Authentication Of An Entity And A Message Patents (Class 713/170)
-
Patent number: 11184348
Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.
Type: Grant
Filed: June 11, 2019
Date of Patent: November 23, 2021
Assignee: DigiCert, Inc.
Inventor: Kokil Bhalerao
-
Patent number: 11176236
Abstract: According to an example aspect of the present invention, there is provided an apparatus comprising a memory configured to store a user key, a token relating to a resource, the token comprising the user key in encrypted form, and management data received in the apparatus from a server, and at least one processing core configured to participate in an access interaction with the resource, the access interaction being based at least partly on the token and the user key and the access interaction comprising first sending the management data to the resource and then completing the access interaction to access the resource.
Type: Grant
Filed: June 19, 2018
Date of Patent: November 16, 2021
Assignee: Bitwards Oy
Inventor: Jan-Erik Ekberg
-
Patent number: 11170614
Abstract: A method for authenticating a transaction includes replacing a first security value of a transaction device with a second security value; receiving, during a first transaction, the second security value; authenticating the first transaction based at least in part on the second security value; determining that a predetermined number of transactions have occurred during which the second verification value was not rewritten since the second security value was replaced; responsive to determining that the predetermined number of transactions have occurred, replacing the second security value on the transaction device with a third security value; receiving, during a second transaction, the third security value; and authenticating the second transaction based at least in part on the third security value.
Type: Grant
Filed: May 18, 2020
Date of Patent: November 9, 2021
Assignee: Wells Fargo Bank, N.A.
Inventors: Michael Thomas, Jesse Lee, Steve Puffer, Jerome Rhodes
-
Patent number: 11171781
Abstract: This invention relates to personal identity management and verifiable and authenticable methods and systems for mobile personal credentials. A critical problem is knowing the true identity of counterparties while using electronic messaging or conducting online transactions. Existing security measures can be bypassed when identity is presented in electronic form. The inventors address these issues by providing digital ID document in conjunction with data that permits the other party to verify ID. Further, the inventors either link the electronic ID to its physical counterpart or to the actual physical individual presenting the ID. Immutable digital ledger technology, such as blockchain, is used to provide trustworthy authentication of digital identity along with assurance that the identity presented belongs to the individual presenting it.
Type: Grant
Filed: July 20, 2018
Date of Patent: November 9, 2021
Inventor: Sal Khan
-
Patent number: 11170077
Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.
Type: Grant
Filed: March 8, 2019
Date of Patent: November 9, 2021
Assignee: VMWARE, INC.
Inventors: Alok Nemchand Kataria, Achindra Bhatnagar, Sachin Shinde, Martim Carbone, Deep Shah
-
Patent number: 11165573
Abstract: An exemplary method includes maintaining encrypted identity data associated with a user, the encrypted identity data representative of a digital identity of the user, receiving an access request from a service provider system for the service provider system to have access to the digital identity of the user when the user attempts to access a service provided by the service provider system, transmitting, in response to the access request, an authorization request to a computing device associated with the user, the authorization request prompting the user to authorize sharing of the digital identity with the service provider system, receiving, from the computing device, authorization data indicating that the user authorizes sharing of the digital identity with the service provider system, and providing, in response to receiving the authorization data from the computing device, the service provider system with access to the digital identity.
Type: Grant
Filed: March 1, 2019
Date of Patent: November 2, 2021
Assignee: Banco Bilbao Vizcaya Argentaria, S.A.
Inventor: Louis Gasparini
-
Patent number: 11165766
Abstract: A method and computer system for implementing authentication protocol for merging multiple server nodes with trusted platform modules (TPMs) utilizing provisioned node certificates to support concurrent node add and node remove. Each of the multiple server nodes boots an instance of enablement level firmware and extended to a trusted platform module (TPM) on each node as the server nodes are powered up. A hardware secure channel is established between the server nodes for firmware message passing as part of physical configuration of the server nodes to be merged. A shared secret is securely exchanged via the hardware secure channel between the server nodes establishing an initial authentication value shared among all server nodes. All server nodes confirm common security configuration settings and exchange TPM log and platform configuration register (PCR) data to establish common history for future attestation requirements, enabling dynamic changing the server nodes and concurrently adding and removing nodes.
Type: Grant
Filed: August 21, 2018
Date of Patent: November 2, 2021
Assignee: International Business Machines Corporation
Inventors: Timothy R. Block, Elaine R. Palmer, Kenneth A. Goldman, William E. Hall, Hugo M. Krawczyk, David D. Sanner, Christopher J. Engel, Peter A. Sandon, Alwood P. Williams, III
-
Patent number: 11153090
Abstract: An electronic device and method are disclosed. The electronic device includes a communication circuit, a memory storing identifiers for one or more external electronic devices defined as a group, and a processor. The processor implements the method, including receiving biometric information detected by an external biometric detection device via transmission from at least one external electronic device of the group, selecting from within the group a particular external electronic device based on the received biometric information and the information related to the particular external electronic device, and transmitting the received biometric information to the selected particular external electronic device.
Type: Grant
Filed: December 18, 2017
Date of Patent: October 19, 2021
Assignee: Samsung Electronics Co., Ltd.
Inventors: Seon-Hyung Lee, Soon-Hwan Kwon
-
Patent number: 11144773
Abstract: Systems and methods are described, and an example system creates a transaction between a biometric station and a user in a group of users. Transaction includes establishing for the user, a ground-truth identity, capturing an image of the user in the biometric station, making a first determination of whether the image is sufficient for identification of the user. When the image is sufficient, the transaction derives biometric information from the image, converts the biometric information into a generic-form biometric information, agnostic of how the biometric information was obtained, and generates hashed user data by applying a hash function to the generic-form biometric information. The transaction makes a second determination, based on the hashed user data, of whether the user is represented in a gallery of sample images. The transactions are repeated for other users in the group.
Type: Grant
Filed: November 10, 2020
Date of Patent: October 12, 2021
Assignee: The Government of the United States of America, as represented by the Secretary of Homeland Security
Inventor: Arun Vemury
-
Patent number: 11138338
Abstract: A technique includes accessing data representing a plurality of values; and determining a pseudonym value for a given value of the plurality of values. Determining the pseudonym includes encrypting the given value to provide a first encrypted value; encrypting an attribute that is associated with the given value to provide a second encrypted value; and generating the pseudonym value based on the first encrypted value and the second encrypted value.
Type: Grant
Filed: March 20, 2018
Date of Patent: October 5, 2021
Assignee: Micro Focus LLC
Inventors: Timothy Roake, Luther Martin
-
Patent number: 11134100
Abstract: A network device connected via a bus with a plurality of network devices includes: an authentication unit that executes authentication based upon message authentication information included in data transmitted, via the bus, by one of the plurality of network devices acting as a sender device; and a processing unit that invalidates the data upon determining that unauthorized data have been transmitted by the sender device impersonating another network device among the plurality of network devices if the authentication fails.
Type: Grant
Filed: December 27, 2019
Date of Patent: September 28, 2021
Assignee: Hitachi Astemo, Ltd.
Inventor: Satoshi Otsuka
-
Patent number: 11127053
Abstract: Provided is a computer-implemented method for event-based communication and messaging that includes determining general event data associated with an event, determining user data associated with a user based on determining the event data associated with the event, determining pre-event data associated with the event, current event data associated with the event, or post-event data associated with the event based on the general event data associated with the event and the user data associated with the user, determining a current user location of the at least one user, generating at least one message based on the current user location, the at least one message including at least one of the following: pre-event data; current event data; post-event data; or any combination thereof; and communicating the at least one message to a user device of the user. A system and computer program product are also disclosed.
Type: Grant
Filed: November 8, 2018
Date of Patent: September 21, 2021
Assignee: Visa International Service Association
Inventors: John McGuire, Sameer Shiraz Poonja, Osman Alam, William Allan Gajda, Khaled Tlais, Teemu Mattila, Jake Jordan Butler, Ranjiva Prasad
-
Patent number: 11122428
Abstract: A system for transmission data protection includes user equipment (UE) and an access point. The access point sends a broadcast message that carries a public key for encryption. The UE receives and stores the public key for encryption. The UE obtains a global public key or a private key corresponding to the UE, and protects transmission data using the public key for encryption and the global public key or the private key corresponding to the UE.
Type: Grant
Filed: January 2, 2019
Date of Patent: September 14, 2021
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Haiguang Wang, Fei Liu, Xin Kang
-
Patent number: 11122103
Abstract: A method of sharing content by using a personal cloud device and an electronic device and a personal cloud system using the method are provided. The method includes connecting to a personal cloud device configured to share the content with another electronic device, if a new first content is added to a set first folder, determining an upload condition of the electronic device, and if the upload condition satisfies a set condition, transmitting the first content to the personal cloud device. Accordingly, a user is able to share contents between a plurality of electronic devices by using a personal cloud device in real time.
Type: Grant
Filed: August 26, 2019
Date of Patent: September 14, 2021
Assignee: Samsung Electronics Co., Ltd.
Inventors: Bon-hyun Koo, Su-byeong Oh, Kyoung-lae Noh, Ki-eun Shin
-
Patent number: 11106780
Abstract: An electronic device that performs authentication of a user where the electronic device improves the convenience of user authentication that employs an LDAP server. An electronic device is configured to connect and communicate with a server storing a plurality of types of authentication information in association with a user for a plurality of users. The electronic device includes an information cache storage that stores user authentication information that is at least a part of the authentication information stored on the server, and an authentication controller that runs a user authentication process on the basis of authentication information entered by a user, and the authentication information acquired from the server. The authentication controller updates the user authentication information stored in the cache information storage after the user authentication process on the basis of the authentication information entered by the user or the authentication information acquired from the server.
Type: Grant
Filed: January 11, 2019
Date of Patent: August 31, 2021
Assignee: Seiko Epson Corporation
Inventor: Yasuhiro Furuta
-
Patent number: 11095478
Abstract: The present invention discloses an access control method, apparatus, and system, and belongs to the communications field. The method includes: receiving a virtual extensible local area network VXLAN request packet sent by an access device; parsing the VXLAN request packet to obtain an IP address of the access device and authentication information of a user; sending the IP address of the access device and the authentication information of the user to an authentication server, so that the authentication server authenticates the user; receiving an authentication result sent by the authentication server; and controlling the user according to the authentication result. According to the present invention, the user is authenticated according to access information of the user in a VXLAN scenario.
Type: Grant
Filed: August 23, 2018
Date of Patent: August 17, 2021
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: Ying Xie, Xin Wang
-
Patent number: 11082840
Abstract: An automated vehicle parking system uses a driver's authentication device, such as a mobile phone or portable tag, to identify the driver. Vehicle sensing terminals detect when and where a vehicle has parked and send wireless notifications to the vehicle owner's authentication device. The authentication device, the vehicle sensing terminal and a cloud server interact using secure wireless communications to validate the driver's qualifications and record the parking event. Vehicle sensing terminals detect when the vehicle leaves its parking space and the parking system automatically terminates the parking session. The authentication device handles the bulk of the communication with the cloud server to reduce consumption of the vehicle sensing terminal's power supply. The sensing and portable tag devices communicate using secure tokens that are encrypted with unique individual or group keys.
Type: Grant
Filed: August 13, 2019
Date of Patent: August 3, 2021
Assignee: Nwave Technologies, Inc.
Inventor: Yury Birchenko
-
Patent number: 11074574
Abstract: A method for processing transactions of the type including transmission, to a communications terminal, of a receipt relating to a payment transaction during the implementation of this payment transaction by a payment terminal. The method includes, in the payment terminal: obtaining a piece of data representing an end of a transaction; building a data structure according to a piece of data of the transaction, the data structure representing a receipt; transmitting a signal including at least the data structure; subsequently to the step of transmission, finalizing the transaction, including the transmission of a piece of finalizing data to be transmitted to a user.
Type: Grant
Filed: March 30, 2018
Date of Patent: July 27, 2021
Assignee: INGENICO GROUP
Inventors: Stephane Pavageau, Roger Devornique
-
Patent number: 11070671
Abstract: The disclosed embodiments relate to a system that facilitates accessing external servers to process messages during customer-support conversations in an online customer-support system. During operation, the system receives a message from a sender while the message is in transit between the sender and a receiver during a customer-support conversation, wherein the customer-support conversation is between a customer and a responsive entity, and wherein the customer-support conversation relates to an issue the customer has with a product or a service used by the customer. Next, the system feeds the message through a pipeline of processors, wherein each processor in the pipeline is configured to make a call to an associated external server to perform an operation on the message before forwarding the message to a subsequent stage of the pipeline. Finally, when the message finishes transiting the pipeline, the system forwards the message to the receiver.
Type: Grant
Filed: May 12, 2020
Date of Patent: July 20, 2021
Assignee: Zendesk, Inc.
Inventors: Michael Gozzo, Andrew Lavers, Jean-Philippe J. Joyal, Michael J. Spensieri
-
Patent number: 11057187
Abstract: A set of secret, indexed keys is generated and used in requests from a signing entity to a signing server for digital signature of messages. The signing server maintains a counter as well as a hash tree that aggregates requests during a round into a root value that is stored in an append-only data structure in a repository. Each signing entity is associated with a leaf of the hash tree. After a signature is formed, the counter for the requesting signing entity is incremented, whereby the secret key that was used cannot be used again.
Type: Grant
Filed: August 4, 2019
Date of Patent: July 6, 2021
Assignee: Guardtime SA
Inventors: Ahto Buldas, Risto Laanoja, Ahto Truu
-
Patent number: 11048789
Abstract: A method of unlocking a locked device includes receiving a device identifier over a wireless communication protocol, determining if the device identifier is associated with a list of trusted devices, transmitting a request to generate an acoustic signal over the wireless communication protocol based on the determination, receiving the acoustic signal as an audio sound generated external to the locked device, estimating a distance between a source of the audio sound and the locked device, and unlocking the locked device based on the estimation.
Type: Grant
Filed: May 4, 2018
Date of Patent: June 29, 2021
Assignee: Apple Inc.
Inventor: Matthew E. Last
-
Patent number: 11044091
Abstract: An embodiment of an automatic key delivery system is described. An automatic key delivery system comprises the following operations. Herein, a first token is generated and provided to a first network device. Thereafter, a first key value pair, including the first token and a first key segment of a cryptographic key, is received by a first relay server and a second key value pair, including the first token and a second key segment of the cryptographic key, is received from a second relay server. In response, a second token to be provided to the first relay server and the second relay server. Thereafter, the first and second key segment are returned from the first and second relay servers based on usage of the second token as a lookup in order to recover the cryptographic key for decryption of an encrypted content from the first network device.
Type: Grant
Filed: September 12, 2018
Date of Patent: June 22, 2021
Assignee: Secure Channels Inc.
Inventors: Michael R. Feinberg, Richard J. Blech
-
Patent number: 11032708
Abstract: Securing public hotspot communications by: generating a public-private key pair, deriving an SSID using the generated public key, creating a network using the SSID, specifying a network security setting, and providing a Client the SSID and network security settings. Further, by: receiving a network connection request from the Client, establishing a connection with the Client, receiving a probe request from a network access point, sending an authentication message, receiving SSID configuration information from the network access point, associating the SSID network and the network access point, and receiving Client data.
Type: Grant
Filed: September 26, 2018
Date of Patent: June 8, 2021
Assignee: International Business Machines Corporation
Inventors: Chih-Wei Hsiao, Wei-Hsiang Hsiung, Chih-Wen Chao, Sheng Hao Wang
-
Patent number: 11025428
Abstract: Systems and methods are described that enable trusted communications between two entities. In one implementation, a controller of a vehicle may include one or more processors configured to receive data and a controller signature from a second controller of the vehicle. The controller signature may be generated based on at least a first portion of the data. The one or more processors may be further configured to transmit the data and the controller signature to a gateway of the vehicle and receive a gateway signature from the gateway. The gateway signature may be generated based on at least a second portion of the data and transmitted to the controller after the gateway verified the controller signature. In addition, the one or more processors may be configured to verify the gateway signature and process the data.
Type: Grant
Filed: July 17, 2017
Date of Patent: June 1, 2021
Assignee: Neustar, Inc.
Inventor: Brian R. Knopf
-
Patent number: 11025659
Abstract: A method, system and computer-usable medium for using pseudonyms to identify entities and their corresponding security risk factors is disclosed. In certain embodiments, a computer-implemented method for identifying security risks associated with a plurality of different entities is disclosed, wherein the method comprises: receiving a stream of events, the stream of events comprising a plurality of events associated with the plurality of different entities; pseudonymizing events of the plurality of events by replacing entity names in the plurality of events with corresponding entity pseudonyms to thereby provide a plurality of pseudonymized events; executing security analytics operations on the plurality of pseudonymized events to identify user behaviors presenting security risks; and using the entity pseudonyms to anonymously identify entities engaging in security risk related behaviors.
Type: Grant
Filed: October 23, 2018
Date of Patent: June 1, 2021
Assignee: Forcepoint, LLC
Inventors: Kenneth Sarzynski, Phillip Bracikowski
-
Patent number: 11023292
Abstract: Some embodiments of the invention provide a system for defining, distributing and enforcing policies for authorizing API (Application Programming Interface) calls to applications executing on one or more sets of associated machines (e.g., virtual machines, containers, computers, etc.) in one or more datacenters. This system has servers that act as a logically centralized resource for defining and storing policies and parameters for evaluating these policies. The servers enforce these policies and distribute the policies and parameters to policy-enforcing local agents that execute near the applications that process the API calls. From an associated application, a local agent receives API-authorization requests to determine whether API calls received by the application are authorized. In response to such a request, the local agent uses one or more parameters associated with the API call to identify a policy stored in its local policy storage to evaluate whether the API call should be authorized.
Type: Grant
Filed: July 31, 2018
Date of Patent: June 1, 2021
Assignee: STYRA, INC.
Inventors: Timothy L. Hinrichs, Teemu Koponen, Andrew Curtis, Torin Sandall, Octavian Florescu
-
Patent number: 11012424
Abstract: An authentication system and method are provided. According to the embodiments of the present disclosure, it is possible to provide a secure authentication service capable of maintaining personal privacy by enabling authentication while preventing personal information used for personal authentication, such as biometric information, from being exposed in the authentication process.
Type: Grant
Filed: October 26, 2018
Date of Patent: May 18, 2021
Assignee: SAMSUNG SDS CO., LTD.
Inventors: Kyu-Young Choi, Ji-Hoon Cho, Hyo-Jin Yoon, Duk-Jae Moon
-
Patent number: 10999329
Abstract: Disclosed are various examples for enforcing network access permissions on applications that are installed on a client device. A network whitelist or network blacklist can be deployed by a management service onto a managed client device. A management component can facilitate enforcement of the whitelist and/or blacklist to enforce network access rules on installed applications.
Type: Grant
Filed: January 14, 2020
Date of Patent: May 4, 2021
Assignee: VMware, Inc.
Inventors: Gaurav Verma, Suchit Shivashankar, Don Joy
-
Patent number: 10983740
Abstract: User information is obtained, and an access token for receiving provision of a service from a service provider is obtained. The obtained access token is stored in a memory unit in association with the user information. In accordance with an instruction, the service provider is accessed using the access token stored in the memory unit, and a function corresponding to the instruction is executed.
Type: Grant
Filed: February 16, 2018
Date of Patent: April 20, 2021
Assignee: Canon Kabushiki Kaisha
Inventor: Nobuyuki Tonegawa
-
Patent number: 10986150
Abstract: The disclosed technology teaches distributed routing and load balancing in a dynamic service chain: receiving and processing a packet, with added header including stream affinity code, at a first service instance and based on processing determining a second service, among available services, that should next handle the packet. The technology teaches accessing a flow table using the stream affinity code in the header to select a service instance performing the second service in the service chain, and routing the packet to the second service instance upon egress from the first service instance. When the flow table lacks an entry for the second service corresponding to the stream affinity code, the disclosed technology teaches accessing a consistent hash table of service instances performing the second service, selecting an available instance, and updating the flow table to specify the second service instance as providing the second service for packets sharing the header.
Type: Grant
Filed: March 2, 2020
Date of Patent: April 20, 2021
Assignee: Netskope, Inc.
Inventors: Ravi Ithal, Umesh Bangalore Muniyappa
-
Patent number: 10979403
Abstract: A system and method for providing data such as credentials to a third-party service while protecting the data from being transmitted to unintended locations. The system receives a first request containing encrypted data and information identifying the third-party service, validates that the first request is to be transmitted to the third-party service, generates a second request by replacing the encrypted data from the first request with unencrypted data, and transmits the second request to the third-party service.
Type: Grant
Filed: June 8, 2018
Date of Patent: April 13, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Dan Mutescu, Cristi Ursachi
-
Patent number: 10972283
Abstract: A system, method, and computer program product are provided for implementing zero round trip secure communications based on a noisy secret. In operation, a sender system utilizes a randomly generated message key for encrypting a message to send to a receiver system. The sender system selects a plurality of different sub-keys from a negotiated noisy secret to encrypt the randomly generated message key. The sender system encrypts the message utilizing the randomly generated message key. The sender system sends the encrypted message, all encrypted message keys, and a message MAC that is calculated and added for every sub-key, to the receiver system such that the receiver system is able to perform a MAC-based verification to test sub-key validity of the plurality of different sub-keys.
Type: Grant
Filed: March 13, 2019
Date of Patent: April 6, 2021
Assignee: DIGITAL 14 LLC
Inventors: Serguei Velikevitch, Alexander Sherkin
-
Patent number: 10936720
Abstract: A method for reliable computation of a program P includes generating, by a verifier, a public verification key vkp and a public evaluation key (ekp), both on a basis of the program P, providing, by the verifier, a number N at random and sending the number N to the at least one provider, producing, by the at least one provider, at least one output Si concatenated with N and producing a signature σi over a corresponding input into the at least one provider and/or corresponding data within the at least one provider, both the input and/or the data signed under a secret key ski, so that a pair of output and signature (Si, σi) is transmitted to the computing unit. The verifier verifies the proof πy using the public verification key vkp and rejects y, if the proof verification fails.
Type: Grant
Filed: July 10, 2015
Date of Patent: March 2, 2021
Assignee: NEC CORPORATION
Inventors: Sebastian Gajek, Francesco Alesiani
-
Patent number: 10931667
Abstract: Systems and methods involving a user authentication system for granting access to digital systems and content, computing systems and devices and physical locations. The authentication system granting access to digital systems and content involves a mobile device, a computing device and a server. The authentication system granting access to computing systems and devices and physical locations involves a mobile device, an interface device, a secure system and a server. The authentication systems described permit a user to access digital systems and content, computing systems and devices and physical locations using only the user's mobile device. The mobile device runs mobile application that performs the authentication functionality using biometric data obtained on the mobile device. The authentication data is stored on the mobile device in an encrypted format and is not shared with the other devices in the authentication system.
Type: Grant
Filed: August 30, 2018
Date of Patent: February 23, 2021
Inventor: Baldev Krishan
-
Patent number: 10924925
Abstract: Techniques for secure pairing for devices with Near Field Communications (NFC) tags equipped with authentication are provided. In one aspect a device with a passive near field communication tag including a private key for authentication is provided. The device may send a challenge request to a host device including an active NFC tag via a wireless communication protocol. The challenge request may be combined with a shared secret value known to the device and the host device to create a challenge request seed. The challenge request seed may be combined with the private key to compute a verified challenge request response. A challenge request response may be received from the host device via the wireless communication protocol. The challenge request response and verified challenge request response may be compared to authenticate the host device to the device.
Type: Grant
Filed: August 29, 2018
Date of Patent: February 16, 2021
Assignee: MOTOROLA SOLUTIONS, INC.
Inventor: Daniel Grobe Sachs
-
Patent number: 10908805
Abstract: A method of executing an application in a wearable device and a wearable device are disclosed, the method including receiving an input requesting execution of a first application, acquiring time information required to execute the first application in response to the input, and scrolling and displaying a predetermined image in a first direction until the execution of the first application based on the time information.
Type: Grant
Filed: May 1, 2018
Date of Patent: February 2, 2021
Assignee: SAMSUNG ELECTRONICS CO., LTD.
Inventors: Jin Yoon, Young-joo Park
-
Patent number: 10904255
Abstract: Disclosed is an electronic device including a storage storing contents, a display, and a processor configured to set one or more access authorities of one or more applications for accessing the contents stored in the storage while the one or more applications is installed, based on detecting at least one application of the one or more applications to access the contents, display, on the display, a message requesting changing at least one access authority of the at least one application of the one or more applications for accessing the contents, and based on an input associated with the message, change the at least one access authority of the at least one application of the one or more applications for accessing the contents.
Type: Grant
Filed: April 1, 2020
Date of Patent: January 26, 2021
Inventors: Okseon Lee, Yongseok Park, Jinho Lee, Youngki Hong
-
Patent number: 10891139
Abstract: Technologies are disclosed herein that allow for utilization of firmware specific data through an Advanced Configuration and Power Interface (ACPI) Firmware Identification (FID) table in a computing system. The ACPI FID table can be loaded during a boot of a computer system. The ACPI FID table can be read after an operating system has been loaded on the computer system. Based upon firmware specific data in the ACPI FID table, functionality provided by the application can be restricted. The use of various features provided by the application can be restricted or the application can be restricted from executing entirely. Compatibility between the application and the firmware can be ensured based upon firmware specific data in the ACPI FID table.
Type: Grant
Filed: July 27, 2017
Date of Patent: January 12, 2021
Assignee: American Megatrends International, LLC
Inventors: Paul Anthony Rhea, Stefano Righi, Oleksiy Yakovlev
-
Patent number: 10887089
Abstract: A network node of a mobile communications network may need to generate at least one new Input Offset Value, IOV value, for use in protecting communications between the network node and a mobile station. The network node then associates a fresh counter value with the or each new IOV value; calculates a Message Authentication Code based on at least the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and a constant indicating that the Message Authentication Code is calculated to protect the new IOV value; and transmits the at least one new IOV value, the fresh counter value associated with the or each new IOV value, and the calculated Message Authentication Code to the mobile station.
Type: Grant
Filed: June 2, 2017
Date of Patent: January 5, 2021
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Vesa Torvinen, Nicklas Johansson, Atle Monrad, Gang Ren, Mikael Wass, Monica Wifvesson
-
Patent number: 10867056
Abstract: The disclosure relates to a method and a system for data protection. The system provides a key server and a software sequence executed in a user device. The software sequence renders the method. In the method, a user value associated with a user's registered data in the key server is provided according to the user's input data; a server value is generated by the key server when the key server identifies the user; and a device value is generated according to the hardware information of the user device. The data in the user device can be effectively protected by an encryption process using the user value, the server value and the device value. A data protection mechanism with high-level security can be achieved when the data is protected in the encryption process incorporating the user-related user value, the device-related device value, and the server-related server value.
Type: Grant
Filed: January 10, 2018
Date of Patent: December 15, 2020
Assignee: IDGATE CORPORATION
Inventor: Ke-Hsi Hsiang
-
Patent number: 10853501
Abstract: Data processing systems and methods, according to various embodiments, are adapted for efficiently processing data to allow for the streamlined assessment of risk ratings for one or more vendors. In various embodiments, the systems/methods may use one or more particular vendor attributes (e.g., as determined from scanning one or more webpages associated with the particular vendor) and the contents of one or more completed privacy templates for the vendor to determine a vendor risk rating for the particular vendor. As a particular example, the system may scan a website associated with the vendor to automatically determine one or more security certifications associated with the vendor and use that information, along with information from a completed privacy template for the vendor, to calculate a vendor risk rating that indicates the risk of doing business with the vendor.
Type: Grant
Filed: August 30, 2019
Date of Patent: December 1, 2020
Assignee: OneTrust, LLC
Inventor: Jonathan Blake Brannon
-
Patent number: 10846438
Abstract: A controller includes a host interface and a processor. The host interface is configured for communicating with a host. The processor is configured to receive from the host, via the host interface, instructions for execution in a Non-Volatile Memory (NVM), to identify among the instructions an instruction, which pertains to a secure monotonic counter and is intended for execution in an NVM having a secure monotonic counter embedded therein, and to execute the identified instruction, and respond to the host responsively to the instruction, instead of the NVM.
Type: Grant
Filed: July 4, 2019
Date of Patent: November 24, 2020
Assignee: NUVOTON TECHNOLOGY CORPORATION
Inventors: Ziv Hershman, Dan Morav, Moshe Alon
-
Patent number: 10841103
Abstract: Aspects of the technology described herein enable a client device to access a web service in a claims-based identity environment through an Internet Protocol (IP) address, rather than the web service's domain name service (DNS). In a claims-based identity environment, a client device will authenticate a relying party's server SSL certificate before providing the token to the relying party by following an authentication process. Current authentication processes include a name-chaining operation, which compares a subject field of a token provided with the Uniform Resource Identifier (URI) used to request the resource (e.g., RP application). When the IP address is used as the URI, then the URI in the certificate will not match the URI in the request and the authentication will fail. Accordingly, aspects of the technology use an alternative authentication method that allows access to a web service through an IP address, when the default client-side token validation is DNS-name based.
Type: Grant
Filed: March 16, 2018
Date of Patent: November 17, 2020
Inventors: Chandan R. Reddy, Kahren Tevosyan, Hieu Trung Nguyen
-
Patent number: 10831934
Abstract: An embodiment includes an apparatus comprising: an out-of-band cryptoprocessor coupled to secure non-volatile storage; and at least one storage medium having firmware instructions stored thereon for causing, during runtime and after an operating system for the apparatus has booted, the cryptoprocessor to (a) store a key within the secure non-volatile storage, (b) sign an object with the key, while the key is within the cryptoprocessor, to produce a signature, and (c) verify the signature. Other embodiments are described herein.
Type: Grant
Filed: September 19, 2017
Date of Patent: November 10, 2020
Assignee: Intel Corporation
Inventors: Vincent J. Zimmer, Nicholas J. Adams, Giri P. Mudusuru, Lee G. Rosenbaum, Michael A. Rothman
-
Patent number: 10831391
Abstract: Embodiments are described for performing file restores from remote high-latency storage tiers by reading available data from a local low-latency tier in a deduplication appliance. A request to restore a previously segmented and deduplicated file can be received by a storage appliance from an application, each segment having a fingerprint. The name of the file can be looked up in an index on the storage appliance, and a first batch of fingerprints of segments of the file can be retrieved from the index. Each fingerprint can be looked up in metadata in the index to determine whether the segment corresponding to the fingerprint is available locally and therefore need not be retrieved locally. A list of local and remote prefetch segments is generated, and a prefetch request is generated for each list, if non-empty. Use of the prefetch scheme can be dynamically turned on or off.
Type: Grant
Filed: April 27, 2018
Date of Patent: November 10, 2020
Assignee: EMC IP HOLDING COMPANY LLC
Inventors: Nitin Madan, Srikant Viswanathan, Kedar Godbole, Kalyan C. Gunda, Kalidas Balakrishnan
-
Patent number: 10834120
Abstract: Systems, methods, and software described herein provide security actions based on related security threat communications. In one example, a method of operating an advisement system includes identifying a security threat within the computing environment, wherein the computing environment comprises a plurality of computing assets. The method further provides obtaining descriptor information for the security threat, and retrieving related communication interactions based on the descriptor information. The method also includes generating a response to the security threat based on the related communication interactions.
Type: Grant
Filed: September 29, 2015
Date of Patent: November 10, 2020
Assignee: Splunk Inc.
Inventors: Sourabh Satish, Oliver Friedrichs, Atif Mahadik, Govind Salinas
-
Patent number: 10831460
Abstract: A method of administering a computing system, including a plurality of computing devices. The method includes selecting an application for download to a computing device, prior to downloading the application, decompiling the application, searching for string patterns in the decompiled application, replacing the string patterns in the decompiled application with another string pattern, the another string pattern being configured to intercept at least one of a system event or an Application Programming Interface (API) call, and associating logic with the application. The logic is configured to interact with the application via the at least one system event or API call, the logic is configured to provide additional functions to the application, the logic is configured to be shared between the application and at least one other application, and the logic is stored separate from the application.
Type: Grant
Filed: October 22, 2018
Date of Patent: November 10, 2020
Assignee: BMC Software, Inc.
Inventors: Adam Charles Cooper, George Thucydides, Geoffrey Ross Mair, Caleb Peter Buxton
-
Patent number: 10824731
Abstract: A secure Basic Input/Output System (BIOS) attribute system includes a secure server system coupled to a computing device through a network. The computing device receives a first BIOS attribute modification request, and authenticates the first BIOS attribute modification request using a first certificate that was previously stored in the computing device in response to validating the first certificate based on a key provided by the secure server system. In response to authenticating the first BIOS attribute modification request using the first certificate, the computing device modifies at least one BIOS attribute stored in the computing device.
Type: Grant
Filed: May 4, 2018
Date of Patent: November 3, 2020
Assignee: Dell Products L.P.
Inventors: Wei G. Liu, William Carl Munger
-
Patent number: 10819503
Abstract: An example operation may include one or more of joining, by a host device, a blockchain managed by one or more devices on a decentralized network, the blockchain is configured to use one or more smart contracts that specify transactions among a plurality of end-users, creating on the blockchain the smart contract defining authentication parameters for an authentication of an end-user from the plurality of the end-users, executing the smart contract to perform the authentication of the end-user associated with a transaction based on the authentication parameters by generating an authentication challenge for the transaction, and recording an authentication log produced by the authentication challenge into a metadata of a transaction payload for analytics.
Type: Grant
Filed: July 3, 2018
Date of Patent: October 27, 2020
Assignee: International Business Machines Corporation
Inventors: Karthik Nandakumar, Nalini K. Ratha, Sharathchandra Pankanti
-
Patent number: 10798082
Abstract: This application relates to the field of communications technologies, and discloses a network authentication triggering system, method and a related device. The method includes: receiving a first message from a terminal, where the first message carries first identity information and identifier information, the first identity information is encrypted identity information, and the identifier information is used to identify an encryption manner of the first identity information; and sending a second message to a first security function entity, where the second message is used to trigger authentication for the terminal, and the second message carries the identifier information. This application provides a solution of triggering an authentication process when identity information is encrypted.
Type: Grant
Filed: April 18, 2019
Date of Patent: October 6, 2020
Assignee: HUAWEI TECHNOLOGIES CO., LTD.
Inventors: He Li, Jing Chen, Huan Li, Yizhuang Wu