key generation. The OOB key generation comprises providing first and second devices with the same predefined credential and secure hashing algorithm, and making input of the hashing algorithm of the first and second devices the same. The first device transmits unique data to second device (e.g., via BLE advertising) to share and compute a similar input. The first and second devices use the credential and shared data with the hashing function to generate a key that is the same at each of first and second devices.
    Type: Grant
    Filed: May 21, 2018
    Date of Patent: November 29, 2022
    Assignee: Becton, Dickinson and Company
    Inventors: Yi Su, Ping Zheng, Mojtaba Kashef
  • Patent number: 11503023
    Abstract: A first authentication apparatus obtains a modification restriction parameter which is stored in a second authentication apparatus and which indicates a number of times a mutual authentication pair modification is possible or a number of times modification has been executed. The first authentication apparatus transmits to the second authentication apparatus authentication information corresponding to the modification restriction parameter. The second authentication apparatus receives the authentication information from the first authentication apparatus. The second authentication apparatus determines whether or not the received authentication information is authentication information for permitting the mutual authentication pair modification. In a case where the received authentication information is authentication information that permits the mutual authentication pair modification, the second authentication apparatus and the first authentication apparatus form a mutual authentication pair.
    Type: Grant
    Filed: December 29, 2020
    Date of Patent: November 15, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yuta Hojo
  • Patent number: 11494481
    Abstract: Each of the authentication apparatus and the authentication target device holds the last piece of authentication information subjected to an authentication process. When the authentication target device is reconnected to the authentication apparatus, the authentication apparatus collates the authentication information held in the authentication apparatus with the authentication information read out of the authentication target device. The authentication apparatus determines, based on the collation result, whether or not the authentication target device has been authenticated by a different authentication apparatus.
    Type: Grant
    Filed: May 4, 2020
    Date of Patent: November 8, 2022
    Assignee: Canon Kabushiki Kaisha
    Inventor: Yuta Hojo
  • Patent number: 11477642
    Abstract: A method of operating an electronic device is provided.
    Type: Grant
    Filed: December 19, 2019
    Date of Patent: October 18, 2022
    Inventors: Tae-Soo Jun, Seung-ku Kim
  • Patent number: 11477019
    Abstract: An elliptic curve random number generator avoids escrow keys by choosing a point Q on the elliptic curve as verifiably random. An arbitrary string is chosen and a hash of that string computed. The hash is then converted to a field element of the desired field, the field element regarded as the x-coordinate of a point Q on the elliptic curve and the x-coordinate is tested for validity on the desired elliptic curve. If valid, the x-coordinate is decompressed to the point Q, wherein the choice of which of the two points is also derived from the hash value. Intentional use of escrow keys can provide for back up functionality. The relationship between P and Q is used as an escrow key and stored by an administrator for a security domain. The administrator logs the output of the generator to reconstruct the random number with the escrow key.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: October 18, 2022
    Assignee: BlackBerry Limited
    Inventors: Daniel Richard L. Brown, Scott Alexander Vanstone
  • Patent number: 11463430
    Abstract: Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.
    Type: Grant
    Filed: February 1, 2019
    Date of Patent: October 4, 2022
    Assignee: RSA Security LLC
    Inventors: Brian C. Mullins, Kevin Bowers
  • Patent number: 11436313
    Abstract: Provided is a method for authenticating a device. The method may include coupling a first device to an interaction database that is connected to a second device. The first and second devices store first group public and private keys. The second device also stores second device public and private keys. The first device transmits to a remote computer system a first message encrypted with a remote computer system public key that includes challenge data and response data encrypted with the first group public key and authentication data. The second device receives from the remote computer system a second message including the encrypted challenge data. The second device transmits to the remote computer system a third message including the response data. In response to receiving an authentication message, interaction may be permitted between the first device and remote computer system. A system and computer program product are also disclosed.
    Type: Grant
    Filed: April 10, 2018
    Date of Patent: September 6, 2022
    Assignee: Visa International Service Association
    Inventors: Muthyam Reddy Paaredi, Jerry Jose Zachariah
  • Patent number: 11436872
    Abstract: A data management platform for Autonomous Vehicles (AVs) is provided. The data management platform can receive, from an AV at a first time, a first copy of a manifest including a creation history of a transformed object generated by the AV and a data integrity value corresponding to the transformed object. The data management platform can receive, from a second computing system at a second time, a second copy of the manifest. The data management platform can reconcile the first copy and the second copy. The data management platform can receive, from the second computing system at a third time, a request to upload the transformed object. The data management platform can validate the transformed object stored in storage of the first computing system based on the data integrity value included in the manifest.
    Type: Grant
    Filed: June 29, 2019
    Date of Patent: September 6, 2022
    Assignee: GM Cruise Holdings, LLC
    Inventors: Pedro Miquel Duarte Gelvez, Vadim Antonov, Dennis Suratna
  • Patent number: 11436873
    Abstract: A communication system includes a plurality of processors coupled with a network, each of the processors having a predefined encryption method for a communication with a server. Each of the processors is configured to determine a primary processor of the processors based on at least one of a processability of the processor, network distance to the processor, or cipher strengths, when the processor is not determined as the primary processor, transfer unencrypted communication data through the network to the primary processor, and when the processor is determined as the primary processor, perform an encryption of unencrypted communication data received, and an encrypted communication with the server by the encryption method of the primary processor.
    Type: Grant
    Filed: December 7, 2020
    Date of Patent: September 6, 2022
    Assignee: TOYOTA JIDOSHA KABUSHIKI KAISHA
    Inventor: Masashi Nakagawa
  • Patent number: 11431850
    Abstract: Disclosed are methods, systems, and machine-readable mediums which provide for customer chatbots that detect a customer handoff condition and, in response, transfer the customer to a communication session with a live agent. The handoff condition may comprise an inability to understand the customer, an inability to answer the customer's question, expressions of frustration or anger on the part of the customer, a customer's express request to be transferred, or the like. The live agent may receive a complete history of the conversation with the chatbot so that the customer does not have to repeat him or herself to the live agent. The chatbot chat session may be linked to a social networking account of the customer and may take place in association with a social networking profile page of the company.
    Type: Grant
    Filed: April 28, 2021
    Date of Patent: August 30, 2022
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Kristin H. Deegan, Matthew G. Vanhouten, Uma Meyyappan, Jennifer Toby Whateley, Balinder Singh Mangat, Upul D. Hanwella, Kimarie Pike Matthews, Maria J. Latorre, Scott Edward Pitchford
  • Patent number: 11418515
    Abstract: Methods and systems for specifying and enforcing network policies are provided. One method for configuring a network that includes a plurality of heterogeneous network access devices includes creating a network enforcement profile based on at least one enforcement policy, and determining a network access device group of the plurality of heterogeneous network access devices that are capable of managing the enforcement profile. The method further includes providing vendor-specific configuration parameters for at least one network access device of the network access device group so as to cause the network to manage the network enforcement profile, and applying the vendor-specific configuration parameters to the at least one network access device.
    Type: Grant
    Filed: June 3, 2019
    Date of Patent: August 16, 2022
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Rajesh Kumar Ganapathy Achari, Anoop Kumaran Nair, Pattabhi Attaluri, Venkatesh Ramachandran, Bhagya Prasad Nittur, Antoni Milton
  • Patent number: 11418498
    Abstract: Embodiments disclosed herein provide systems, methods, and computer readable media for using a single sign-on proxy to regulate access to a cloud service. In a particular embodiment, a method provides receiving an authentication request from a user system directed to a SSO service and determining whether the authentication request satisfies at least one criterion for allowing access to the cloud service associated with the SSO service. Upon determining that the authentication request satisfies the at least one criterion, the method provides forwarding the authentication request to the SSO service.
    Type: Grant
    Filed: October 24, 2017
    Date of Patent: August 16, 2022
    Assignee: Palo Alto Networks, Inc.
    Inventor: Nishant Doshi
  • Patent number: 11418346
    Abstract: A system and method for recognition of biometric information for a shared vehicle in which data exposure is prevented which may otherwise occur when using a biometric recognition function in a shared vehicle or autonomous driving vehicle in a shared environment. The system and method may be associated with an AI device, a drone, a UAV, a robot, an AR device, a VR device, and a 5G service.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: August 16, 2022
    Assignee: LG Electronics Inc.
    Inventor: Soo-Hwan Oh
  • Patent number: 11418463
    Abstract: A method and system for responding to a message directed to a recipient includes receiving the message including a query from a sender, receiving an indication that the recipient is unavailable to respond to the query, and providing the query as an input to a machine-learning (ML) model to identify information requested in the query. The method further includes obtaining the information requested as an output from the ML model, determining if access to the information requested is available to the sender, based on a confidentiality group to which the sender belongs with respect to the information requested, upon determining that access to the information requested is available, generating a response to the query that includes the information requested, and providing the response to the sender. The confidentiality group to which the sender belongs may be determined based on a degree of association between the sender and the information requested.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: August 16, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Romain Gabriel Paul Rey, Mastafa Hamza Foufa, Fernando Javier Yanez Lucero
  • Patent number: 11399092
    Abstract: The present disclosure discloses a method for preventing a SIP device from being attacked, a calling device, and a called device, belonging to the field of network security. The present disclosure provides a method including: generating, by a calling device and a called device, the same public password, and transmitting, by the calling device, a connection request to the called device; performing, by the called device, header field verification on the connection request to verify whether a specified header field is carried in the connection request; performing, by the called device, device verification on the connection request; and performing, by the called device, identity verification on the connection request, and establishing, by the called device, a connection to the calling device. In this case, spoofing data is filtered out and the SIP device is not easily attacked, so that a user is free of disturbance.
    Type: Grant
    Filed: May 4, 2021
    Date of Patent: July 26, 2022
    Assignee: YEALINK (XIAMEN) NETWORK TECHNOLOGY CO., LTD.
    Inventor: Weiping Gong
  • Patent number: 11388152
    Abstract: Verifiable, secure communications between a sender and a receiver on at least one shared communication channel is provided. A manicoded key encoder produces an argument of knowledge for a secret key to the at least one shared communication channel, and a manicoded message encoder provides an implication argument indicating that knowledge of the secret key enables access to message content of the manicoded message. The argument of knowledge is included in a key manifest for the secret key within a manicoded key, and the implication argument is included in a message manifest of a manicoded message. In this way, the sender may provide message content within the manicoded message, and the receiver may operate a decoder to access the message content. A verifier may use the manicoded key and the manicoded message to verify that the receiver has access to the message content.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: July 12, 2022
    Inventor: Yaron Gvili
  • Patent number: 11368449
    Abstract: In an embodiment, a system for asserting a mobile identity to users and devices in an enterprise authentication system includes a communication interface and a processor coupled to the interface. The processor is configured to receive, via the communication interface and from a first device, a request to authenticate a user to a service using a unique identity associated with a second device. The processor is configured to determine, based at least in part on the unique identity, an identity certificate associated with the request, generate an identity assertion based at least in part on the identity certificate, and provide the identity assertion via the communication interface to a requesting node with which the request to authenticate is associated.
    Type: Grant
    Filed: November 19, 2019
    Date of Patent: June 21, 2022
    Assignee: MOBILEIRON INC.
    Inventors: Alexei Volkov, Kumara Das Karunakaran, Vijay Pawar
  • Patent number: 11343089
    Abstract: A cryptography system for the protection of data in transit using a post-quantum encryption key management system that eliminates the need for PKI or other asymmetric key management systems used in today's solutions, while allowing encryption of data in transit with no hands-on management including configuration of routers, switches, etc. The present system includes a multi-factor post-quantum key management mechanism that strengthens existing symmetric encryption systems and industry standard key generators on existing hardware through the post-quantum age.
    Type: Grant
    Filed: July 9, 2020
    Date of Patent: May 24, 2022
    Assignee: Tunnel VUE Inc.
    Inventor: Nicholas Ross Edwards
  • Patent number: 11343105
    Abstract: The present disclosure relates to a dialysis machine, external medical equipment and to methods for establishing an authenticated connection between a dialysis machine and external medical equipment. The dialysis machine is caused to establish a short-range wireless connection between the dialysis machine and external medical equipment. A first shared key is associated with the short-range wireless connection. The dialysis machine is further configured to obtain a second shared key generated using the first shared key and to generate a first signature, using the obtained second shared key. The dialysis machine is further configured to send, to the external medical equipment, an authentication request comprising the generated first signature and to receive in return an authentication accept comprising a second signature. Furthermore, the dialysis machine is configured to verify the authenticity of the external medical equipment using the second signature.
    Type: Grant
    Filed: June 13, 2018
    Date of Patent: May 24, 2022
    Assignees: Baxter International Inc., Baxter Healthcare SA
    Inventors: Olof Ekdahl, Bo Wennberg, Niklas Eklund, Christian Karlsson, Ding Ma
  • Patent number: 11308196
    Abstract: Pairing data associated with a second device may be received at a first device. The pairing data may be received from a server. A first authentication proof may be generated based on the pairing data received from the server. A second authentication proof may be received from the second device. Furthermore, an authentication status of the second device may be updated based on a comparison of the first authentication proof that is based on the pairing data received from the server and the second authentication proof that is received from the second device.
    Type: Grant
    Filed: February 28, 2020
    Date of Patent: April 19, 2022
    Assignee: Cryptography Research, Inc.
    Inventors: Benjamin Che-Ming Jun, Matthew Evan Orzen, Joel Patrick Wittenauer, Steven C. Woo
  • Patent number: 11290279
    Abstract: The present disclosure relates to an authentication terminal, an authentication device, and an authentication method and system using the authentication terminal and the authentication device, and more particularly, to a device and a method for authenticating users and allowing transactions through information delivery among a user terminal, an authentication terminal, and an authentication device.
    Type: Grant
    Filed: August 22, 2018
    Date of Patent: March 29, 2022
    Inventor: Tae Sik Yoon
  • Patent number: 11283634
    Abstract: A computer-implemented method for detecting replay attack comprises: obtaining at least one candidate transaction for adding to a blockchain, the obtained candidate transaction comprising a timestamp; verifying if the timestamp is within a validation range and if an identification of the candidate transaction exists in an identification database; and in response to determining that the timestamp is within the validation range and the identification does not exist in the identification database, determining that the candidate transaction is not associated with a replay attack.
    Type: Grant
    Filed: December 29, 2018
    Date of Patent: March 22, 2022
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Guilu Xie
  • Patent number: 11265155
    Abstract: An agreement apparatus P(i) (where i=0, . . . , n−1) which executes a consensus protocol generates an opinion value with a signature Xij=(xi, sig_i(xi)) including an opinion value xi indicating an opinion and a signature sig_i(xi) on the opinion value xi or information different from the opinion value with the signature Xij as an opinion value with a signature X′ij=(x′ij, e′ij) and outputs the opinion value with the signature X′ij to an agreement apparatus P(j) (where j=0, . . . , n−1, i≠j). The agreement apparatus P(j) accepts the opinion value with the signature X′ij and outputs the opinion value with the signature X′ij or information different from the opinion value with the signature X′ij to an agreement apparatus P(m) (where m=0, . . . , n−1, m≠i, m≠j) as an opinion value with a signature X″ij.
    Type: Grant
    Filed: August 16, 2018
    Date of Patent: March 1, 2022
    Assignee: NIPPON TELEGRAPH AND TELEPHONE CORPORATION
    Inventors: Dai Ikarashi, Koki Hamada
  • Patent number: 11258791
    Abstract: One embodiment of the invention includes a system comprising: a personal digital key and a computer readable medium that is accessible when authenticated by the personal digital key.
    Type: Grant
    Filed: March 23, 2015
    Date of Patent: February 22, 2022
    Assignee: Proxense, LLC
    Inventor: John J. Giobbi
  • Patent number: 11258589
    Abstract: Embodiments provide methods, and systems for cryptographic keys exchange where the method can include receiving, by a server system, a client public key being part of a client asymmetric key pair from a client device; sending, by the server system, a server public key being part of a server asymmetric key pair to the client device; generating, by the server system, a random value master key and sending the random value master key encrypted using the client public key to the client device; and generating, by the server system, an initial unique session key and sending the initial unique session key encrypted under the random value master key to the client device. A unique session key from the set of the unique session keys is used by the client device to encrypt a session data for transmission to the server system per session.
    Type: Grant
    Filed: January 8, 2020
    Date of Patent: February 22, 2022
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Ritesh Chaudhari, Ashish Dhande, Ashish Patel, Chetan Bhalerao
  • Patent number: 11238138
    Abstract: A device for validating authorization key obfuscation in a continuous integration (CI) pipeline codebase is presented. The device comprises a transceiver, one or more memories, and one or more processors interfacing with the transceiver and the one or more memories. The one or more processors are configured to receive an update to the CI pipeline codebase. The update may include an authorization key, which the one or more processors store in the one or more memories. The one or more processors may perform a build process to integrate the update into the CI pipeline codebase. The build process may include an obfuscation, which creates an obfuscated CI pipeline codebase. The one or more processors may also scan the obfuscated CI pipeline codebase to determine a presence or an absence of the authorization key.
    Type: Grant
    Filed: November 8, 2019
    Date of Patent: February 1, 2022
    Assignee: BLUEOWL, LLC
    Inventor: Marco Ancheta
  • Patent number: 11239994
    Abstract: Techniques for securely provisioning a set of enclaves are described. A contract owner may register with a shared registry. A subset of enclaves may be selected to be provisioned from among a plurality of enclaves. A keyshare may be requested from one or more provisioning services for each of the subset of enclaves to be provisioned. The requested keyshares may be received from each provisioning service for each of the subset of enclaves to be provisioned. For each of the selected enclaves, the received keyshares may be sent for verification by the enclave. Each of the selected enclaves may send an authenticated and encrypted key derived from the received keyshares.
    Type: Grant
    Filed: October 28, 2019
    Date of Patent: February 1, 2022
    Assignee: INTEL CORPORATION
    Inventors: Mic Bowman, Andrea Miele
  • Patent number: 11233696
    Abstract: A technology is described for connecting a device to a network. An example method may include identifying a preinstalled network configuration for a default wireless network from device memory. The preinstalled network configuration may be used by the device to connect to the default wireless network and obtain a local network configuration for a local wireless network. Thereafter, the device may disconnect from the default wireless network and connect to the local wireless network using the local network configuration.
    Type: Grant
    Filed: March 23, 2018
    Date of Patent: January 25, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Lomash Kumar, Bradley Jeffery Behm, Jijo Raphael Jose
  • Patent number: 11228449
    Abstract: A formalized set of interfaces (e.g., application programming interfaces (APIs)) is described, that uses a security scheme, such as asymmetric (or symmetric) cryptography, in order to authorize and authenticate requests sent to a virtualization layer. The interfaces can be invoked to perform security monitoring, forensic capture, and/or patch software systems at runtime. In addition to the foregoing, other aspects are described in the claims, detailed description, and figures.
    Type: Grant
    Filed: August 27, 2018
    Date of Patent: January 18, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Eric Jason Brandwine, Matthew Shawn Wilson
  • Patent number: 11212294
    Abstract: A system of secure data packets for transmission over a packet switched network includes an expiring Hash-based Message Authentication Code (HMAC) appended to the data packet. The expiring HMAC is calculated based on a shared secret and a clock time. A receiving network application or firewall with the shared secret validates the secure data packets based on a comparison of the expiring HMAC to the receiving network or application's own calculation of a valid HMAC based on the shared secret and the clock time. Applications executing on the receiving and sending networks do not need modification to use the secure data packet protocol because HMAC appending, validation, and removal may all occur at network boundaries on firewalls. Protected host endpoints may serve client endpoints using expiring HMAC data packets and other validation information based on security data stored on a shared ledger such as nonce values encountered by the network.
    Type: Grant
    Filed: January 14, 2019
    Date of Patent: December 28, 2021
    Assignee: Grid7 LLC
    Inventors: William Katsak, James Barry
  • Patent number: 11206132
    Abstract: Embodiments of a secure multi-party computation method applicable to any one computing node of a plurality of computing nodes deployed in a distributed network are provided. The plurality of computing nodes jointly participate in a secure multi-party computation based on private data held by each computing node. The computing node is connected to a trusted key source, and the method includes: obtaining a trusted key from the trusted key source; encrypting the private data held by the computing node based on the obtained trusted key to obtain ciphertext data; transmitting a computing parameter comprising at least the ciphertext data to other computing nodes participating in the secure multi-party computation, so that the other computing nodes perform the secure multi-party computation based on collected computing parameters transmitted by the computing nodes participating in the secure multi-party computation.
    Type: Grant
    Filed: October 31, 2020
    Date of Patent: December 21, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventors: Lichun Li, Shan Yin, Huazhong Wang, Wenzhen Lin
  • Patent number: 11197154
    Abstract: Cellular connections can be used to provision non-cellular devices such as internet-of-things (IoT) devices. For example, IoT devices can comprise Bluetooth, Wi-Fi, and cellular capabilities. However, the cellular capability can be used to provision the IoT devices using non-internet protocol data delivery to prevent security vulnerabilities. Data can be transmitted to the IoT device using core elements without using an IP stack. Thus, IoT device configurations and the keys can be provisioned over-the-air without the use of internet protocol data.
    Type: Grant
    Filed: December 2, 2019
    Date of Patent: December 7, 2021
    Assignees: AT&T INTELLECTUAL PROPERTY I, L.P., AT&T MOBILITY II LLC
    Inventors: Jordan Alexander, Robert Holden, Jeffrey Martin Bartlett
  • Patent number: 11172359
    Abstract: A method and apparatus provide for security for restricted local operator services. At least one of a restricted local operator services indication and security capabilities associated with the restricted local operator services can be sent. A non-access stratum key exchange request including a symmetric root key can be received. The symmetric root key can be encrypted with a public key. The non-access stratum key exchange request can be acknowledged. A non-access stratum security key can be derived with the symmetric root key. Radio interface keys for user plane and radio resource control can be derived with the symmetric root key.
    Type: Grant
    Filed: August 8, 2018
    Date of Patent: November 9, 2021
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Andreas Kunz, Genadi Velev
  • Patent number: 11153748
    Abstract: A Wi-Fi access point device (APD) includes a controller, a radio, and a memory. The memory contains instructions for establishing a programmed secure Wi-Fi onboarding SSID with the client device with connection to the external network. The controller is configured to instruct the radio to broadcast the open Wi-Fi onboarding SSID for a predetermined period of time. The controller is also configured to: instruct the radio to broadcast an established programmed secure Wi-Fi onboarding SSID; onboard the Wi-Fi APD to the external network, based on information communicated between the Wi-Fi client device and the Wi-Fi APD over the established programmed secure Wi-Fi onboarding SSID; and instruct the radio to stop the broadcast of the open Wi-Fi onboarding SSID at the earlier of a termination of the predetermined time period and the onboarding of the Wi-Fi APD to the external network.
    Type: Grant
    Filed: July 24, 2020
    Date of Patent: October 19, 2021
    Assignee: ARRIS ENTERPRISES LLC
    Inventors: Sathish Arumugam Chandrasekaran, Muralidharan Narayanan, Jalagandeswari Ganapathy, Amit Srivastava
  • Patent number: 11146557
    Abstract: An augmented reality device engages in a mutual exchange of negotiated services with another device. The negotiation comprises a first exchange of respective zero-knowledge proofs, and second exchange of credentials followed by verification of the credentials by a trusted third party, and further exchanges of information comprising services provided by the augmented reality device to the other device, and vice versa. The services are used, in embodiments, to customize an augmented reality experience.
    Type: Grant
    Filed: April 19, 2019
    Date of Patent: October 12, 2021
    Assignee: Vulcan Inc.
    Inventors: Paul G. Allen, Alan Caplan, Keith Rosema, Jeffrey Alex Kramer
  • Patent number: 11134379
    Abstract: This application discloses an identity authentication method, a device, and a system. The method includes: obtaining a first master public key and a first private key from a key generation center; sending a ClientHello message; obtaining a second identity from a ServerKeyExchange message; generating a pre-shared key of a selected PSK mode by using the second identity, the first private key, and the first master public key; and completing identity authentication with a second device by using the pre-shared key. According to the method, device, and system provided in embodiments of this application, an identity can be transmitted by using information in the TLS protocol, without extending the TLS protocol. This can avoid a compatibility problem caused by TLS protocol extension.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: September 28, 2021
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Jie Shi, Yanjiang Yang, Guilin Wang
  • Patent number: 11122429
    Abstract: A system for controlling airplane mode of a user device is configured to transmit a connection request to a telecommunication network for connecting with a target user device over a first communication channel. Upon receiving a call failure response from the telecommunication network, the system is configured to transmit a second communication request to the target user device through a second communication channel, wherein the second communication request comprises a target authentication key. The target user device is configured for generating an authentication response upon authentication of the second communication request based on the target authentication key. Further, the system is configured to transmit an activation signal to the target user device through the secondary communication channel for deactivating the airplane-mode and activate the first communication channel upon receipt of the activation signal.
    Type: Grant
    Filed: December 20, 2018
    Date of Patent: September 14, 2021
    Inventors: Maria Teresa Caira, Giuseppe Longobardi, Elvira Zanin, Ciro Oliviero
  • Patent number: 11115284
    Abstract: Systems and methods provide techniques for dynamic rate-limiting, such as techniques that utilize one or more of asynchronous rate-limiting, context-aware rate-limiting, and cost-aware rate-limiting. In one example, a method for asynchronous rate-limiting includes the steps of receiving a rate-limiting request for a service application; extracting one or more policy-defining parameters from the rate-limiting request; querying a local cache storage medium associated with the rate-limit decision node to identify one or more local rate-limiting policies associated with the rate-limiting request; determining, based on the one or more policy-defining parameters and the one or more local rate-limiting policies, a rate-limiting decision for the rate-limiting request; and transmitting the rate-limiting decision to the service application in response to the rate-limiting request.
    Type: Grant
    Filed: April 8, 2020
    Date of Patent: September 7, 2021
    Assignees: Atlassian PTY Ltd., Atlassian, Inc.
    Inventors: Anre Mario Roshan Paiva, Dean Shaft, Bernice Chen, Abhas Bodas, David Mankin, Martien Verbruggen, Aleksander Mierzwicki, Andrei Beliaev
  • Patent number: 11108749
    Abstract: The present disclosure includes secure device coupling. An embodiment includes a processing resource, memory, and a network management device communication component configured to identify a network attached device within a first domain and generate a domain device secret corresponding to the first domain. Each network attached device within the first domain can share the same domain device secret. Coupling iterations performed for each device within the first domain can include: generating a network management device private key and public key; and providing, via short-range communication, the network management device public key and the domain device secret to a network attached device communication component included in each network attached device of the first domain.
    Type: Grant
    Filed: March 25, 2019
    Date of Patent: August 31, 2021
    Assignee: Micron Technology, Inc.
    Inventors: Antonino Mondello, Alberto Troia