Authentication Of An Entity And A Message Patents (Class 713/170)
  • Patent number: 11258783
    Abstract: Disclosed in some examples are methods, systems and machine-readable mediums which allow for more secure authentication attempts by implementing authentication systems with credentials that include interspersed noise symbols in positions determined by the user. These systems secure against eavesdroppers such as shoulder-surfers or man-in-the-middle attacks as it is difficult for an eavesdropper to separate the noise symbols from legitimate credential symbols.
    Type: Grant
    Filed: June 10, 2019
    Date of Patent: February 22, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Amer Aref Hassan, Wei-Chen Chen
  • Patent number: 11240019
    Abstract: Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: February 1, 2022
    Assignee: Huawei Technologies Co., Ltd.
    Inventors: Aiqin Zhang, Jing Chen, Xiaoyu Bi
  • Patent number: 11223480
    Abstract: Systems and methods are provided for identifying potentially compromised cloud-based access information. The systems and methods include providing a unique signature for insertion into application programming interface (API) communications to be sent from a network resource to a cloud application executable in a cloud environment. The unique signature can be associated with an access token that a particular identity can use to request access to the cloud application. The systems and methods include accessing a log associated with the cloud environment, identifying the unique signature and the access token using information in the log, accessing a trusted validation resource storing signature information associated with the access token, determining whether the unique signature is valid, and determining whether the access token is potentially compromised.
    Type: Grant
    Filed: January 2, 2018
    Date of Patent: January 11, 2022
    Assignee: CyberArk Software Ltd.
    Inventors: Asaf Hecht, Kobi Ben Naim
  • Patent number: 11216514
    Abstract: A secure DNS query may be made by establishing a secure connection with a specific DNS server to determine an address for a hostname. A client device may have a database that may contain a record of a secure DNS server for one or more hostnames. When a DNS request contains one of the specified hostnames, an authenticated session may be created with the designated secure DNS server and a network address for the hostname is returned using the session. The authenticated session may authenticate a client device to the server as well as authenticate the server to the client. In some embodiments, the secure DNS server may accept connections from authenticated clients and may disregard connection requests from non-authenticated clients.
    Type: Grant
    Filed: July 28, 2017
    Date of Patent: January 4, 2022
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Jeromy S. Statia, Christopher J. Engdahl, Lee Walker, William Dixon
  • Patent number: 11212081
    Abstract: A method for signing a new block of a blockchain of a distributed blockchain consensus network (DBCN), comprising a mining computing entity (MCE) and a node computing entity, includes the step of signing and/or encrypting of predefined MCE information by the MCE, using a secret key of a public key/secret key key pair of the MCE to obtain hidden information (HI). The new block is signed by the MCE using the secret key and block information comprising block height information to create a signature for the new block. In a case of at least one further signing of a different block with the respective same block height information by the MCE, reveal information is provided to reveal the HI to the DBCN by another node computing entity of the DBCN when the node computing entity has received two signatures comprising the same corresponding block height information.
    Type: Grant
    Filed: February 24, 2017
    Date of Patent: December 28, 2021
    Assignee: NEC CORPORATION
    Inventors: Ghassan Karame, Jens-Matthias Bohli, Wenting Li
  • Patent number: 11201857
    Abstract: A domain transcendent file cryptology network includes a first data cryptology node in a first data domain having a first security protocol. A hardware processor of the first data cryptology node executes a first instantiation of a software code to receive a request to transfer a data file from the first data domain to a second data domain having a second, different, security protocol, obtain one or more characteristics of the data file, and generate an authentication tag for the data file based on the characteristic(s). The first instantiation of the software code also encrypts the data file and transmits the encrypted data file, the authentication tag, and a decryption key to a second data cryptology node in the second data domain. The decryption key and the authentication tag enable decryption of the encrypted data file by a second instantiation of the software code on the second data cryptology node.
    Type: Grant
    Filed: December 9, 2019
    Date of Patent: December 14, 2021
    Assignee: Disney Enterprises, Inc.
    Inventors: Thomas C. Scott, Matthew D. Estes, Douglas A. Hill
  • Patent number: 11200771
    Abstract: According to some embodiments, a system and method associated with an electronic voting system are provided. The system comprises a voting station associated with a voting precinct to receive an electronic vote from a voter. A recursive server (RS) receives the electronic vote from the voting station and determines a voting precinct vote count. An authoritative name server (ANS) receives the electronic vote from the RS and determines a final vote count associated with one or more voting precincts.
    Type: Grant
    Filed: November 26, 2018
    Date of Patent: December 14, 2021
    Inventor: Christopher Maza
  • Patent number: 11188998
    Abstract: A cell phone is disclosed for acquiring information to be transmitted to a receiving facility and for transmitting such thereto. A capture device captures information from an external source. A processor is provided for associating with the captured information a representation of the date and time of the capture of the information, such that the representation of the date and time information in association with the captured information forms augmented captured information. The processor also places the augmented captured information in association with subscriber information in a transmission of the augmented captured information to a receiving facility requiring such subscriber information. A transmitter transmits the transmission including the augmented captured information and the subscriber information to the receiving facility.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: November 30, 2021
    Assignee: MYPORT IP, INC.
    Inventor: Michael F. Malone
  • Patent number: 11184348
    Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.
    Type: Grant
    Filed: June 11, 2019
    Date of Patent: November 23, 2021
    Assignee: DigiCert, Inc.
    Inventor: Kokil Bhalerao
  • Patent number: 11176236
    Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising a memory configured to store a user key, a token relating to a resource, the token comprising the user key in encrypted form, and management data received in the apparatus from a server, and at least one processing core configured to participate in an access interaction with the resource, the access interaction being based at least partly on the token and the user key and the access interaction comprising first sending the management data to the resource and then completing the access interaction to access the resource.
    Type: Grant
    Filed: June 19, 2018
    Date of Patent: November 16, 2021
    Assignee: Bitwards Oy
    Inventor: Jan-Erik Ekberg
  • Patent number: 11171781
    Abstract: This invention relates to personal identity management and verifiable and authenticable methods and systems for mobile personal credentials. A critical problem is knowing the true identity of counterparties while using electronic messaging or conducting online transactions. Existing security measures can be bypassed when identity is presented in electronic form. The inventors address these issues by providing digital ID document in conjunction with data that permits the other party to verify ID. Further, the inventors either link the electronic ID to its physical counterpart or to the actual physical individual presenting the ID. Immutable digital ledger technology, such as blockchain, is used to provide trustworthy authentication of digital identity along with assurance that the identity presented belongs to the individual presenting it.
    Type: Grant
    Filed: July 20, 2018
    Date of Patent: November 9, 2021
    Inventor: Sal Khan
  • Patent number: 11170614
    Abstract: A method for authenticating a transaction includes replacing a first security value of a transaction device with a second security value; receiving, during a first transaction, the second security value; authenticating the first transaction based at least in part on the second security value; determining that a predetermined number of transactions have occurred during which the second verification value was not rewritten since the second security value was replaced; responsive to determining that the predetermined number of transactions have occurred, replacing the second security value on the transaction device with a third security value; receiving, during a second transaction, the third security value; and authenticating the second transaction based at least in part on the third security value.
    Type: Grant
    Filed: May 18, 2020
    Date of Patent: November 9, 2021
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Michael Thomas, Jesse Lee, Steve Puffer, Jerome Rhodes
  • Patent number: 11170077
    Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 9, 2021
    Assignee: VMWARE, INC.
    Inventors: Alok Nemchand Kataria, Achindra Bhatnagar, Sachin Shinde, Martim Carbone, Deep Shah
  • Patent number: 11165766
    Abstract: A method and computer system for implementing authentication protocol for merging multiple server nodes with trusted platform modules (TPMs) utilizing provisioned node certificates to support concurrent node add and node remove. Each of the multiple server nodes boots an instance of enablement level firmware and extended to a trusted platform module (TPM) on each node as the server nodes are powered up. A hardware secure channel is established between the server nodes for firmware message passing as part of physical configuration of the server nodes to be merged. A shared secret is securely exchanged via the hardware secure channel between the server nodes establishing an initial authentication value shared among all server nodes. All server nodes confirm common security configuration settings and exchange TPM log and platform configuration register (PCR) data to establish common history for future attestation requirements, enabling dynamic changing the server nodes and concurrently adding and removing nodes.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: November 2, 2021
    Assignee: International Business Machines Corporation
    Inventors: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, William E. Hall, Hugo M. Krawczyk, David D. Sanner, Christopher J. Engel, Peter A. Sandon, Alwood P. Williams, III
  • Patent number: 11165573
    Abstract: An exemplary method includes maintaining encrypted identity data associated with a user, the encrypted identity data representative of a digital identity of the user, receiving an access request from a service provider system for the service provider system to have access to the digital identity of the user when the user attempts to access a service provided by the service provider system, transmitting, in response to the access request, an authorization request to a computing device associated with the user, the authorization request prompting the user to authorize sharing of the digital identity with the service provider system, receiving, from the computing device, authorization data indicating that the user authorizes sharing of the digital identity with the service provider system, and providing, in response to receiving the authorization data from the computing device, the service provider system with access to the digital identity.
    Type: Grant
    Filed: March 1, 2019
    Date of Patent: November 2, 2021
    Assignee: Banco Bilbao Vizcaya Argentaria, S.A.
    Inventor: Louis Gasparini
  • Patent number: 11153090
    Abstract: An electronic device and method are disclosed. The electronic device includes a communication circuit, a memory storing identifiers for one or more external electronic devices defined as a group, and a processor. The processor implements the method, including receiving biometric information detected by an external biometric detection device via transmission from at least one external electronic device of the group, selecting from within the group a particular external electronic device based on the received biometric information and the information related to the particular external electronic device, and transmitting the received biometric information to the selected particular external electronic device.
    Type: Grant
    Filed: December 18, 2017
    Date of Patent: October 19, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Seon-Hyung Lee, Soon-Hwan Kwon
  • Patent number: 11144773
    Abstract: Systems and methods are described, and an example system creates a transaction between a biometric station and a user in a group of users. The transaction includes establishing, for the user, a ground-truth identity, capturing an image of the user in the biometric station, and making a first determination of whether the image is sufficient for identification of the user. When the image is sufficient, the transaction derives biometric information from the image, converts the biometric information into a generic-form biometric information, agnostic of how the biometric information was obtained, and generates hashed user data by applying a hash function to the generic-form biometric information. The transaction makes a second determination, based on the hashed user data, of whether the user is represented in a gallery of sample images. The transactions are repeated for other users in the group.
    Type: Grant
    Filed: November 10, 2020
    Date of Patent: October 12, 2021
    Assignee: The Government of the United States of America, as represented by the Secretary of Homeland Security
    Inventor: Arun Vemury
  • Patent number: 11138338
    Abstract: A technique includes accessing data representing a plurality of values; and determining a pseudonym value for a given value of the plurality of values. Determining the pseudonym includes encrypting the given value to provide a first encrypted value; encrypting an attribute that is associated with the given value to provide a second encrypted value; and generating the pseudonym value based on the first encrypted value and the second encrypted value.
    Type: Grant
    Filed: March 20, 2018
    Date of Patent: October 5, 2021
    Assignee: Micro Focus LLC
    Inventors: Timothy Roake, Luther Martin
  • Patent number: 11134100
    Abstract: A network device connected via a bus with a plurality of network devices includes: an authentication unit that executes authentication based upon message authentication information included in data transmitted, via the bus, by one of the plurality of network devices acting as a sender device; and a processing unit that invalidates the data upon determining that unauthorized data have been transmitted by the sender device impersonating another network device among the plurality of network devices if the authentication fails.
    Type: Grant
    Filed: December 27, 2019
    Date of Patent: September 28, 2021
    Assignee: Hitachi Astemo, Ltd.
    Inventor: Satoshi Otsuka
  • Patent number: 11127053
    Abstract: Provided is a computer-implemented method for event-based communication and messaging that includes determining general event data associated with an event, determining user data associated with a user based on determining the event data associated with the event, determining pre-event data associated with the event, current event data associated with the event, or post-event data associated with the event based on the general event data associated with the event and the user data associated with the user, determining a current user location of the at least one user, generating at least one message based on the current user location, the at least one message including at least one of the following: pre-event data; current event data; post-event data; or any combination thereof; and communicating the at least one message to a user device of the user. A system and computer program product are also disclosed.
    Type: Grant
    Filed: November 8, 2018
    Date of Patent: September 21, 2021
    Assignee: Visa International Service Association
    Inventors: John McGuire, Sameer Shiraz Poonja, Osman Alam, William Allan Gajda, Khaled Tlais, Teemu Mattila, Jake Jordan Butler, Ranjiva Prasad
  • Patent number: 11122103
    Abstract: A method of sharing content by using a personal cloud device and an electronic device and a personal cloud system using the method are provided. The method includes connecting to a personal cloud device configured to share the content with another electronic device, if a new first content is added to a set first folder, determining an upload condition of the electronic device, and if the upload condition satisfies a set condition, transmitting the first content to the personal cloud device. Accordingly, a user is able to share contents between a plurality of electronic devices by using a personal cloud device in real time.
    Type: Grant
    Filed: August 26, 2019
    Date of Patent: September 14, 2021
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Bon-hyun Koo, Su-byeong Oh, Kyoung-lae Noh, Ki-eun Shin
  • Patent number: 11122428
    Abstract: A system for transmission data protection includes user equipment (UE) and an access point. The access point sends a broadcast message that carries a public key for encryption. The UE receives and stores the public key for encryption. The UE obtains a global public key or a private key corresponding to the UE, and protects transmission data using the public key for encryption and the global public key or the private key corresponding to the UE.
    Type: Grant
    Filed: January 2, 2019
    Date of Patent: September 14, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Haiguang Wang, Fei Liu, Xin Kang
  • Patent number: 11106780
    Abstract: An electronic device that performs authentication of a user where the electronic device improves the convenience of user authentication that employs an LDAP server. An electronic device is configured to connect and communicate with a server storing a plurality of types of authentication information in association with a user for a plurality of users. The electronic device includes an information cache storage that stores user authentication information that is at least a part of the authentication information stored on the server, and an authentication controller that runs a user authentication process on the basis of authentication information entered by a user, and the authentication information acquired from the server. The authentication controller updates the user authentication information stored in the cache information storage after the user authentication process on the basis of the authentication information entered by the user or the authentication information acquired from the server.
    Type: Grant
    Filed: January 11, 2019
    Date of Patent: August 31, 2021
    Assignee: Seiko Epson Corporation
    Inventor: Yasuhiro Furuta
  • Patent number: 11095478
    Abstract: The present invention discloses an access control method, apparatus, and system, and belongs to the communications field. The method includes: receiving a virtual extensible local area network VXLAN request packet sent by an access device; parsing the VXLAN request packet to obtain an IP address of the access device and authentication information of a user; sending the IP address of the access device and the authentication information of the user to an authentication server, so that the authentication server authenticates the user; receiving an authentication result sent by the authentication server; and controlling the user according to the authentication result. According to the present invention, the user is authenticated according to access information of the user in a VXLAN scenario.
    Type: Grant
    Filed: August 23, 2018
    Date of Patent: August 17, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Ying Xie, Xin Wang
  • Patent number: 11082840
    Abstract: An automated vehicle parking system uses a driver's authentication device, such as a mobile phone or portable tag, to identify the driver. Vehicle sensing terminals detect when and where a vehicle has parked and send wireless notifications to the vehicle owner's authentication device. The authentication device, the vehicle sensing terminal and a cloud server interact using secure wireless communications to validate the driver's qualifications and record the parking event. Vehicle sensing terminals detect when the vehicle leaves its parking space and the parking system automatically terminates the parking session. The authentication device handles the bulk of the communication with the cloud server to reduce consumption of the vehicle sensing terminal's power supply. The sensing and portable tag devices communicate using secure tokens that are encrypted with unique individual or group keys.
    Type: Grant
    Filed: August 13, 2019
    Date of Patent: August 3, 2021
    Assignee: Nwave Technologies, Inc.
    Inventor: Yury Birchenko
  • Patent number: 11074574
    Abstract: A method for processing transactions of the type including transmission, to a communications terminal, of a receipt relating to a payment transaction during the implementation of this payment transaction by a payment terminal. The method includes, in the payment terminal: obtaining a piece of data representing an end of a transaction; building a data structure according to a piece of data of the transaction, the data structure representing a receipt; transmitting a signal including at least the data structure; subsequently to the step of transmission, finalizing the transaction, including the transmission of a piece of finalizing data to be transmitted to a user.
    Type: Grant
    Filed: March 30, 2018
    Date of Patent: July 27, 2021
    Assignee: INGENICO GROUP
    Inventors: Stephane Pavageau, Roger Devornique
  • Patent number: 11070671
    Abstract: The disclosed embodiments relate to a system that facilitates accessing external servers to process messages during customer-support conversations in an online customer-support system. During operation, the system receives a message from a sender while the message is in transit between the sender and a receiver during a customer-support conversation, wherein the customer-support conversation is between a customer and a responsive entity, and wherein the customer-support conversation relates to an issue the customer has with a product or a service used by the customer. Next, the system feeds the message through a pipeline of processors, wherein each processor in the pipeline is configured to make a call to an associated external server to perform an operation on the message before forwarding the message to a subsequent stage of the pipeline. Finally, when the message finishes transiting the pipeline, the system forwards the message to the receiver.
    Type: Grant
    Filed: May 12, 2020
    Date of Patent: July 20, 2021
    Assignee: Zendesk, Inc.
    Inventors: Michael Gozzo, Andrew Lavers, Jean-Philippe J. Joyal, Michael J. Spensieri
  • Patent number: 11057187
    Abstract: A set of secret, indexed keys is generated and used in requests from a signing entity to a signing server for digital signature of messages. The signing server maintains a counter as well as a hash tree that aggregates requests during a round into a root value that is stored in an append-only data structure in a repository. Each signing entity is associated with a leaf of the hash tree. After a signature is formed, the counter for the requesting signing entity is incremented, whereby the secret key that was used cannot be used again.
    Type: Grant
    Filed: August 4, 2019
    Date of Patent: July 6, 2021
    Assignee: Guardtime SA
    Inventors: Ahto Buldas, Risto Laanoja, Ahto Truu
  • Patent number: 11048789
    Abstract: A method of unlocking a locked device includes receiving a device identifier over a wireless communication protocol, determining if the device identifier is associated with a list of trusted devices, transmitting a request to generate an acoustic signal over the wireless communication protocol based on the determination, receiving the acoustic signal as an audio sound generated external to the locked device, estimating a distance between a source of the audio sound and the locked device, and unlocking the locked device based on the estimation.
    Type: Grant
    Filed: May 4, 2018
    Date of Patent: June 29, 2021
    Assignee: Apple Inc.
    Inventor: Matthew E. Last
  • Patent number: 11044091
    Abstract: An embodiment of an automatic key delivery system is described. An automatic key delivery system comprises the following operations. Herein, a first token is generated and provided to a first network device. Thereafter, a first key value pair, including the first token and a first key segment of a cryptographic key, is received by a first relay server and a second key value pair, including the first token and a second key segment of the cryptographic key, is received from a second relay server. In response, a second token is to be provided to the first relay server and the second relay server. Thereafter, the first and second key segments are returned from the first and second relay servers based on usage of the second token as a lookup in order to recover the cryptographic key for decryption of an encrypted content from the first network device.
    Type: Grant
    Filed: September 12, 2018
    Date of Patent: June 22, 2021
    Assignee: Secure Channels Inc.
    Inventors: Michael R. Feinberg, Richard J. Blech
  • Patent number: 11032708
    Abstract: Securing public hotspot communications by: generating a public-private key pair, deriving an SSID using the generated public key, creating a network using the SSID, specifying a network security setting, and providing a Client the SSID and network security settings. Further, by: receiving a network connection request from the Client, establishing a connection with the Client, receiving a probe request from a network access point, sending an authentication message, receiving SSID configuration information from the network access point, associating the SSID network and the network access point, and receiving Client data.
    Type: Grant
    Filed: September 26, 2018
    Date of Patent: June 8, 2021
    Assignee: International Business Machines Corporation
    Inventors: Chih-Wei Hsiao, Wei-Hsiang Hsiung, Chih-Wen Chao, Sheng Hao Wang
  • Patent number: 11023292
    Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has servers that act as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The servers enforce these policies and distribute the policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized.
    Type: Grant
    Filed: July 31, 2018
    Date of Patent: June 1, 2021
    Assignee: STYRA, INC.
    Inventors: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
  • Patent number: 11025659
    Abstract: A method, system and computer-usable medium for using pseudonyms to identify entities and their corresponding security risk factors is disclosed. In certain embodiments, a computer-implemented method for identifying security risks associated with a plurality of different entities is disclosed, wherein the method comprises: receiving a stream of events, the stream of events comprising a plurality of events associated with the plurality of different entities; pseudonymizing events of the plurality of events by replacing entity names in the plurality of events with corresponding entity pseudonyms to thereby provide a plurality of pseudonymized events; executing security analytics operations on the plurality of pseudonymized events to identify user behaviors presenting security risks; and using the entity pseudonyms to anonymously identify entities engaging in security risk related behaviors.
    Type: Grant
    Filed: October 23, 2018
    Date of Patent: June 1, 2021
    Assignee: Forcepoint, LLC
    Inventors: Kenneth Sarzynski, Phillip Bracikowski
  • Patent number: 11025428
    Abstract: Systems and methods are described that enable trusted communications between two entities. In one implementation, a controller of a vehicle may include one or more processors configured to receive data and a controller signature from a second controller of the vehicle. The controller signature may be generated based on at least a first portion of the data. The one or more processors may be further configured to transmit the data and the controller signature to a gateway of the vehicle and receive a gateway signature from the gateway. The gateway signature may be generated based on at least a second portion of the data and transmitted to the controller after the gateway verified the controller signature. In addition, the one or more processors may be configured to verify the gateway signature and process the data.
    Type: Grant
    Filed: July 17, 2017
    Date of Patent: June 1, 2021
    Assignee: Neustar, Inc.
    Inventor: Brian R. Knopf
  • Patent number: 11012424
    Abstract: An authentication system and method are provided. According to the embodiments of the present disclosure, it is possible to provide a secure authentication service capable of maintaining personal privacy by enabling authentication while preventing personal information used for personal authentication, such as biometric information, from being exposed in the authentication process.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: May 18, 2021
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Kyu-Young Choi, Ji-Hoon Cho, Hyo-Jin Yoon, Duk-Jae Moon
  • Patent number: 10999329
    Abstract: Disclosed are various examples for enforcing network access permissions on applications that are installed on a client device. A network whitelist or network blacklist can be deployed by a management service onto a managed client device. A management component can facilitate enforcement of the whitelist and/or blacklist to enforce network access rules on installed applications.
    Type: Grant
    Filed: January 14, 2020
    Date of Patent: May 4, 2021
    Assignee: VMware, Inc.
    Inventors: Gaurav Verma, Suchit Shivashankar, Don Joy
  • Patent number: 10986150
    Abstract: The disclosed technology teaches distributed routing and load balancing in a dynamic service chain: receiving and processing a packet, with added header including stream affinity code, at a first service instance and based on processing determining a second service, among available services, that should next handle the packet. The technology teaches accessing a flow table using the stream affinity code in the header to select a service instance performing the second service in the service chain, and routing the packet to the second service instance upon egress from the first service instance. When the flow table lacks an entry for the second service corresponding to the stream affinity code, the disclosed technology teaches accessing a consistent hash table of service instances performing the second service, selecting an available instance, and updating the flow table to specify the second service instance as providing the second service for packets sharing the header.
    Type: Grant
    Filed: March 2, 2020
    Date of Patent: April 20, 2021
    Assignee: Netskope, Inc.
    Inventors: Ravi Ithal, Umesh Bangalore Muniyappa
  • Patent number: 10983740
    Abstract: User information is obtained, and an access token for receiving provision of a service from a service provider is obtained. The obtained access token is stored in a memory unit in association with the user information. In accordance with an instruction, the service provider is accessed using the access token stored in the memory unit, and a function corresponding to the instruction is executed.
    Type: Grant
    Filed: February 16, 2018
    Date of Patent: April 20, 2021
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuyuki Tonegawa
  • Patent number: 10979403
    Abstract: A system and method for providing data such as credentials to a third-party service while protecting the data from being transmitted to unintended locations. The system receives a first request containing encrypted data and information identifying the third-party service, validates that the first request is to be transmitted to the third-party service, generates a second request by replacing the encrypted data from the first request with unencrypted data, and transmits the second request to the third-party service.
    Type: Grant
    Filed: June 8, 2018
    Date of Patent: April 13, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Dan Mutescu, Cristi Ursachi
  • Patent number: 10972283
    Abstract: A system, method, and computer program product are provided for implementing zero round trip secure communications based on a noisy secret. In operation, a sender system utilizes a randomly generated message key for encrypting a message to send to a receiver system. The sender system selects a plurality of different sub-keys from a negotiated noisy secret to encrypt the randomly generated message key. The sender system encrypts the message utilizing the randomly generated message key. The sender system sends the encrypted message, all encrypted message keys, and a message MAC that is calculated and added for every sub-key, to the receiver system such that the receiver system is able to perform a MAC-based verification to test sub-key validity of the plurality of different sub-keys.
    Type: Grant
    Filed: March 13, 2019
    Date of Patent: April 6, 2021
    Assignee: DIGITAL 14 LLC
    Inventors: Serguei Velikevitch, Alexander Sherkin
  • Patent number: 10936720
    Abstract: A method for reliable computation of a program P includes generating, by a verifier, a public verification key vkp and a public evaluation key (ekp), both on a basis of the program P, providing, by the verifier, a number N at random and sending the number N to the at least one provider, producing, by the at least one provider, at least one output Si concatenated with N and producing a signature σi over a corresponding input into the at least one provider and/or corresponding data within the at least one provider, both the input and/or the data signed under a secret key ski, so that a pair of output and signature (Si, σi) is transmitted to the computing unit. The verifier verifies the proof πy using the public verification key vkp and rejects y, if the proof verification fails.
    Type: Grant
    Filed: July 10, 2015
    Date of Patent: March 2, 2021
    Assignee: NEC CORPORATION
    Inventors: Sebastian Gajek, Francesco Alesiani
  • Patent number: 10931667
    Abstract: Systems and methods involving a user authentication system for granting access to digital systems and content, computing systems and devices and physical locations. The authentication system granting access to digital systems and content involves a mobile device, a computing device and a server. The authentication system granting access to computing systems and devices and physical locations involves a mobile device, an interface device, a secure system and a server. The authentication systems described permit a user to access digital systems and content, computing systems and devices and physical locations using only the user's mobile device. The mobile device runs a mobile application that performs the authentication functionality using biometric data obtained on the mobile device. The authentication data is stored on the mobile device in an encrypted format and is not shared with the other devices in the authentication system.
    Type: Grant
    Filed: August 30, 2018
    Date of Patent: February 23, 2021
    Inventor: Baldev Krishan
  • Patent number: 10924925
    Abstract: Techniques for secure pairing for devices with Near Field Communications (NFC) tags equipped with authentication are provided. In one aspect a device with a passive near field communication tag including a private key for authentication is provided. The device may send a challenge request to a host device including an active NFC tag via a wireless communication protocol. The challenge request may be combined with a shared secret value known to the device and the host device to create a challenge request seed. The challenge request seed may be combined with the private key to compute a verified challenge request response. A challenge request response may be received from the host device via the wireless communication protocol. The challenge request response and verified challenge request response may be compared to authenticate the host device to the device.
    Type: Grant
    Filed: August 29, 2018
    Date of Patent: February 16, 2021
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventor: Daniel Grobe Sachs
  • Patent number: 10908805
    Abstract: A method of executing an application in a wearable device and a wearable device are disclosed, the method including receiving an input requesting execution of a first application, acquiring time information required to execute the first application in response to the input, and scrolling and displaying a predetermined image in a first direction until the execution of the first application based on the time information.
    Type: Grant
    Filed: May 1, 2018
    Date of Patent: February 2, 2021
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventors: Jin Yoon, Young-joo Park
  • Patent number: 10904255
    Abstract: Disclosed is an electronic device including a storage storing contents, a display, and a processor configured to set one or more access authorities of one or more applications for accessing the contents stored in the storage while the one or more applications is installed, based on detecting at least one application of the one or more applications to access the contents, display, on the display, a message requesting changing at least one access authority of the at least one application of the one or more applications for accessing the contents, and based on an input associated with the message, change the at least one access authority of the at least one application of the one or more applications for accessing the contents.
    Type: Grant
    Filed: April 1, 2020
    Date of Patent: January 26, 2021
    Inventors: Okseon Lee, Yongseok Park, Jinho Lee, Youngki Hong
  • Patent number: 10891139
    Abstract: Technologies are disclosed herein that allow for utilization of firmware specific data through an Advanced Configuration and Power Interface (ACPI) Firmware Identification (FID) table in a computing system. The ACPI FID table can be loaded during a boot of a computer system. The ACPI FID table can be read after an operating system has been loaded on the computer system. Based upon firmware specific data in the ACPI FID table, functionality provided by the application can be restricted. The use of various features provided by the application can be restricted or the application can be restricted from executing entirely. Compatibility between the application and the firmware can be ensured based upon firmware specific data in the ACPI FID table.
    Type: Grant
    Filed: July 27, 2017
    Date of Patent: January 12, 2021
    Assignee: American Megatrends International, LLC
    Inventors: Paul Anthony Rhea, Stefano Righi, Oleksiy Yakovlev
  • Patent number: 10887089
    Abstract: A network node of a mobile communications network may need to generate at least one new Input Offset Value, IOV value, for use in protecting communications between the network node and a mobile station. The network node then associates a fresh counter value with the or each new IOV value; calculates a Message Authentication Code based on at least the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and a constant indicating that the Message Authentication Code is calculated to protect the new IOV value; and transmits the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and the calculated Message Authentication Code to the mobile station.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: January 5, 2021
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Vesa Torvinen, Nicklas Johansson, Atle Monrad, Gang Ren, Mikael Wass, Monica Wifvesson
  • Patent number: 10867056
    Abstract: The disclosure relates to a method and a system for data protection. The system provides a key server and a software sequence executed in a user device. The software sequence renders the method. In the method, a user value associated with a user's registered data in the key server is provided according to the user's input data; a server value is generated by the key server when the key server identifies the user; and a device value is generated according to the hardware information of the user device. The data in the user device can be effectively protected by an encryption process using the user value, the server value and the device value. A data protection mechanism with high-level security can be achieved when the data is protected in the encryption process incorporating the user-related user value, the device-related device value, and the server-related server value.
    Type: Grant
    Filed: January 10, 2018
    Date of Patent: December 15, 2020
    Assignee: IDGATE CORPORATION
    Inventor: Ke-Hsi Hsiang
  • Patent number: 10853501
    Abstract: Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.
    Type: Grant
    Filed: August 30, 2019
    Date of Patent: December 1, 2020
    Assignee: OneTrust, LLC
    Inventor: Jonathan Blake Brannon
  • Patent number: 10846438
    Abstract: A controller includes a host interface and a processor. The host interface is configured for communicating with a host. The processor is configured to receive from the host, via the host interface, instructions for execution in a Non-Volatile Memory (NVM), to identify among the instructions an instruction, which pertains to a secure monotonic counter and is intended for execution in an NVM having a secure monotonic counter embedded therein, and to execute the identified instruction, and respond to the host responsively to the instruction, instead of the NVM.
    Type: Grant
    Filed: July 4, 2019
    Date of Patent: November 24, 2020
    Assignee: NUVOTON TECHNOLOGY CORPORATION
    Inventors: Ziv Hershman, Dan Morav, Moshe Alon