Mutual Entity Authentication Patents (Class 713/169)
  • Patent number: 8990555
    Abstract: A first network device is configured to receive a first request for a first secret key, generate the first secret key, and send the first secret key to a second network device and a first user device; and is also configured to receive a second request for a second secret key, generate the second secret key, and send the second secret key to a third network device and a second user device. The second network device and the first user device may mutually authenticate each other using the first secret key. The third network device and the second user device may mutually authenticate each other using the second secret key.
    Type: Grant
    Filed: August 14, 2012
    Date of Patent: March 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: William C. King, Bjorn Hjelm
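The abstract above describes a key server that issues one shared secret per (network device, user device) pair, after which the pair authenticates mutually. The following is an added example, not text or code from the patent, showing one way such a flow can be realised: the key server is a plain dictionary-backed class, and mutual authentication is an HMAC challenge-response in which each side binds its tag to both party names and the peer's nonce. The class names, the `resp|` message framing and the sample device identifiers are assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example (not from the patent text): a key server hands one fresh
# secret to a network device and a user device; the pair then proves
# possession of it to each other with an HMAC challenge-response.
# Class and method names here are illustrative assumptions.


class KeyServer:
    """Generates one shared secret per (network device, user device) pair."""

    def __init__(self) -> None:
        self._issued = {}

    def request_key(self, network_id: str, user_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._issued[(network_id, user_id)] = key
        return key  # in practice delivered to both devices over protected channels


@dataclass
class Party:
    """A device holding a secret key received from the key server."""

    name: str
    key: bytes
    _nonce: bytes = field(default=b"", repr=False)

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def respond(self, peer_nonce: bytes, peer_name: str) -> bytes:
        # The tag binds responder, challenger and nonce, so a challenge
        # reflected back at its sender cannot be answered with the sender's own tag.
        msg = b"|".join([b"resp", self.name.encode(), peer_name.encode(), peer_nonce])
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def verify(self, peer_name: str, tag: bytes) -> bool:
        msg = b"|".join([b"resp", peer_name.encode(), self.name.encode(), self._nonce])
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def mutual_authenticate(a: Party, b: Party) -> bool:
    """Both sides challenge, both respond; succeeds only if both hold the same key."""
    nonce_a = a.challenge()
    nonce_b = b.challenge()
    tag_from_b = b.respond(nonce_a, a.name)
    tag_from_a = a.respond(nonce_b, b.name)
    return a.verify(b.name, tag_from_b) and b.verify(a.name, tag_from_a)


def demo():
    ks = KeyServer()
    k1 = ks.request_key("net-2", "user-1")   # first request, first secret key
    k2 = ks.request_key("net-3", "user-2")   # second request, second secret key
    net2, user1 = Party("net-2", k1), Party("user-1", k1)
    net3, user2 = Party("net-3", k2), Party("user-2", k2)
    return (
        mutual_authenticate(net2, user1),  # same key: True
        mutual_authenticate(net3, user2),  # same key: True
        mutual_authenticate(net3, user1),  # keys from different requests: False
    )


if __name__ == "__main__":
    print(demo())
```

The third result shows the property the abstract relies on: a device holding the key from the second request cannot authenticate to a device holding the key from the first. Real deployments also need the key server's delivery channels to the two devices protected, which this stand-alone example does not model.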
  • Patent number: 8988187
    Abstract: Systems and methods which provide identification of a user in combination with mutual authentication between a user and identification host are shown. Embodiments further provide mutual authentication between the identification host and a resource for which access is controlled, thereby providing three-party authentication (e.g., user, identification host, resource). Although utilizing biometric data for user identification, embodiments store such biometric information within devices which remain in the control of users. Protocols implemented according to embodiments facilitate a decentralized approach to user identification and authentication to allow a user to interact with any of a number of identification hosts for user identification and authorization. Auditing and tracing of user identification and authentication and/or resource access is provided according to embodiments.
    Type: Grant
    Filed: January 13, 2011
    Date of Patent: March 24, 2015
    Assignee: Hong Kong Applied Science and Technology Research Institute Co., Ltd.
    Inventors: Shek Duncan Wong, Jack Sik Ching Poon, Tak Shing Peter Yum
  • Patent number: 8990568
    Abstract: Embodiments of the invention are directed to systems, methods and computer program products for enrolling a user in a device identification program. In some embodiments, a system is configured to: receive device identification information from a mobile device, receive user information associated with a user, the user information enabling identification of the user, associate the device identification information with the user information, and create a record based on the device identification information and the user information.
    Type: Grant
    Filed: August 19, 2013
    Date of Patent: March 24, 2015
    Assignee: Bank of America Corporation
    Inventor: William Earnest Kelley
  • Patent number: 8990569
    Abstract: A device receives an encrypted key generating value from a first device and decrypts the encrypted key generating value. A temporary session key associated with the first device is generated based on the key generating value. A secure session invitation message is received from the first device. A master session key is generated and encrypted using the temporary session key associated with the first device. The encrypted master session key is transmitted to the first device.
    Type: Grant
    Filed: December 3, 2008
    Date of Patent: March 24, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Thomas W. Haynes, Steven R. Rados
  • Publication number: 20150082038
    Abstract: A display control apparatus performs download processing and streaming processing. In the download processing, after first mutual authentication between removable media and a license server, the removable media receive and store a first title key from a license server and first encrypted content from a content server.
    Type: Application
    Filed: August 13, 2014
    Publication date: March 19, 2015
    Inventor: Jun SATO
  • Patent number: 8984205
    Abstract: A system includes an interface with a plurality of sub-addresses. The interface receives critical data and non-critical data. The critical data are received only at more specific sub-addresses of the interface. The interface transfers the critical data received at the sub-addresses to a critical processor, such that the critical data avoids being received by or being processed by a non-critical processor. The interface transfers the non-critical data from the interface to the non-critical processor. The configuration of the interface is hard-coded such that the configuration of the interface is fixed at power up of the interface and is non-changeable by the non-critical processor. The interface includes an external platform interface that is external to the critical processor, the non-critical processor, and a local controller. The external platform interface includes a limited ability to store the critical and non-critical data.
    Type: Grant
    Filed: March 22, 2012
    Date of Patent: March 17, 2015
    Assignee: Raytheon Company
    Inventors: David C. Robillard, Joseph D. Wagovich
  • Publication number: 20150074403
    Abstract: Disclosed is a method for mutual authentication between a station, having a digital rights agent, and a secure removable media device. The digital rights agent is configured to initiate mutual authentication by sending a message to the secure removable media device. The secure removable media device is configured to encrypt at least a first random number using a public key associated with the digital rights agent. The digital rights agent is configured to decrypt the encrypted first random number, and encrypt at least a second random number and a first hash based on at least the first random number. The secure removable media device is configured to decrypt the encrypted second random number and the first hash, verify the first hash to authenticate the digital rights agent, and generate a second hash based on at least the second random number. The digital rights agent is configured to verify the second hash to authenticate the secure removable media device.
    Type: Application
    Filed: November 14, 2014
    Publication date: March 12, 2015
    Inventors: Aram PEREZ, Lakshminath Reddy DONDETTI
  • Patent number: 8977844
    Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.
    Type: Grant
    Filed: August 31, 2006
    Date of Patent: March 10, 2015
    Assignee: Red Hat, Inc.
    Inventors: Steven William Parkinson, Robert B. Lord
  • Patent number: 8978115
    Abstract: The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
    Type: Grant
    Filed: November 15, 2013
    Date of Patent: March 10, 2015
    Assignee: Microsoft Technology Licensing LLC
    Inventors: Ariel Gordon, David J. Nicholson
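The abstract above ends with the point that matters for account enumeration: requests for invalid identities are answered pseudo-randomly with one of the two interfaces, so the interface served does not reveal whether an identity exists. The following is an added example, not code from the patent or its assignee, of a response policy with that shape. It makes one implementation choice the abstract leaves open: the pseudo-random choice is derived from a keyed hash of the identity, so repeated probes of the same unknown name always get the same answer (a fresh coin flip per request would flip between probes and itself leak that the name is invalid). The realm contents and `SERVER_SECRET` are constructed for illustration.

```python
import hashlib
import hmac
from enum import Enum

# Added example (not from the patent text) of the response policy in the
# abstract above: valid identities get the interface configured for them,
# unknown identities get a pseudo-random one. The realm contents and
# SERVER_SECRET are constructed for illustration.


class Interface(Enum):
    DIRECT = "direct"        # e.g. a credential form served by the realm itself
    FEDERATED = "federated"  # e.g. a redirect to an external identity provider


# Constructed realm: which valid identities authenticate by which mechanism.
REALM = {
    "alice@example.com": Interface.DIRECT,
    "bob@example.com": Interface.FEDERATED,
}

# Hypothetical per-deployment secret. Keying the choice makes it look random
# to an outside observer yet stable for a given name, so probing the same
# unknown identity twice does not flip the answer and reveal it is invalid.
SERVER_SECRET = b"constructed-example-secret-rotate-in-real-deployments"


def choose_interface(identity: str) -> Interface:
    name = identity.strip().lower()
    configured = REALM.get(name)
    if configured is not None:
        return configured
    # Invalid identity: one keyed pseudo-random bit decides the interface.
    bit = hmac.new(SERVER_SECRET, name.encode(), hashlib.sha256).digest()[0] & 1
    return Interface.DIRECT if bit == 0 else Interface.FEDERATED


def is_stable(identity: str, probes: int = 50) -> bool:
    """True if repeated requests for the same identity always get the same interface."""
    return len({choose_interface(identity) for _ in range(probes)}) == 1
```

Two further practitioner caveats that the selection logic alone does not cover: the response body and timing for an unknown identity must match those for a valid one on the same interface, and the ratio of direct to federated answers for unknown names should not differ noticeably from the ratio in the real population, or the distribution itself becomes a signal.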
  • Patent number: 8973122
    Abstract: A two-factor network authentication system uses “something you know” in the form of a password/PIN and “something you have” in the form of a key token. The password is encrypted in a secure area of the USB device and is protected from brute force attacks. The key token includes authentication credentials. Users cannot authenticate without the key token. Four distinct authentication elements must be present. The first element is a global unique identifier that is unique to each key. The second is a private credential generated from the online service provider that is stored in a secure area of the USB device. The third element is a connection profile that is generated from the online service provider. The fourth element is a credential that is securely stored with the online service provider. The first two elements create a unique user identity. The second two elements create mutual authentication.
    Type: Grant
    Filed: April 20, 2012
    Date of Patent: March 3, 2015
    Assignee: Directpointe, Inc.
    Inventors: Justin M. Beck, Chad L Swensen
  • Patent number: 8966262
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Grant
    Filed: October 8, 2013
    Date of Patent: February 24, 2015
    Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
  • Patent number: 8966255
    Abstract: A communication apparatus including: a reception portion that receives identification information for a first apparatus to identify a second apparatus, and authentication information for the first apparatus to authenticate the second apparatus, from a network, the network being different from a route used when wireless communication between the first apparatus and the second apparatus is executed; and a communication unit that substitutes for the second apparatus and executes the wireless communication with the first apparatus by using the identification information and the authentication information when the second apparatus fails to execute the wireless communication with the first apparatus.
    Type: Grant
    Filed: June 2, 2011
    Date of Patent: February 24, 2015
    Assignee: Fujitsu Component Limited
    Inventor: Toshiya Koyama
  • Patent number: 8965342
    Abstract: Methods and apparatus for verifying authenticity of device information of an end-user device are provided herein. In some embodiments, a method for verifying authenticity of device information of an end-user device may include sending a request to verify device information of an end-user device, receiving, responsive to the request, verification information regarding the device information sent, and performing a verification analysis on the verification information received.
    Type: Grant
    Filed: August 8, 2013
    Date of Patent: February 24, 2015
    Assignee: Vonage Network LLC
    Inventors: Tzahi Efrati, Jaya Meghani
  • Patent number: 8964989
    Abstract: An improved quantum key distribution (QKD) system and method are provided. The system and method introduce new clients at intermediate points along a quantum channel, where any two clients can establish a secret key without the need for a secret meeting between the clients. The new clients perform operations on photons as they pass through nodes in the quantum channel, and participate in a non-secret protocol that is amended to include the new clients. The system and method significantly increase the number of clients that can be supported by a conventional QKD system, with only a modest increase in cost. The system and method are compatible with a variety of QKD schemes, including polarization, time-bin, continuous variable and entanglement QKD.
    Type: Grant
    Filed: November 19, 2013
    Date of Patent: February 24, 2015
    Assignee: UT-Battelle LLC
    Inventor: Warren P. Grice
  • Patent number: 8966254
    Abstract: A confidential information exchange between a sender and a receiver may be conducted without the use of encryption keys. The information is coded with a Challenge-Response Table that is shared between the sender and the receiver. Rather than sending a challenge and then waiting for a response, the challenge and response are both sent by the sender of the information. The information sent comprises an index with a challenge and a response from the Challenge-Response Table. Upon receiving the coded information, the receiver uses the Challenge-Response Table to decode the information by using the index to locate the challenge and its valid response. Upon determining that the challenge and the response are correct, a first decoded answer is determined. Upon determining that either the challenge or the response, or both, are incorrect, a second decoded answer is determined.
    Type: Grant
    Filed: October 11, 2010
    Date of Patent: February 24, 2015
    Assignee: International Business Machines Corporation
    Inventors: Subramaniyam Chandrasekaran, Shunmugam Murugan, Arun C. Ramachandran, Lakshmanan Velusamy
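The abstract above describes coding information without encryption keys: the sender transmits an index plus a challenge and a response drawn from a table shared with the receiver, and the receiver decodes one answer if the pair is valid for that index and a different answer otherwise. The following is an added example, not code from the patent or IBM, that carries this through for a stream of bits: a valid pair encodes a 1, a deliberately wrong response encodes a 0. The table contents, the per-bit random index choice and the byte-flip used to spoil a response are assumptions made here.

```python
import hmac
import secrets
from dataclasses import dataclass

# Added example (not from the patent text): coding one bit per message with a
# shared Challenge-Response Table. Sample table entries are constructed here;
# in use the table itself is the shared secret.


@dataclass(frozen=True)
class CodedSymbol:
    index: int
    challenge: bytes
    response: bytes


class ChallengeResponseTable:
    def __init__(self, entries):
        # entries: list of (challenge, response) byte-string pairs shared in advance
        self.entries = list(entries)

    def encode_bit(self, bit: int) -> CodedSymbol:
        idx = secrets.randbelow(len(self.entries))
        challenge, response = self.entries[idx]
        if bit == 1:
            # "first decoded answer": the challenge with its valid response
            return CodedSymbol(idx, challenge, response)
        # "second decoded answer": the right challenge, a deliberately wrong response
        wrong = bytes(b ^ 0xFF for b in response)
        return CodedSymbol(idx, challenge, wrong)

    def decode_symbol(self, sym: CodedSymbol) -> int:
        if not 0 <= sym.index < len(self.entries):
            return 0  # an unknown index can never carry a valid pair
        challenge, response = self.entries[sym.index]
        valid = hmac.compare_digest(challenge, sym.challenge) and hmac.compare_digest(
            response, sym.response
        )
        return 1 if valid else 0

    def encode_bits(self, bits):
        return [self.encode_bit(b) for b in bits]

    def decode_bits(self, symbols):
        return [self.decode_symbol(s) for s in symbols]


def demo_table(size: int = 16) -> ChallengeResponseTable:
    """Constructed table: random 8-byte challenges paired with random 8-byte responses."""
    return ChallengeResponseTable(
        [(secrets.token_bytes(8), secrets.token_bytes(8)) for _ in range(size)]
    )


def bytes_to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits) -> bytes:
    out = bytearray()
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8]
        out.append(int("".join(str(b) for b in chunk), 2))
    return bytes(out)
```

The scheme's security rests entirely on the table staying secret, and an observer who records a symbol that decodes to 1 has learned a valid (challenge, response) pair for that index and can forge further 1s at the same index. A practitioner using this pattern would therefore treat entries as single-use and size the table accordingly, which the abstract does not address.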
  • Patent number: 8966592
    Abstract: A computer-implemented technique is presented. The technique can include selectively initiating, at a mobile computing device including one or more processors, communication between the mobile computing device and a public computing device. The technique can include transmitting, from the mobile computing device, authentication information to the public computing device. The authentication information can indicate access privileges to a private account associated with a user of the mobile computing device. The technique can include receiving, at the mobile computing device, an access inquiry from the public computing device. The access inquiry can indicate an inquiry as to whether the user wishes to login to the private account at the public computing device. The technique can also include transmitting, from the mobile computing device, an access response to the public computing device. The access response can cause the public computing device to provide the user with access to the private account.
    Type: Grant
    Filed: March 1, 2013
    Date of Patent: February 24, 2015
    Assignee: Google Inc.
    Inventors: Sheridan Kates, Arnaud Sahuguet, Amir Menachem Mané, Jeremy Brand Sussman, Aaron Baeten Brown, Travis Harrison Kroll Green
  • Patent number: 8959346
    Abstract: Various embodiments of a system and method for a single request-single response protocol with mutual replay attack protection are described. Embodiments include a system that receives multiple single request messages, each of which include a respective nonce, timestamp, and digital signature. The system may create a record of previously received nonces that, at any given time, may include multiple message nonces received within a valid period of time prior to that given time. To validate a given single request message, the system verifies the digital signature of the message, determines that the timestamp of the message indicates a time within the valid period of time prior to the current time, and determines that the nonce of the message is not present within the record of previously received nonces. The system sends a single response message that includes the same nonce as the validated message.
    Type: Grant
    Filed: January 30, 2013
    Date of Patent: February 17, 2015
    Assignee: Adobe Systems Incorporated
    Inventor: Sunil C. Agrawal
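The abstract above gives the three checks in order (signature, timestamp inside the valid period, nonce absent from the record of recently received nonces) and has the response echo the request's nonce so the client gets replay protection too. The following is an added example, not code from the patent or Adobe, that implements those checks on both sides. Where the abstract says digital signature, this stand-alone version substitutes an HMAC over canonical JSON so it runs with the Python standard library alone; the window sizes, field names and key are constructed here. One detail worth noticing is the pruning rule: a nonce is kept for as long as its own timestamp could still be accepted, so a replay can never arrive inside the timestamp window after its nonce has been forgotten.

```python
import hashlib
import hmac
import json
import secrets
import time

# Added example (not from the patent text) of the request/response check in
# the abstract above. The abstract uses a digital signature; this stand-alone
# version substitutes an HMAC over canonical JSON so it runs with the standard
# library only. Key material and messages are constructed for illustration.

WINDOW_SECONDS = 300   # how long a timestamp stays acceptable
FUTURE_SKEW = 60       # clock drift tolerated on timestamps ahead of the receiver


def sign(key: bytes, body: dict) -> str:
    """MAC over canonical JSON so both sides authenticate identical bytes."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_request(key: bytes, payload: dict, now=None) -> dict:
    body = {
        "nonce": secrets.token_hex(16),
        "ts": int(time.time() if now is None else now),
        "payload": payload,
    }
    return {"body": body, "sig": sign(key, body)}


class Server:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seen = {}  # record of previously received nonces -> message timestamp

    def _prune(self, now: int) -> None:
        # Keep a nonce exactly as long as its timestamp could still be accepted.
        # Pruning on the message timestamp (not the receipt time) avoids a gap in
        # which a replay with a slightly-future timestamp outlives the stored nonce.
        for nonce, ts in list(self.seen.items()):
            if now - ts > WINDOW_SECONDS:
                del self.seen[nonce]

    def handle(self, request: dict, now=None) -> dict:
        now = int(time.time() if now is None else now)
        self._prune(now)
        body, sig = request["body"], request["sig"]
        # 1. origin and integrity first, so forged bodies never touch the nonce record
        if not hmac.compare_digest(sign(self.key, body), sig):
            return {"error": "bad signature"}
        # 2. timestamp inside the valid period
        ts = body["ts"]
        if not isinstance(ts, int) or not (now - WINDOW_SECONDS <= ts <= now + FUTURE_SKEW):
            return {"error": "stale timestamp"}
        # 3. nonce not yet seen inside that period
        nonce = body["nonce"]
        if nonce in self.seen:
            return {"error": "replayed nonce"}
        self.seen[nonce] = ts
        response = {"nonce": nonce, "ts": now, "result": "ok"}
        return {"body": response, "sig": sign(self.key, response)}


def verify_response(key: bytes, request: dict, response: dict) -> bool:
    """Client side: the response must be authentic and echo this request's nonce."""
    if "body" not in response or "sig" not in response:
        return False
    if not hmac.compare_digest(sign(key, response["body"]), response["sig"]):
        return False
    return hmac.compare_digest(response["body"]["nonce"], request["body"]["nonce"])
```

Because the client only accepts a response carrying the nonce it generated, a response captured from one exchange cannot be replayed to satisfy a later request, which is the "mutual" half of the abstract's replay protection.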
  • Patent number: 8959356
    Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: February 17, 2015
    Assignee: International Business Machines Corporation
    Inventors: Vincent Boucher, Sebastien Chabrolles, Benoit Granier, Arnaud Mante
  • Patent number: 8959341
    Abstract: Mechanisms and methods for sharing database content stored by a first organization with a third party are provided. A network address is provided to the third party, which can enable control of the access to the content and tracking of the views of the content. For example, the network address can include an encrypted key that contains information about the organization that created content and the specific distribution ID for delivering the content when requested by the third party using the address. A distribution can be created in numerous ways, with various restrictions on the access to the document of a distribution.
    Type: Grant
    Filed: January 25, 2010
    Date of Patent: February 17, 2015
    Assignee: salesforce.com, inc.
    Inventors: John Dismore, Didier Prophete, Wolfgang Mathurin
  • Publication number: 20150046710
    Abstract: A set of redundant industrial control system communications/control modules includes at least a first communications/control module and a second communications/control module.
    Type: Application
    Filed: October 20, 2014
    Publication date: February 12, 2015
    Inventors: Timothy Clish, Samuel Galpin, James G. Calvin, Albert Rooyakkers
  • Patent number: 8955039
    Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.
    Type: Grant
    Filed: September 12, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Gyan Prakash, Jesse Walker, Saurabh Dadu
  • Patent number: 8955098
    Abstract: Techniques for configuring network security include obtaining non-packet flow information, evaluating a policy rule based on the obtained information, and proposing a security arrangement based on the evaluation. The non-packet flow information can include, for example, authentication information obtained during an Internet Key Exchange protocol session or information obtained from a layered service provider. Therefore, policies such as Internet Protocol security (IPsec) policies can be defined and implemented so that they more accurately reflect the network's security requirements.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Victor B. Lortz, Ylian Saint-Hilaire, James L. Jason, Jr.
  • Patent number: 8954735
    Abstract: A method and device for securely provisioning trust anchors includes generating a database wrapper key as a function of computing device hardware. The database wrapper key encrypts a key database when it is not in use by a trusted execution environment and may be generated using a Physical Unclonable Function (PUF). A local computing device establishes a secure connection and security protocols with a remote computing device. In establishing the secure connection, the local computing device and remote computing device may exchange and/or authenticate cryptographic keys, including Enhanced Privacy Identification (EPID) keys, and establish a session key and device identifier(s). One or more trust anchors are then provisioned depending on whether unilateral, bilateral, or multilateral trust is established. The local computing device may act as a group or domain controller in establishing multilateral trust. Any of the devices may also require user presence to be verified.
    Type: Grant
    Filed: September 28, 2012
    Date of Patent: February 10, 2015
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, David Johnston, George W. Cox, Adi Shaliv
  • Patent number: 8955061
    Abstract: An information processing apparatus for executing authentication processing, characterized by comprising: storage means for storing, in association with each other, an image, region information indicating a region included in the image, and word information indicating an object linked with the region; determination means for determining an image to be used for the authentication processing among the images stored in the storage means; display means for displaying the image determined by the determination means; specification means for specifying, in a case where a user designates a position within the image displayed by the display means, word information associated with region information of a region including the position; and authentication means for executing authentication processing using the word information specified by the specification means.
    Type: Grant
    Filed: April 10, 2013
    Date of Patent: February 10, 2015
    Assignee: Canon Kabushiki Kaisha
    Inventor: Manami Hatano
  • Patent number: 8955047
    Abstract: A method for authentication of a high-security client and a low-security client in a high-security mobile radio network includes: transmitting a request for authentication from a base station to the high-security client, wherein the request for authentication comprises a random number as a challenge; receiving a response from the high-security client at the base station, wherein the response from the high-security client comprises a generated number generated by performing a keyed cryptographic function on the challenge; providing a fixed number to the low-security client; and receiving a response from the low-security client at the base station, wherein the response from the low-security client comprises the fixed number. Limited access to the mobile radio network is granted for the low-security client relative to an access of the high-security client.
    Type: Grant
    Filed: August 20, 2010
    Date of Patent: February 10, 2015
    Assignee: Deutsche Telekom AG
    Inventor: Thomas Sonntag
  • Patent number: 8954759
    Abstract: A magnetic memory device includes a main memory made of magnetic memory, the main memory further including a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protected zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.
    Type: Grant
    Filed: September 14, 2012
    Date of Patent: February 10, 2015
    Assignee: Avalanche Technology, Inc.
    Inventors: Siamack Nemazie, Ngon Van Le
  • Patent number: 8955044
    Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.
    Type: Grant
    Filed: October 4, 2010
    Date of Patent: February 10, 2015
    Assignee: Yahoo! Inc.
    Inventors: Kunal Punera, Shanmugasundaram Ravikumar, Anirban Dasgupta, Belle Tseng, Hung-Kuo (James) Chu
  • Patent number: 8949596
    Abstract: A first server is configured to receive a first token from a user device, determine whether the first token is valid, request the user device to provide a set of credentials to a second server, based on determining that the first token is invalid, and receive a first response from the user device. The first response may include information identifying whether the user device is authenticated to communicate with the first server. The first server is further configured to send the first response to a third server. The third server may generate a second response to indicate authentication of the user device to communicate with the first server. The first server is further configured to receive the second response from the third server, generate a second token, based on receiving the second response, and send the second token to the user device.
    Type: Grant
    Filed: July 10, 2012
    Date of Patent: February 3, 2015
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Fenglin Yin, Jianxiu Hao, Zhiying Jin
  • Patent number: 8949941
    Abstract: A system, method, and apparatus for the authentication of the physical location of a target node are disclosed herein. In one or more embodiments, the authentication of the target node's physical location is achieved by using ping ranging measurements obtained from the amount of time that elapses during ping messages being sent between the target node and at least one trusted node with a known physical location. The physical location of the trusted node(s) is obtained by using satellite geolocation techniques. The accuracy of the ranging measurements may be improved upon by using pre-coordination and/or priority determination of the ping messages being sent between the target node and the trusted node(s). In at least one embodiment, the ping messages are sent by dedicated ping response hardware that is associated with the target node and/or the trusted node(s). In some embodiments, the ping messages include a pseudo random code bit sequence.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: February 3, 2015
    Assignee: The Boeing Company
    Inventors: David A. Whelan, Gregory M. Gutt, David G. Lawrence, Michael Lee O'Connor, Rachel Rane' Schmalzried
  • Patent number: 8949607
    Abstract: A method for protecting a digital document and user data typed into a digital document is presented. The method comprises computation of an authentication tag when the document is sent from a server. A similar authentication tag is computed when the document is shown on a client. When another document referenced in the document is requested by the client from the server, the authentication tag computed by the client is attached to the request for that other document. The server receiving the request compares the authentication tag it computed with the one it received to verify if the request came from an authentic copy of the document. The method is suitable for protection of online banking, online investment, online shopping, and other electronic applications.
    Type: Grant
    Filed: May 8, 2013
    Date of Patent: February 3, 2015
    Assignee: Codesealer APS
    Inventor: Hans Martin Boesgaard Soerensen
  • Patent number: 8949605
    Abstract: Content is transmitted within a range of the user's legitimate use while limiting the number of equipment to which the content is transmitted at the same time. A content using apparatus periodically transmits an exchange key and the corresponding key ID using a command. Only while receiving the key ID at predetermined reception cycles, a content providing apparatus maintains the corresponding exchange key. When not periodically receiving the key ID, the content providing apparatus destroys the corresponding exchange key. After that, when receiving a command including the key ID, the content providing apparatus returns a response including information indicating that the exchange key has become invalid.
    Type: Grant
    Filed: June 2, 2011
    Date of Patent: February 3, 2015
    Assignee: Sony Corporation
    Inventor: Takehiko Nakano
  • Patent number: 8948382
    Abstract: A wireless computing device operating as a controller of a peer-to-peer group configured to generate unique master keys for each device joining the group. The wireless computing device may use the unique master keys to selectively remove remote devices from the group such that the remote device cannot later rejoin the group. Other remote devices, each possessing a master key that remains valid, can disconnect from the group and later reconnect to the group without express user action. To support such behavior, the wireless device may provide a user interface through which a user may manage connected remote devices by providing commands to selectively disconnect or remove remote devices from the group.
    Type: Grant
    Filed: December 16, 2010
    Date of Patent: February 3, 2015
    Assignee: Microsoft Corporation
    Inventors: Amer A. Hassan, Mitesh K. Desai, Yatharth Gupta, Henrique Filgueiras
  • Patent number: 8943561
    Abstract: Systems and method for authenticating users are presented. A system can send a passkey to a user interface of a known device. A user can then send a messaging service message with the passkey from a second device to the system. After receiving the message from the user, the system can extract the passkey from the message, and compare the received passkey against the passkey originally sent to the user. The known device and the second device can each have separate and unique device identifiers.
    Type: Grant
    Filed: July 13, 2012
    Date of Patent: January 27, 2015
    Assignee: TextPower, Inc.
    Inventors: Robert Foster, Scott Goldman, Mark Nielsen
  • Patent number: 8935749
    Abstract: A method for wireless communications and a wireless transmit/receive unit are disclosed. At least one first wireless communication link with a base station for transmitting/receiving data packets is established, which at least one first wireless communication link complies with at least a first authentication mechanism. At least one second wireless communication link with at least one user device for transmitting/receiving data packets is established, which at least one second wireless communication link complies with at least a second authentication mechanism, wherein the at least one second wireless communication link comprises a peer-to-peer wireless communication link. The at least one first wireless communication link and the at least one second wireless communication link are concurrently maintained.
    Type: Grant
    Filed: May 23, 2011
    Date of Patent: January 13, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Alexandros Maniatopoulos
  • Patent number: 8934633
    Abstract: High-security communications against information leakage as well as high-speed communications are realized using present optical fiber networks. The methods are as follows: (1) A seed key is shared between a transmitter and a receiver in advance. Random numbers are transmitted using carrier light accompanied by fluctuations and bases that are decided by random numbers. The transmitter and receiver compare a shared basis that is determined by the seed key with the random basis, and decompose the random numbers superimposed on each bit into two sequences, based on whether the shared basis coincides with the random basis or not. Error correction is processed for each sequence in the receiver, and then the random numbers are shared between the transmitter and the receiver. (2) The amount of the random numbers shared between the transmitter and the receiver is reduced to secret capacity through privacy amplification, and the resultant random numbers are used as a secret key.
    Type: Grant
    Filed: January 17, 2011
    Date of Patent: January 13, 2015
    Assignee: Hitachi, Ltd.
    Inventor: Tatsuya Tomaru
  • Patent number: 8930700
    Abstract: A remote device secure data file storage system and method of securely storing data files at a remote device, includes a host system having a database and a plurality of remote devices, each connected with the host system by a communication network. Each remote device and the host system is programmed with a time-based cryptography system that generates an encryption key (RVK) and initialization vector (IV) for encrypting and decrypting data on the remote device. The time-based cryptography system generates the encryption key (RVK) as a function of a parameter (PDPT) that is a function of a personal date (PD) and personal time (PT) of the user. The personal date and personal time of the user are a function of personal data entered by the user on the remote device. The personal date (PD) is a function of the date of birth (DOB) of the user and the personal time (PT) is a function of the time of birth (TOB) of the user.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: January 6, 2015
    Inventor: Richard J. Wielopolski
  • Patent number: 8929551
    Abstract: Techniques for transmitting pilot and traffic data are described. In one aspect, a terminal may scramble its pilot with a scrambling sequence generated based on a set of static and dynamic parameters. The static parameter(s) have a fixed value for an entire communication session for the terminal. The dynamic parameter(s) have a variable value during the communication session. The terminal may generate a scrambling sequence by hashing the set of parameters to obtain a seed and initializing a pseudo-random number (PN) generator with the seed. The terminal may then generate the pilot based on the scrambling sequence. In another aspect, the terminal may use different scrambling sequences for pilot and traffic data. A first scrambling sequence may be generated based on a first set of parameters and used to generate the pilot. A second scrambling sequence may be generated based on a second set of parameters and used to scramble traffic data.
    Type: Grant
    Filed: May 3, 2013
    Date of Patent: January 6, 2015
    Assignee: QUALCOMM Incorporated
    Inventors: Aamod Khandekar, Alexei Gorokhov, Mohammad J. Borran, Rajat Prakash
  • Patent number: 8930696
    Abstract: A system and method for exchanging secure information between Secure Removable Media (SRM) devices. An initialization operation is performed between the SRM devices. After a mutual authentication operation is performed between the SRM devices, a secret key is exchanged for secure information exchange. An installation setup operation is then performed to establish an environment for moving rights between the SRM devices, and the rights information can be directly exchanged between the SRM devices by performing a rights installation operation between the SRM devices.
    Type: Grant
    Filed: May 22, 2009
    Date of Patent: January 6, 2015
    Assignee: Samsung Electronics Co., Ltd.
    Inventor: Jung-Hun Park
  • Patent number: 8931049
    Abstract: A trusted network connection implementing method based on Tri-element Peer Authentication is provided in the present invention, the method includes: step 1, configuring and initializing; step 2, requesting for network connection, wherein an access requester sends a network connection request to an access controller, and the access controller receives the network connection request; step 3, authenticating user ID; and step 4, authenticating a platform. The invention enhances the safety of the trusted network connection implementing method, widens the application range of the trusted network connection implementing method based on the Tri-element Peer Authentication, satisfies requirements of different network apparatuses and improves the efficiency of the trusted network connection implementing method based on the Tri-element Peer Authentication.
    Type: Grant
    Filed: December 1, 2009
    Date of Patent: January 6, 2015
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Yuelei Xiao, Jun Cao, Li Ge, Zhenhai Huang
  • Publication number: 20150006892
    Abstract: The present invention relates to application-level secure end-to-end communication. Specifically, it relates to methods, apparatuses and computer program products for creating and distributing a shared secret and to sending or receiving messages between an embedded device and a user device via a cloud server.
    Type: Application
    Filed: January 14, 2014
    Publication date: January 1, 2015
    Applicant: HITECH & DEVELOPMENT WIRELESS SWEDEN AB
    Inventors: Per EKMAN, Anders GRAHN, Pär BERGSTEN
  • Patent number: 8925046
    Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.
    Type: Grant
    Filed: February 25, 2013
    Date of Patent: December 30, 2014
    Assignee: Fujitsu Limited
    Inventors: Takao Ogura, Fumihiko Kozakura
  • Patent number: 8925048
    Abstract: A security method in a server-based mobile IP system is provided. Specifically, in the security method, general data is securely exchanged in addition to a control message that is exchanged between a mobile node and a server or between mobile nodes. Specifically, provided is a method of securely exchanging data by using a mobile node including an mPAK execution module generating necessary keys by exchanging key information with the server while performing a mutual authentication process and negotiating the security policy; and a security module setting a security policy that is negotiated with the corresponding node and applying the security policy to data according to the set security policy when transmitting the data.
    Type: Grant
    Filed: March 26, 2008
    Date of Patent: December 30, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Ho Sun Yoon, Ho Yong Ryu, Sung Back Hong
  • Publication number: 20140380052
    Abstract: A message filtering method and system is provided for enabling a terminal to determine whether a message is true or false. A message server and a mobile network server perform mutual authentication and negotiate with each other for a sequence code for message verification; when transmitting a message to a terminal, the message server contains the sequence code in the message; after receiving the message, the terminal transmits the sequence code to the mobile network server for verification, presents the message for the user if the verification is passed, or rejects the message if the verification is not passed. By verifying the source of a message received using a sequence code, a false message server can be prevented from spreading a false message to terminals.
    Type: Application
    Filed: April 12, 2012
    Publication date: December 25, 2014
    Applicant: ZTE CORPORATION
    Inventors: Weicheng Tao, Jun Chen, Lizhe Yao
  • Publication number: 20140380051
    Abstract: A mechanism is provided for secure data access in a data processing system. A database having two tables is provided. A subset of the tables' primary key attributes is considered sensitive. A first user is authorized to access the primary key's sensitive attribute in an unmasked format, while a second user is authorized to access same data in a masked format. Two security views are generated granting the second user access to the primary key's sensitive attribute values of both tables in the masked format. The masked format value is generated from an unmasked format value using a reversible function. A join operation between the two security views is performed by optimizing a query statement corresponding to the join operation.
    Type: Application
    Filed: June 21, 2013
    Publication date: December 25, 2014
    Applicant: International Business Machines Corporation
    Inventors: Edward G. Branish, II, Veerabhadra R. Chinnam, George R. Hughes, JR., James C. Sun
  • Patent number: 8918637
    Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.
    Type: Grant
    Filed: June 3, 2013
    Date of Patent: December 23, 2014
    Assignee: Visa U.S.A. Inc.
    Inventors: David Wentker, Michael Lindelsee, Olivier Brand, James Dimmick, Tribhuwan A. Singh Grewal
  • Patent number: 8918846
    Abstract: A system and method for securely storing, retrieving and sharing data using PCs and mobile devices and for controlling and tracking the movement of data to and from a variety of computing and storage devices.
    Type: Grant
    Filed: July 3, 2014
    Date of Patent: December 23, 2014
    Assignee: QuickVault, Inc.
    Inventor: Steven V. Bacastow
  • Patent number: 8914867
    Abstract: A method and apparatus for redirecting data traffic are provided. The method includes receiving a service request from a first device, allocating resources for the service, associating the resources with a first unique identifier, confirming the service request with the first device, receiving a connection request from a second device including the first unique identifier and an authentication certificate, passing the authentication certificate to the first device, and receiving an authentication confirmation from the first device. The method further includes, in response to receiving the authentication confirmation, accepting the connection request from the second device, providing an indication regarding at least one local area network to the second device, and providing required credentials associated with the at least one local area network to the second device.
    Type: Grant
    Filed: December 22, 2010
    Date of Patent: December 16, 2014
    Assignee: Notava Oy
    Inventors: Antti Tuomas Lappeteläinen, Juha-Matti Tuupola, Timo Eriksson, Mikko Hurskainen, Risto Suoranta, Antti Latva-Aho, Pasi Katajainen
  • Patent number: 8913751
    Abstract: A key management and node authentication method for a sensor network is disclosed. The method comprises the following steps of: 1) keys pre-distribution: before deploying the network, communication keys for establishing security connection between nodes are pre-distributed to all of the nodes by a deployment server. 2) Keys establishment: after deploying the network, a pair key for the security connection is established between nodes, which includes the following steps of: 2.1) establishment of shared keys: the pair key is established between neighbor nodes in which shared keys exist; 2.2) path keys establishment: the pair key is established between the nodes in which there are no shared keys but there is a multi-hop security connection. 3) Node identity (ID) authentication: before formally communicating between nodes, the identity is authenticated so as to determine the legality and the validity of the identity of the other.
    Type: Grant
    Filed: June 2, 2010
    Date of Patent: December 16, 2014
    Assignee: China IWNCOMM Co. Ltd.
    Inventors: Zhiqiang Du, Jun Cao, Manxia Tie, Zhenhai Huang
  • Patent number: 8904178
    Abstract: A method and apparatus for directing a client to establish a secure connection with a server across a public network. The server and the client exchange a Server Authentication Public Key, a Client Authentication Public Key, and a Remote Service Unique Identifier (RSUID) during a registration process. In one embodiment, the method includes the client transmitting to the server a client information package having the RSUID and a client challenge information package encrypted with the Server Authentication Public Key, the client receiving from the server a server information package having the RSUID and a server challenge information package and a portion of the received client challenge information encrypted with the Client Authentication Public Key, the client decrypting and verifying the server challenge information package with the Client Authentication Private Key, and, the client transmitting to the server an encrypted portion of the received client challenge information.
    Type: Grant
    Filed: September 26, 2007
    Date of Patent: December 2, 2014
    Assignee: International Business Machines Corporation
    Inventors: Mark F. Wilding, Randall W. Horman
  • Patent number: 8904484
    Abstract: System and method for setting up a data communication are disclosed. Method includes facilitating authenticating a module of a client computing device for the data communication. Method includes facilitating authenticating a module of a server for the data communication. Method includes authenticating an encoding for a network-based procedure call interface for the server. Method includes binding the network-based procedure call interface to a protocol for a gateway interface of the server. Method includes facilitating verifying that a message size of a message transmitted to a module of the client computing device or to a module of the server is within a message size range. Method includes facilitating creating a tunnel to a module of the server, wherein the tunnel is for the data communication. Method includes facilitating creating a channel within the tunnel, wherein the channel is for the data communication.
    Type: Grant
    Filed: June 1, 2012
    Date of Patent: December 2, 2014
    Assignee: Wyse Technology L.L.C.
    Inventor: Andrew T. Fausak