Abstract: Binding a public cloud account and a personal cloud account is described. A pre-approval list indicates that a user's public cloud account and personal cloud account are approved for binding. A copy of the pre-approval list is stored on the personal cloud device; another copy is stored on the public cloud service. The user logs into the public cloud account using a client device. Based on the pre-approval list stored on the public cloud service, the client device obtains information identifying the user's personal cloud account. The personal cloud device verifies the pre-approval of the binding based on the pre-approval list stored on the personal cloud device. The personal cloud device transmits a verification to the public cloud service. Each of the public cloud service and the personal cloud device stores information indicating the binding.

Abstract: Methods and systems for serving advertisement objects on an advertising platform are disclosed. The advertising platform detects invalid activity related to advertisement objects served in response to a request, and identifies a source associated with the invalid activity. In response to detection of the invalid activity, at least one decoy advertisement object is served in response to further requests originating from the identified source. The decoy advertisement object is an advertisement object that is processed by the advertising platform differently from regular advertisement objects that are served by the advertising platform in response to requests from other sources.

Abstract: Systems and methods for a publish-subscribe broker network that distributes data packets between authorized entities and includes one or more publish-subscribe brokers. Each publish-subscribe broker is reachable by an entity attempting to connect thereto via a transport network configured to transport IP packets. The publish-subscribe brokers are configured to check credentials of entities attempting to connect to the publish-subscribe broker network and ensure that first and second entities are authorized for publishing packets on the secured named channel or for receiving published packets via the secured named channel. Cipher keys are used by the first and second authorized entities to encrypt and decrypt messages distributed via the publish-subscribe broker network and the publish-subscribe brokers are configured to route encrypted messages as data packets on behalf of the first authorized entity to the second authorized entity using the secured named channel.

Abstract: A method, system, and apparatus for managing digital certificates, managing a certificate authority (CA), and cross-referencing CA hierarchies. The method includes receiving, by a processor of a CA computing system, at least one of a digital certificate generation request and a digital certificate revocation from a user via a user computing device, the digital certificate generation request including a user public key and a user identity. The method further includes generating a digital certificate for the user and signing the digital certificate with a CA private key, wherein the CA private key is associated with a known CA public key. The method further includes publishing the digital certificate signed with the CA private key to a digital certificate blockchain, determining a certificate status of the digital certificate, and publishing an update to the digital certificate blockchain to reflect the certificate status of the digital certificate.

Abstract: Systems and methods of an internet of things device connecting to a remote server. The internet of things device connects to a web target. The web target sends a response to the internet of things device indicating whether a change to the one or more settings of the internet of things device has been received at a cloud server. If a change has occurred, the internet of things device connects to a secure cloud server to update the settings on the internet of things device.

Abstract: A client can allocate and reassociate unique identifiers to local content items associated with an account at a content management system, and use the unique identifiers to commit operations for the content items on the content management system. For example, a client can create a content item and determine the content item does not have an identifier from the content management system. The client obtains an identifier for the content item and asks the content management system to verify a uniqueness of the identifier. When the identifier is unique, the client adds a node corresponding to the content item to a local tree representing a state at the client of content items associated with the account, and uploads the content item with the identifier to the content management system. When the identifier is not unique, the client obtains a new identifier for the content item.

Abstract: A method of a wireless private gateway securely obtaining a communication link to another wireless private gateway is provided. The method comprises transmitting a request for a first partial identifier of a relay wireless private gateway by an application executing on a first wireless private gateway to a second wireless private gateway, receiving the first partial identifier, transmitting a request for a second partial identifier of the relay wireless private gateway to a third wireless private gateway, receiving the second partial identifier, concatenating the first partial identifier and the second partial identifier to form a complete identifier of the relay wireless private gateway by the application, and transmitting a request to establish a communication link with the relay wireless private gateway by the application to the relay wireless private gateway, wherein the request to establish the communication link comprises the complete identifier of the relay wireless private gateway.

Abstract: Described herein are systems and techniques for privacy-preserving unsupervised learning. The disclosed system and methods can enable separate computers, operated by separate entities, to perform unsupervised learning jointly based on a pool of their respective data, while preserving privacy. The system improves efficiency and scalability, while preserving privacy and avoids leaking a cluster identification. The system can jointly compute a secure distance via privacy-preserving multiplication of respective data values x and y from the computers based on a 1-out-of-N oblivious transfer (OT). In various embodiments, N may be 2, 4, or some other number of shares. A first computer can express its data value x in base-N. A second computer can form an ×N matrix comprising random numbers mi,0 and the remaining elements mi,j=(yjNi-mi,0) mod . The first computer can receive an output vector from the OT, having components mi=(yxi Ni-mi,0) mod .

Abstract: Systems and methods for enabling Media Access Control Security (MACsec) at a MAC layer, according to IEEE 802.1AE, and extending MACsec are provided. An edge device, according to one implementation, includes one or more User-to-Network Interface (UNI) ports and a plurality of Network-to-Network Interface (NNI) ports. The edge device also includes a processing device and a memory device configured to store a computer program having instructions. The instructions, when executed, allow the processing device to provide network security on a Media Access Control (MAC) layer, the network security defined by the MAC Security (MACsec) protocol. The instructions also allow the processing device to provide network path protection by enabling packet routing over multiple paths via the plurality of NNI ports on a network layer.

Abstract: In certain embodiments, shares related to an output of a function having multiple shares of a secret as input may be computed. In some embodiments, with respect to initial key shares of a key that are collectively held by multiple parties, an output of an arithmetic function (performed on an initial key share of the initial key shares) may be received from each of the multiple parties. The outputs from the multiple parties may be provided as input for a Multi-Party Computation (MPC) process, where the MPC process outputs final key shares in connection with the outputs from the multiple parties being provided as input for the MPC process. With respect to each party of the multiple parties, a final key share of the final key shares may be sent to the party.

Abstract: Features for providing a secure method of symmetric encryption for private smart contacts among multiple parties in a private peer-to-peer network. The features include a master key representing a unique blockchain ledger. The master key may be shared among multiple participants in a private peer-to-peer network. Sharing of the master key may include communicating the master key in an encrypted message (e.g., email) using public key infrastructure (PKI). In some implementations, more complex distribution features may be includes such as quantum entanglement. The features support instantiation of a smart contract using a specific master key. The request may be submitted as an entry to the ledger with appropriate metadata and/or payload information for identifying and processing the request.

Abstract: A method including determining, by a user device, an assigned key pair including an assigned public key and an associated assigned private key; determining, for content to be encrypted, an access key pair including an access public key and an associated access private key; encrypting the access private key by utilizing the assigned public key; encrypting a randomly generated key by utilizing the access public key; and encrypting content utilizing the randomly generated key. Various other aspects are contemplated.

Abstract: The disclosed systems can regulate access to an online mode for a dynamic transportation matching system. For example, based on a provider efficiency parameter associated with the dynamic transportation matching system, the disclosed systems can prevent a transportation provider device from switching to the online mode within a geographic area. In addition, the disclosed systems can detect a pattern of behavior and, based on a comparison between the pattern of behavior and a behavioral threshold, cause a transportation provider device to switch from the online mode to an offline mode. Further, the disclosed systems can provide a map interface that indicates where a transportation provider device can switch from the offline mode to the online mode. Additionally, the disclosed systems can determine priorities associated with transportation provider devices and, based on the prioritization, selectively allow the transportation provider devices to switch from the offline mode to the online mode.

Abstract: An example operation may include one or more of marking a document, by a user node, to be included into a collection of documents, determining, by the user node, a business process step associated with the document based on a user mark, and executing a transaction to store a hash of the document onto a ledger of a blockchain, wherein a Merkle tree hash is generated and tagged on the ledger with details of the business process step.

Abstract: According to one embodiment, a wireless communication device includes: a receiver that configured to receives a first frame; and a transmitter that configured to transmits a second frame including a first identifier and acknowledgement information on the first frame, the first identifier being extracted from a predetermined field of the first frame and being different from a source address of the first frame.

Abstract: Various embodiments provide a method and an apparatus for determining a trust status of a TPM, and a storage medium, and pertains to the field of data security technologies. In those embodiments, a verifier send an unsealing request to a host, so that the host unseals current PCR values in the TPM based on a seal key handle carried in the unsealing request, and sends verification information to the verifier based on the unseal verification key obtained after the unsealing. Therefore, any verifier that establishes an encrypted channel with the host can determine the trust status of the TPM in the host based on a second verification key transmitted on the encrypted channel, and there is no need to pre-deploy a remote attestation server to determine the trust status of the TPM.

Abstract: There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over hypertext transfer protocol secure (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.

Abstract: A system/method for secure communication between client devices includes receiving a request, at a secure communication platform, from a from a first client device to communicate with a second client device; determining, by the secure communication platform, whether the first client device is permitted to communicate with the second client device; if communication is permitted: generating, by the secure communication platform, a one-time use ephemeral key; transmitting, by the secure communication platform, the generated one-time use ephemeral key to the first and second client devices; establishing, by the secure communication platform, a secure communication session directly between the first and second client devices, wherein communications between the first and second client devices are encrypted and decrypted using the one-time use ephemeral key; and destroying, by the secure communication platform, the one-time use ephemeral key upon termination of the secure communication session between the first and

Abstract: Systems and methods for encrypted storage device telemetry data are described. Storage device telemetry data may be collected for a telemetry message, such as a non-volatile memory express (NVMe) telemetry command, and encrypted using a first encryption key. The first encryption key may be encrypted using one or multiple second encryption keys and the encrypted first encryption key may be added to the telemetry message. A client system may receive the telemetry message, decrypt the encrypted first encryption key, and use the first encryption key to decrypt the encrypted storage device telemetry data.

Abstract: A method for integrating third-party encryption managers with cloud services includes receiving, at data processing hardware, an operation request requesting a cryptographic operation on data comprising an encryption operation or a decryption operation. When the operation is an encryption operation, the method includes transmitting a data encryption key associated with the data to a remote entity. The remote entity encrypts the data encryption key with a key encryption key and transmits the encrypted data encryption key to the data processing hardware. When the operation is a decryption operation, the method includes transmitting the encrypted data encryption key to the remote entity which causes the remote entity to decrypt the encrypted data encryption key with the key encryption key and transmit the decrypted data encryption key and transmit to the data processing hardware.

Abstract: A method, apparatus and computer program product are provided for encrypting and decrypting data using multiple authority keys including receiving, from a first computing device, a data decrypt request to decrypt encrypted data, the data decrypt request comprising a user key, determining that the user key is associated with a key hierarchy that comprises a server key, decrypting the server key using the user key, decrypting the encrypted data using the decrypted server key and permitting access to the decrypted data by the first computing device.

Abstract: In embodiments of the present disclosure, there is provided an approach for connecting an access point (AP) to a mesh network. According to embodiments of the present disclosure, an AP in a recovery mode transmits its identity information to a mesh portal (MPP) in the mesh network via an unsecured connection between the AP and the MPP. Upon a successful verification by the MP, the AP establishes a secured connection with a trusted server to obtain configuration information. The configuration information is used by the AP to establish a mesh link with an MPP or MP in the mesh network automatically. Accordingly, the AP switches from the recovery mode to a normal mode. Embodiments of the present disclosure provide an effective way for deploying and/or recovering an AP in a mesh network, which is more secure and requires no manual operation.

Abstract: This technology uses a bootstrap key (“BSK”) to securely onboard a computing device to a network. A unique BSK associated with an onboarding computing device is used to verify for various deployment models (1) that the computing device has proof the computing device is connecting to the correct wired or wireless network and (2) that the network has proof the computing device is trusted. The BSK may be an associated BSK or an embedded BSK. A computing device receives a signed voucher from the manufacturer authorized signing authority (“MASA”) before the computing device may onboard to a network. The MASA will issue a voucher to a Bootstrapping Remote Secure Key Infrastructure (“BRSKI”) registrar if the registrar proves knowledge of the computing device's BSK to the MASA or the registrar has an established trust relationship with the MASA.

Abstract: A vehicle includes: at least one memory configured to store at least one default Instruction Structure Key (ISK), a generated ISK, and a pin code of the vehicle; and at least one processor. The at least one default ISK may include a first default ISK and a second default ISK. The processor may generate a random number using the first default ISK, receive the second default ISK encrypted with the generated ISK generated based on the pin code, and determine the generated ISK as an encryption key for encryption communication of the vehicle when the generated random number and the random number corresponding to the second default ISK are the same.

Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.

Abstract: At least a static analysis and a dynamic analysis to perform for a first software application are determined based, at least in part, on a profile of the first software application. The first software application is analyzed with the static analysis to generate static analysis results. The first software application is analyzed with dynamic analysis to generate dynamic analysis results. An assessment report is generated based on the static analysis results and the dynamic analysis results, wherein the assessment report indicates a security score of the first software application that is based, at least in part, on the static analysis results and the dynamic analysis results.

Abstract: A method includes establishing a multi-link security association between a transmitter upper Media Access Control (MAC) logic entity of a transmitter and a receiver upper MAC logic entity of a receiver. The transmitter includes one or more transmitter links. The receiver includes one or more receiver links.

Abstract: A method for secure key exchange. The method comprises receiving a request to certify a key from a communication partner at an interface between an access and tamper resistant circuit block and exposed circuitry. Within the access and tamper resistant circuit block, a first random private key is generated. A corresponding public key of the first random private key is derived, and a cryptographic digest of the public key and attributes associated with the first random private key is generated. The generated cryptographic digest is signed using a second random private key that has been designated for signing by one or more associated attributes. The public key and the signature are then sent to the communication partner via the interface.

Abstract: A method for hosted payload operations comprises transmitting, by a hosted payload (HoP) operation center (HOC), encrypted hosted commands to a host spacecraft operations center (SOC). The method further comprises transmitting, by the host SOC, encrypted host commands and the encrypted hosted commands to a vehicle. Also, the method comprises reconfiguring a host payload according to unencrypted host commands, and reconfiguring a hosted payload according to unencrypted hosted commands. Additionally, the method comprises transmitting host payload data to a host receiving antenna. Also, the method comprises transmitting hosted payload data to a hosted receiving antenna and/or the host receiving antenna. Additionally, the method comprises transmitting, by a host telemetry transmitter, encrypted host telemetry to the host SOC; and transmitting, by a hosted telemetry transmitter, encrypted hosted telemetry to the host SOC.

Abstract: Embodiments of the invention introduce efficient methods for securely generating a cryptogram by a user device, and validating the cryptogram by a server computer. A secure communication can be conducted whereby a user device provides a cryptogram without requiring the user device to persistently store an encryption key or other sensitive data used to generate the cryptogram. The user device and server computer can mutually authenticate and establish a shared secret. Using the shared secret, the server computer can derive a session key and transmit key derivation parameters encrypted using the session key to the user device. The user device can derive the session key using the shared secret, decrypt the encrypted key derivation parameters, and store the key derivation parameters. Key derivation parameters and the shared secret can be used to generate a single use cryptogram key, which can be used to generate a cryptogram for conducting secure communications.

Abstract: A computer-implemented system and method for secure authentication of IoT devices are disclosed. The method for secure authentication of IoT devices comprises establishing a network connection with a network operator server via a control channel, establishing identity of the network operator server using a pre-shared server key from one or more of pre-shared server keys, establishing identity of the IoT device using a pre-shared client key from one or more of pre-shared client keys and cryptographically generating a session key for a network session to allow secure data exchange between the network operator server and the IoT device. The cryptographically generated session key is used for securely authenticating application running on the authenticated IoT device.

Abstract: A communication apparatus can act as a proxy to perform communication with a plurality of other communication apparatuses by receiving a request from a client apparatus in a network in compliance with the Neighbor Awareness Networking standard, and includes a first reception unit configured to receive, from a first other communication apparatus, a first signal for service provision notification, a second reception unit configured to receive, from the first other communication apparatus, a second signal for service provision notification, and a third reception unit configured to receive, from a second other communication apparatus, a third signal for service provision notification. In addition, a notification unit notifies the client apparatus of information related to the first other communication apparatus and information related to the second other communication apparatus together in a case where the first signal, the second signal, and third signal are received.

Abstract: One disclosure in the present specification provides a session management method performed by a session management function (SMF) node. The session management method may comprise: a step of transmitting, to a user plane function (UPF) node, a request message for discarding traffic buffering, when a notification of the detection of particular traffic associated with a wireless device has been received, and if additional authentication is required for the particular traffic; and a step of transmitting a message for triggering the wireless device to establish a new packet data unit (PDU) session, to an access and mobility management function (AMF) node.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for establishing a proof of storage over a specified period of time.

Abstract: A system and method are provided for generating access tokens on a user device rather than via a remote server computer. An access token can be generated on a second user device by combining and encrypting, with format preservation, a primary access identifier, variable value, and salt. The resulting value can be provided to a first user device that can subsequently can provide the access token to an access device as part of an interaction. The access device can generate an authorization request message that comprises the access token and transmit it to a remote server computer for processing. The remote server computer can process the access token to determine the primary access identifier despite not being involved in the generation of the access token, providing an improvement over conventional tokenization methods.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a computing device, which allows in-network and network-border protection for Internet of things (IoT) devices by securely partitioning network space and defining service-based access to IoT devices. The disclosed segmented attack prevention system for IoT networks (SAPSIN) segments the IoT network into two virtual networks: a service network and a control network; and define access control rules for each virtual network. In the service network, SAPSIN utilizes a service-based approach to control device access, allowing only configured protocol, applications, network ports, or address groups to enter or exit the network. In control network, the SAPSIN provides the access control rules by defining a threshold for the number of configuration requests within a predetermined time. As a result, SAPSIN protects IoT devices against intrusion and misuse, without the need for device-specific software or device-specific security hardening.

Abstract: A method for seamlessly and automatically granting tailored permission for use and transference of internet data between databases with comprehensive consent is described. The method employs a graph language such as JSON-LD to integrate and employ cryptographically signed Information Sharing Agreements (ISA) between parties. Data is serialized to be easily transferred between databases when appropriate permission is obtained. Granular data exchange under usage control contacts can be automated among any number of parties on the internet. As such, the method provides a means by which users may control not only what may be done with their data, but to what entity or entities the data may be transferred. Advertisements may then be served to the user according to his or her preferences as defined within a web or desktop app, which is then applied to all related ad publishers publishing to the domains visited by the user.

Abstract: A method that includes obtaining threat model data associating at least one actor with an application. The at least one actor being capable of taking advantage of at least one potential vulnerability associated with the application. The method includes associating at least one technology with the at least one potential vulnerability based at least in part on the at least one actor, formulating a test based at least in part on the at least one technology, instructing a processor to perform the test on the application, and receiving results from the processor after performance of the test.

Abstract: An authentication unit of an information processing apparatus authenticates an update control device that controls update of a control program by using a random number generated by a random number generation unit. In the random number generation unit, a first extraction unit extracts a bit value from a count value of a first clock signal, a calculation unit performs logical operation on the bit value extracted by the first extraction unit and a target bit value at a bit position included in an entropy as an update position that is designated, a replacement unit replaces the bit value at the update position with a result of the logical operation a position designation unit designates a new update position after the bit value is replaced, and an output unit generates the random number from the entropy.

Abstract: An encrypted sequence that includes an authentication key may be received. A base key stored at a device may be identified and the encrypted sequence may be decrypted with the base key to obtain the authentication key. A challenge value may be received and the authentication key may be combined with the challenge value to generate a device ephemeral key. An authentication result may be generated for the device based on a combination of the device ephemeral key and the challenge value. Furthermore, the authentication result may be transmitted to a mobile network to authenticate the device.

Abstract: Disclosed are an electronic device and a method for controlling same. A method for controlling an electronic device according to the present disclosure comprises: a step of obtaining a program which shares data about an advertisement with another electronic device so as to verify the shared data; a step of, when an event for the advertisement occurs, generating first data including information about the event for the advertisement; a step of transmitting the generated first data to the other electronic device; a step of receiving second data including information about an event from the advertisement generated from the other electronic device; and a step of verifying the second data using the program.

Abstract: A network entity may determine whether a network context of a device is stored in the device or in the network based, at least in part, on a preference or capability of the device, as reported by the device during attachment to the network entity. The context may be stored in, and retrieved from, a dedicated context storage function that is independent of the network entity. A context storage function may be partitioned, or separate storage functions used, to automatically group and track access network contexts, core network contexts, or network slice contexts. The context storage function may provide to the device an index, such as a link or other identifier to be used in retrieving the stored context information. The context storage function may further provide a token to secure re-attachment communications among the device, the network entity, and the context storage function.

Abstract: A communication terminal (10) includes control means for generating a subscription concealed identifier (SUCI) including a subscription permanent identifier (SUPI) concealed using a predetermined protection scheme, and a protection scheme identifier identifying the protection scheme, and transmission means for sending the SUCI to a first network apparatus during a registration procedure, the SUCI being sent for a second network apparatus to de-conceal the SUPI from the SUCI based on the protection scheme used to generate the SUCI.

Abstract: A method and apparatus for providing user key material from a server to a client is disclosed. The method comprises receiving a first message from the client in a server, the first message having a user key material request, an access token and an identifier of a transport key (TrK-ID), validating the user key material request according to the access token, generating a response having user key material responsive to the user key material request, encrypting the response according to the transport key (TrK), and transmitting a second message comprising the response from the server to the client. The client decrypts the second message according to the transport key (TrK) and validates the second message using the identifier of the transport key (TrK-ID).

Abstract: The embodiments herein relate to reducing signaling for DoNAS (Data over Non-Access Stratum) via SGi. In one embodiment, there proposes a method (400) in a mobility management node (203), comprising: establishing (S401) an S11-U connection between the mobility management node (203) and a gateway node (204); monitoring (S402) the frequency of data transferring request for a wireless device (201); and deciding (S404) whether or not to release the S11-U connection based on the frequency of data transferring request. With the embodiments herein, the signaling between the mobility management node and the gateway node can be significantly reduced, without introducing extra signaling or message to the existing network.

Abstract: The present disclosure is directed to secure processing and display of protected content. The use of a trusted execution environment (TEE) to handle authentication and session key negotiation in accordance with a selected content protection protocol may reduce any trusted computing base (TCB) needed for such operations, and thereby present a smaller target for potential attackers. Techniques are presented in which a session key negotiated via such a TEE is securely provided to output circuitry such as a display controller, which may encrypt protected content that has been requested for viewing on a protocol-compliant display device communicatively coupled to a device comprising the TEE and/or the output circuitry. The output circuitry may then provide the encrypted protected content to the protocol-compliant display device, such as for compliant display of the protected content.

Abstract: A system that provides recommendations of documents to a user, the system including a server arrangement, and a database arrangement that stores documents, wherein the server arrangement: receives identification details of the user, obtains prior work associated with the user, determines a user classification of the user based on: the identification details of the user, the prior work associated with the user, and an activity data of the user, determines a document classification for the documents based on a metainformation pertaining to the documents, determines a relevance factor for the documents with respect to the user based on the document classification of the documents, the user classification of the user, and activity data relating to the documents of a plurality of users with similar user classification as the user, and provides recommendations of documents to the user based on relevance factors of the documents.

Abstract: Embodiments described herein relate to credential wrapping for secure transfer of electronic SIMs (eSIMs) between wireless devices. Transfer of an eSIM from a source device to a target device includes re-encryption of sensitive eSIM data, e.g., eSIM encryption keys, financial transaction credentials, transit authority credentials, and the like, using new encryption keys that include ephemeral elements applicable to a single, particular transfer session between the source device and the target device. The sensitive eSIM data encrypted with a symmetric key (Ks) is re-wrapped with a new header that includes a version of Ks encrypted with a new key encryption key (KEK) and information to derive KEK by the target device. The re-encrypted sensitive SIM data is formatted with additional eSIM data into a new bound profile package (BPP) to transfer the eSIM from the source device to the target device.

Abstract: A secure element device for use in a connected device includes a first interface configured to enable communication with a communication module and a second interface configured to enable communication with an action module of the connected device. A processor coupled to the first interface and the second interface, executes a first set of computer-readable instructions, stored in a memory of the secure element device, to authenticate, via the first interface, the connected device on the communication network. The processor also executes a second set of computer-readable instructions, stored in the memory, to perform one or both of (i) obtaining, via the second interface, data from the action module, the data to be transmitted over the communication network and (ii) controlling, via the second interface, the action module to cause the action module to perform one or more operations based on an instruction received over the communication network.

Abstract: A system and method of determining an attestation or identity score of a user of a communication device employs metadata stored in a plurality of client devices, such as IoT devices. A request for attestation, comprises a unique identifier associated with the communication device and an input or shared value. The unique identifier is used to identify, in a distributed ledger (blockchain), client devices that are paired with the communication device. Metadata stored in association with each of the client devices is retrieved and compared to the input or shared value, and a sub-identity score is determined based on the extent to which there is a match and the reliability of the client device. The sub-identity scores are combined to obtain an identity score reflecting a confidence level in the user and/or communication device.