Having Key Exchange Patents (Class 713/171)
  • Patent number: 10333703
    Abstract: Embodiments are directed to a computer-implemented method and system for generating a transport key. A method can include generating, using a processor, a key agreement pair comprising a public agreement key and a private agreement key in a second element. Thereafter, generating, using the processor, a transport key based on the public agreement key in a first element. Then sending, using the processor, an information blob to the second element. Finally, independently generating, using the processor, the transport key in the second element using the information blob and the private agreement key. The transport key can thereafter be used to send information securely between the first and second elements.
    Type: Grant
    Filed: March 1, 2017
    Date of Patent: June 25, 2019
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Todd W. Arnold, Richard V. Kisley, Michael J. Miele
  • Patent number: 10313883
    Abstract: A method includes receiving a first message associated with a first machine type communications (MTC) device; sending an authentication request associated with the first MTC device to a home subscriber server (HSS), wherein the authentication request requests a validated time period indicating an amount of time that authentication associated with the first MTC device is valid; and receiving, from the HSS, an authentication response, wherein the authentication response indicates the validated time period.
    Type: Grant
    Filed: November 6, 2017
    Date of Patent: June 4, 2019
    Assignee: ORACLE INTERNATIONAL CORPORATION
    Inventor: Rajiv Krishan
  • Patent number: 10313115
    Abstract: One embodiment provides a system for facilitating distribution of quantum keys. During operation, the system receives, from a requester, a first request for a key, wherein the first request indicates a requested length for the key and identifying information of the requester. The system determines whether a subset pool of a general pool of keys is allocated to the requester based on the identifying information of the requester, wherein the keys in the general pool are generated by a quantum engine. In response to determining that a subset pool is not allocated to the requester, the system allocates a subset pool to the requester. The system obtains from the allocated subset pool a key with a length matching the requested length, and the system returns the obtained key to the requester.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: June 4, 2019
    Assignee: Alibaba Group Holding Limited
    Inventors: Peng Yuan, Zhiqiang Wang, Shuanlin Liu
  • Patent number: 10313328
    Abstract: Method and system for secure access from a security device at a local network location to a remote network location are disclosed. At the security device having a unique identifier (UID), processor, and memory, a security software is obtained from a remote network location, the security software obtaining a personal identification number (PIN) of a user, and the UID of the security device. The PIN, the UID and the private security software are forwarded to the remote network location for generating a credential code, including encrypting the credential code. At the security device, the credential code is obtained from the remote network location, and authenticity of the PIN and the UID is verified, without communicating over a network, including decrypting the credential code. Upon verifying the authenticity of the PIN and the UID, access credentials to the remote network location are retrieved.
    Type: Grant
    Filed: August 14, 2017
    Date of Patent: June 4, 2019
    Assignee: INBAY TECHNOLOGIES INC.
    Inventors: Nicolas Johannes Sebastian Bettenburg, Randy Kuang
  • Patent number: 10303669
    Abstract: A key-value store is adapted to represent hierarchical structures, such as directory structures, to be associated with objects otherwise mapped to a flat keyspace. For example, one or more key-value pairs stored in the key-value store are designated to have a key indicating the name of a hierarchical structure, and an associated value that maps the structure to a namespace (e.g., of a group of objects to be associated with a directory). Inbound requests for operations related to the objects in a given namespace and defining the structure are checked against such “redirecting” key-value pairs to determine whether the structure is related to the namespace objects, and if so, the request is internally processed to perform the requested operations against the actual key-value pair(s) associated with the objects without necessitating identification of the objects with a fully qualified name as represented in the flat keyspace.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: May 28, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher Andrew Stephens, Alazel Acheson, Douglas Stewart Laurence, Seth William Markle
  • Patent number: 10305864
    Abstract: One embodiment provides a system that facilitates efficient content exchange in a CCN. During operation, the system generates, by a client computing device, an interest with a name that includes a routable prefix and a first hash of one or more original name components, wherein the name is a hierarchically structured variable length identifier that includes contiguous name components ordered from a most general level to a most specific level. The system computes a key based on a second hash of the original name components and a randomly generated first nonce. The system encrypts a payload of the interest with the key, wherein the interest indicates the first nonce. In response to transmitting the interest, wherein the interest allows a receiving content producing device to compute the key and decrypt the payload, the system receives a content object with a payload encrypted based on the key.
    Type: Grant
    Filed: January 25, 2016
    Date of Patent: May 28, 2019
    Assignee: Cisco Technology, Inc.
    Inventor: Christopher A. Wood
  • Patent number: 10299091
    Abstract: A protocol handler communicatively coupled to client devices in an internet of things (IoT) network can operate to update manufacturer specific parameters for corresponding different protocols. A protocol component of the protocol handler can map updates from different manufacturers or different manufacturer servers to a translator dataset of a look-up table. The updates can be mapped to an IoT protocol as IoT parameters based on the associations of the look-up table between the different protocols. An IoT translator component can translate communications back and forth from manufacturers or their servers of different communications protocols to one or more of the client devices and vice versa, in which the client devices are associated with different protocols, and can also communicate to one another via the IoT translator in the IoT protocol.
    Type: Grant
    Filed: June 22, 2016
    Date of Patent: May 21, 2019
    Assignee: Intel Corporation
    Inventor: Dietmar Schoppmeier
  • Patent number: 10285054
    Abstract: A method includes identifying a first node in a plurality of nodes based on a client device identifier for a client device, the client device being associated with a first network device; storing information for the client device on the first node; responsive to the client device associating with a second network device, retrieving the information for the client device by: identifying the first node based on the client device identifier for the client device and obtaining the information from the first node.
    Type: Grant
    Filed: March 18, 2016
    Date of Patent: May 7, 2019
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Mohit Yashpal Jaggi
  • Patent number: 10270622
    Abstract: Embodiments herein include systems and methods for providing a mechanism to enable smooth, seamless, and reliable connectivity for wireless devices in a unified network. The system supports roaming of mobile units across mobility switches. A given mobile unit can retain its IP address in both intra-subnet and inter-subnet roaming scenarios. The given mobile unit also retains its membership to a mobility VLAN to which it had been assigned, even during roaming scenarios. Embodiments include a framework for wireless switches to advertise VLANs they support to peer wireless switches in the mobility domain, and to advertise their capability to act as VLAN servers for those VLANs. Embodiments support VLAN membership management capabilities that allow access points and peer wireless switches to request wireless switches to add VLANs to the tunnels they share.
    Type: Grant
    Filed: May 7, 2010
    Date of Patent: April 23, 2019
    Assignee: Avaya Inc.
    Inventors: Vivek L. Atreya, Shashi H. Ankaiah, Seemant Choudhary, Kumar Das Karunakaran, Udaya N. Shankar
  • Patent number: 10263985
    Abstract: A work method for a smart key device. A host machine acquires data from a trusted server via a browser and then transmits the data to a smart key device; the smart key device performs a signing operation when the data transmitted by the host machine is received and when a user confirms by pressing a key and then returns a signing result to the host machine; and the host machine transmits data returned by the smart key device to the trusted server to verify the validity of the smart key device. This implements rapid authentication of user identity, thus allowing highly efficient, secure, and expedited online transactions.
    Type: Grant
    Filed: April 29, 2016
    Date of Patent: April 16, 2019
    Assignee: Feitian Technologies Co., Ltd.
    Inventors: Zhou Lu, Huazhang Yu
  • Patent number: 10251059
    Abstract: An authentication device includes at least one processor, at least one computer-readable medium, and program instructions stored on the at least one computer-readable medium for execution by the at least one processor. The program instructions include first program instructions to wirelessly pair the authentication device with a controlled access device. The program instructions further include second program instructions to broadcast data indicative of an authorization to grant access to the controlled access device, while the controlled access device is within a predefined range of the authentication device, upon successfully pairing with the controlled access device.
    Type: Grant
    Filed: July 17, 2014
    Date of Patent: April 2, 2019
    Assignee: EVERYKEY INC.
    Inventors: Christopher Wentz, Xiqian Qian, Ruslan Berezyuk
  • Patent number: 10242371
    Abstract: An information handling system includes a plurality of components, and a logo device configured to communicate with one of the components. The logo device includes a logo, a memory, a communication device, and a processor. The logo is on an external surface of the logo device, and is visible from outside of the information handling system. The memory stores real-time status and error logs of the first information handling system. The communication device receives authentication information from a second information handling system in response to the second information handling system being within a first distance of the logo device. The processor detects that a second information handling system is within the first distance of the communication device, verifies the authentication information, and provides the real-time status and the error logs for the first information handling system in response to verifying the authentication information.
    Type: Grant
    Filed: January 7, 2016
    Date of Patent: March 26, 2019
    Assignee: Dell Products, LP
    Inventors: Aravindan Arunagirinathan, Krishna Devadas Murali
  • Patent number: 10244000
    Abstract: A method includes establishing, using a connection policy at a first device, a security association with a second device of an industrial process control and automation system. The method also includes, once the security association is established, activating a process data policy at the first device. The security association is established during first and second types of negotiations. The process data policy is activated during the second type of negotiation without the first type of negotiation. The second type of negotiation is faster than the first type of negotiation. The connection policy defines a communication channel between the devices using a non-process communication port of the first device. The process data policy defines a communication channel between the devices for real-time industrial process data. The first type of negotiation could include an IKE main mode negotiation, and the second type of negotiation could include an IKE quick mode negotiation.
    Type: Grant
    Filed: August 14, 2014
    Date of Patent: March 26, 2019
    Assignee: Honeywell International Inc.
    Inventors: Brian Reynolds, Senthilkumar Dhanagopalan, Ritwik Ganguly
  • Patent number: 10235516
    Abstract: Various systems and methods for using power challenges to authenticate network devices are disclosed herein. For example, one method involves initiating a power challenge to authenticate an endpoint device, which involves, at least in part, requesting the endpoint device to perform a specific power signature; receiving data indicating whether the endpoint device performed the requested power signature within a given time interval, wherein the data can be received from, e.g., a power interface or other device capable of observing the endpoint device; processing the received data to determine if the endpoint device correctly performed the requested power signature; and if the endpoint correctly performed the power signature, authenticating the endpoint.
    Type: Grant
    Filed: May 10, 2016
    Date of Patent: March 19, 2019
    Assignee: Cisco Technology, Inc.
    Inventors: John Parello, Padmanabhan Ramanujam, Sarat Pollakattu
  • Patent number: 10225083
    Abstract: An information processing system includes circuitry that stores at least one secret key that corresponds to a public key. The circuitry also causes display, on a screen, of information corresponding to the public key and information corresponding to the secret key.
    Type: Grant
    Filed: July 28, 2014
    Date of Patent: March 5, 2019
    Assignee: SONY CORPORATION
    Inventor: Koichi Sakumoto
  • Patent number: 10218504
    Abstract: In a general aspect, a supersingular isogeny-based cryptography process is performed. In some aspects, a first generator point is computed based on a secret integer of a first entity and a pair of elliptic curve points defined by a supersingular isogeny-based cryptosystem. An image curve is computed based on the secret integer, and a shared secret value is computed based on the image curve. An encrypted generator point is computed from the first generator point and the shared secret value. A public key of the first entity is sent to a second entity to enable the second entity to compute the shared secret value. The encrypted generator point is sent to the second entity to enable the second entity to validate the public key of the first entity.
    Type: Grant
    Filed: February 2, 2018
    Date of Patent: February 26, 2019
    Assignee: ISARA Corporation
    Inventors: Kassem Kalach, Anton Mosunov
  • Patent number: 10204236
    Abstract: Implementations provide self-consistent, temporary, secure storage of information. An example system includes fast, short-term memory storing a plurality of key records and a cache storing a plurality of data records. The key records and data records are locatable using participant identifiers. Each key record includes a nonce and each data record includes an encrypted portion. The key records are deleted periodically. The system also includes memory storing instructions that cause the system to receive query parameters that include first participant identifiers and to obtain a first nonce. The first nonce is associated with the first participant identifiers in the fast, short-term memory. The instructions also cause the system to obtain data records associated with the first participant identifiers in the cache, to build an encryption key using the nonce and the first participant identifiers, and to decrypt the encrypted portion of the obtained data records using the encryption key.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: February 12, 2019
    Assignee: DrFirst.com, Inc.
    Inventors: Zilong Tang, James F. Chen, Chen Qian
  • Patent number: 10200270
    Abstract: This invention relates to methods for correlating media streams and signaling sessions of services, for example, in a passive monitoring system of a packet-switched network. Furthermore, the invention also relates to an implementation of these methods in hardware and software, and provides a signaling plane probe, a media plane probe and a correlation unit. Moreover, a passive monitoring system comprising one or more of these hardware devices is provided. To correlate media streams and signaling sessions of services, the invention proposes to independently generate correlation keys in a media plane probe for monitored media streams and correlation keys for signaling sessions that are monitored by a signaling plane probe in a fashion that matching correlation keys are generated for a respective service.
    Type: Grant
    Filed: April 28, 2011
    Date of Patent: February 5, 2019
    Assignee: VOIPFUTURE GMBH
    Inventors: Hendrik Scholz, Michael Krueger, Jan Bastian, Michael Wallbaum
  • Patent number: 10200392
    Abstract: The systems and methods that identify fraud committed using native applications and web applications are provided. A native application executing on a client device generates a pairing identifier. The pairing identifier is associated with native attributes that are used by a fraud detection system to identify fraudulent transactions. The native application also activates a browser and passes the pairing identifier to the browser. The browser associates the pairing identifier with web attributes that store browser data collected on the client device. The client device transmits native attributes together with the pairing identifier and also the web attributes together with the pairing identifier to the fraud detection system. The fraud detection system links the native attributes and the web attributes by the pair identifier, and uses the native attributes and the web attributes to identify fraud that is initiated on the client device.
    Type: Grant
    Filed: November 21, 2016
    Date of Patent: February 5, 2019
    Assignee: PayPal, Inc.
    Inventors: Zahid Nasiruddin Shaikh, Srivathsan Narasimhan
  • Patent number: 10193694
    Abstract: Embodiments include a method comprising: receiving, by a system-on-a-chip (SOC) from a host, a public key of a public/private key pair; generating a first hash value of the public key; authenticating the first hash value; in response to authenticating the first hash value, transmitting, by the SOC, a first nonce to the host; receiving a signed nonce from the host, the signed nonce being signed using a private key of the public/private key pair; decrypting, using the received public key, the signed nonce to generate a second nonce; based on the first nonce and the second nonce, authenticating the host; in response to authenticating the host, receiving, from the host, a command to configure one or more parameters of the SOC; and configuring the one or more parameters of the SOC.
    Type: Grant
    Filed: October 19, 2016
    Date of Patent: January 29, 2019
    Assignee: Marvell International Ltd.
    Inventors: Paul Guditz, Tolga Nihat Aytek, Deniz Karakoyunlu, Minda Zhang
  • Patent number: 10192072
    Abstract: Various examples described herein are directed to systems and methods for securing data. A security system may receive a first record comprising a plurality of record fields, where the plurality of record fields includes a first record field and the first record field includes a first record field data. The security system may access a source setup record corresponding to the first record from a source setup table and determine that the source setup record comprises data referencing the first record field. The security system may access first token data corresponding to the first record field data and replace the first record field data at the first record field with the first token data. The security system may store the first token data at a token table and write the first token data to the first record field to replace the first record field data.
    Type: Grant
    Filed: September 21, 2016
    Date of Patent: January 29, 2019
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Thomas Francis Galvin, Jr., James Moffat McGill Hinkle, Victor Manuel Ortiz Del Valle, Udayakumar Ramakrishnan, Christina M. Hamilton, Stuart Edward Lockhart, Gregory Scott Woods
  • Patent number: 10187360
    Abstract: A method, system, server, client and application for encrypting digital information such as documents and images for safe controlled sharing of those documents over an internet network. The method includes at least requesting and validating login credentials, generating server and client key pairs, key encryption, transmission to a sandbox environment, and decrypting for use by the first communication device.
    Type: Grant
    Filed: October 28, 2016
    Date of Patent: January 22, 2019
    Assignee: QUIVER B.V.
    Inventors: Django Alexander Lor, Yanick Alain Glenn Finsy, Eric Schreiber
  • Patent number: 10187551
    Abstract: A multifunction peripheral system includes a server and a multifunction peripheral. The server is configured to access printing information from a first electronic device, and is further configured to generate printing verification information corresponding to the printing information. The multifunction peripheral has a communication connection with the server. The multifunction peripheral is configured to access a detectable identifier, which comprises information to be verified, from a second electronic device, and the multifunction peripheral is further configured to ask the server for the printing information according to the detectable identifier. When the information to be verified is identical to the printing verification information, the server provides the printing information to the multifunction peripheral.
    Type: Grant
    Filed: August 11, 2017
    Date of Patent: January 22, 2019
    Assignee: Avision Inc.
    Inventor: Chun-Chieh Liao
  • Patent number: 10181047
    Abstract: An information management system approves or denies user requests to access information of the system. The information includes all types of information including documents and e-mail. The information management system is driven using a policy language having policies and policy abstractions. The information management system may approve or deny many different types of requests including opening a document or file, copying a file, printing a file, sending an e-mail, reading an e-mail, cut and paste of a portion of a document, saving a document, executing an application on a file, and many others.
    Type: Grant
    Filed: July 13, 2015
    Date of Patent: January 15, 2019
    Assignee: NextLabs, Inc.
    Inventor: Keng Lim
  • Patent number: 10177911
    Abstract: Methods and systems are provided for efficient and secure “Machine-to-Machine” (M2M) communication between modules and servers. A module can communicate with a server by accessing the Internet, and the module can include a sensor and/or actuator. The module and server can utilize public key infrastructure (PKI) such as public keys to encrypt messages. The module and server can use private keys to generate digital signatures for datagrams sent and decrypt messages received. The module can internally derive pairs of private/public keys using cryptographic algorithms and a set of parameters. A server can use a shared secret key to authenticate the submission of derived public keys with an associated module identity. For the very first submission of a public key derived by the module, the shared secret key can comprise a pre-shared secret key which can be loaded into the module using a pre-shared secret key code.
    Type: Grant
    Filed: May 18, 2018
    Date of Patent: January 8, 2019
    Assignee: Network-1 Technologies, Inc.
    Inventor: John A. Nix
  • Patent number: 10169587
    Abstract: A network can operate a WiFi access point with credentials. An unconfigured device can (i) support a Device Provisioning Protocol (DPP), (ii) record responder bootstrap public and private keys, and (iii) be marked with a tag. The network can record initiator bootstrap public and private keys, as well as derived initiator ephemeral public and private keys. An initiator can (i) operate a DPP application, (ii) read the tag, (iii) establish a secure and mutually authenticated connection with the network, and (iv) send the network data within the tag. The network can record the responder bootstrap public key and derive an encryption key with the (i) recorded responder bootstrap public key and (ii) derived initiator ephemeral private key. The network can encrypt credentials using the derived encryption key and send the encrypted credentials to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.
    Type: Grant
    Filed: July 12, 2018
    Date of Patent: January 1, 2019
    Inventor: John A. Nix
  • Patent number: 10164955
    Abstract: A method of operating a distributed storage system includes receiving, at data processing hardware of the distributed storage system, a customer-supplied encryption key from a customer device (i.e., a client). The customer-supplied encryption key is associated with wrapped persistent encryption keys for encrypted resources of the distributed storage system. The wrapped persistent encryption keys are stored on one or more non-volatile memory hosts of the distributed storage system. The method also includes unwrapping, by the data processing hardware, a wrapped persistent encryption key that corresponds to a requested encrypted resource using the customer-supplied encryption key. The unwrapped persistent encryption key is configured to decrypt the requested encrypted resource. The method further includes decrypting, by the data processing hardware, the requested encrypted resource using the corresponding unwrapped persistent encryption key.
    Type: Grant
    Filed: May 25, 2016
    Date of Patent: December 25, 2018
    Assignee: Google LLC
    Inventors: Michael Halcrow, Timothy Dierks
  • Patent number: 10165440
    Abstract: A method and apparatus provides for user authentication. In an example, the method and apparatus includes receiving a selected signal strength for smart card emulation authentication. The method and apparatus also includes receiving a signal from a portable wireless device radio transceiver. The method also includes measuring the signal strength of the signal. The method and apparatus also includes, if the signal is at or above the selected signal strength, transmitting one or more signals to the portable radio device radio transceiver requesting user authentication, and if the signal is not at or above a selected signal strength, refusing a request to authenticate by the portable radio device radio transceiver. The method and apparatus also includes receiving one or more authentication response signals from the portable radio device in response to the request for user authentication, the one or more response signals including at least authentication information unique to a user.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: December 25, 2018
    Assignee: Entrust, Inc.
    Inventors: Clayton Douglas Smith, Lindsay Martin Kent
  • Patent number: 10164949
    Abstract: Method and device of encrypting communication between a server and a peripheral device are disclosed. The method includes: a server receiving a session request from a control device, the session request including a predetermined device ID of a peripheral device associated with the control device; generating a first session key for encrypting and decrypting future communication between the peripheral device and the server; identifying a pre-stored encryption key corresponding to the predetermined device ID from a database, wherein the pre-stored encryption key is also pre-stored in the peripheral device; encrypting the first session key using the pre-stored encryption key; sending the encrypted first session key to the peripheral device via the control device; and encrypting communication to the peripheral device in a respective communication session using the first session key.
    Type: Grant
    Filed: January 11, 2016
    Date of Patent: December 25, 2018
    Assignee: TENCENT TECHNOLOGY (SHENZHEN) COMPANY LIMITED
    Inventors: Chenglin Liu, Jinhai Liu, Xiangyao Lin, Liangliang Fan
  • Patent number: 10152604
    Abstract: An Attestation Identity Key pair (AIK pair) is created from a hardware identifier of a hardware machine and a geographical location. The AIK pair includes a private AIK and a public AIK. The public AIK and the geographical location are stored in a repository. The public AIK is matched with a key used to sign a data request. A geographical restriction policy corresponding to the geographical location associated with the public AIK is executed. When the geographical restriction policy determines that a type of the data request corresponds to an authorized request type from the geographical location, a service is instructed to process the data request.
    Type: Grant
    Filed: November 15, 2017
    Date of Patent: December 11, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Fernando J. Diaz, Shawn P. Mullen, Nithya Alagu Renganathan, Elvin Dalipe Tubillara
  • Patent number: 10149158
    Abstract: The present disclosure discloses a terminal access method, system and device, and a computer storage medium. The method comprises: after establishing a WiFi connection with a wireless gateway, a terminal sends a terminal identity verification request and a gateway identity verification request to the wireless gateway; and after confirming that the terminal identity verification and gateway identity verification succeed, accesses a wireless broadband network through the WiFi connection.
    Type: Grant
    Filed: March 31, 2014
    Date of Patent: December 4, 2018
    Assignee: ZTE CORPORATION
    Inventors: Zonghe Yue, Jing Xu
  • Patent number: 10135835
    Abstract: Techniques include receiving a request for verification of an identity, where the request includes no authentication information associated with the identity; determining, based on a ledger shared by a plurality of decentralized verification services, a credibility score for the identity; where the ledger is developed based on receiving information associated with a plurality of different types of credibility-building actions taken by the identity in an environment; determining whether the credibility score for the identity can be validated by consensus by at least a subset of the plurality of decentralized verification services; and determining whether to verify the identity, where the determination of whether to verify the identity is performed without using authentication information associated with the identity.
    Type: Grant
    Filed: March 19, 2018
    Date of Patent: November 20, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Tal Kandel, Max Brin, Dima Barboi, Noam Zweig
  • Patent number: 10133528
    Abstract: An information processing apparatus includes a detector and a receiver. The detector detects a person. The receiver receives optical communication. The receiver does not accept reception of the optical communication when no person is detected by the detector.
    Type: Grant
    Filed: April 25, 2017
    Date of Patent: November 20, 2018
    Assignee: FUJI XEROX CO., LTD.
    Inventor: Hiroshi Yamaguchi
  • Patent number: 10133861
    Abstract: A method (M) for controlling access to a production system (SIP) of a computer system not connected to an information system (SIC), includes: A) an initial phase of enrolling a user via a terminal (1) in the production system (SIP), which includes: a) providing a private encrypted key (Cph) associated with each account of the user in the production system (SIP); b) the terminal transmitting the encrypted private key (Cph) to the information system and the system (SIC) registering the encrypted private key; B) for each request to access the production system, a phase of authentication by the production system, which includes: the terminal of the user recovering a challenge (QRCb) generated by the production system, that only the encrypted key stored in the information system makes it possible to solve, the key only being capable of being obtained after the terminal has been authenticated by the information system.
    Type: Grant
    Filed: November 18, 2015
    Date of Patent: November 20, 2018
    Assignee: EVIDIAN
    Inventors: Christophe Guionneau, David Cossard, Gerard Dedieu
  • Patent number: 10129208
    Abstract: A method of obtaining addressing information may include establishing a communication path through a network between first and second peer devices with a router coupled between the first peer device and the communication path through the network. A communication may be received at the first peer device from the second peer device through the communication path and the router. Moreover, a payload of the communication received at the first peer device from the second peer device may include a public reachability address used by the second peer device to transmit the communication through the network and the router to the first peer device. Related methods of providing such addressing information and related devices are also discussed.
    Type: Grant
    Filed: December 5, 2016
    Date of Patent: November 13, 2018
    Assignee: TELEFONAKTIEBOLAGET L M ERICSSON (PUBL)
    Inventors: Ahmad Muhanna, Zu Qiang, Dinand Roeland
  • Patent number: 10129299
    Abstract: A variety of different mobile computing devices, such as a laptop, tablet or smartphone, may be used in a mixed set of computing environments. At least some of the computing environments may be hostile computing environments where users of the mobile computing devices may be exposed to unknown risks. Furthermore, the mobile computing devices may be unable to determine if a network in a particular computing environment is in fact the network the mobile device determines it to be. A beacon device may be attached to a network and provide mutual authentication for mobile devices in the computing environment. Various security policies may be adjusted as a result of the user device and the beacon device successfully authenticating the other device.
    Type: Grant
    Filed: June 6, 2014
    Date of Patent: November 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, Jesper Mikael Johansson
  • Patent number: 10129224
    Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound with a domain for which the client device is attempting to establish a secure session. The server transmits the encrypted premaster secret to another server for decryption. The server receives the decrypted premaster secret and continues with the handshake procedure including generating a master secret from the decrypted premaster secret and generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.
    Type: Grant
    Filed: January 23, 2017
    Date of Patent: November 13, 2018
    Assignee: CLOUDFLARE, INC.
    Inventors: Sébastien Andreas Henry Pahl, Matthieu Phillippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Albertus Strasheim
  • Patent number: 10123209
    Abstract: Methods and devices for NFC-tap file encryption, decryption and access via Near Field Communication (NFC) are disclosed. A user can select an unencrypted file stored in a computing device for encryption. Upon encryption, the file name of the selected file and the encryption key used to encrypt the selected file are transmitted to an NFC-enabled wireless device for storage. The user can select an encrypted file stored in the computing device for access. As the user taps the computing device with the wireless device, the file name of the selected file is transmitted to the wireless device, which in turn transmits a decryption key for decrypting the selected file to the computing device. The computing device decrypts the selected file with the decryption key. The user can now access the decrypted file.
    Type: Grant
    Filed: February 20, 2017
    Date of Patent: November 6, 2018
    Assignee: Intel Corporation
    Inventors: Farid Adrangi, Sanjay Bakshi
  • Patent number: 10122755
    Abstract: The present invention provides a method and apparatus for detecting that an attacker has sent one or more messages to a receiver node. The method comprises storing at least a portion of an nth message received by the receiver node from a sender node in a memory device; sending an integrity check message to the sender node comprising an indication of the value of n; receiving a reply message from the sender node including at least a portion of the nth message sent by the sender node to the receiver node; and comparing the at least a portion of the nth message sent by the sender node to the receiver node with the nth message received by the receiver node from the sender node stored in the memory device.
    Type: Grant
    Filed: January 23, 2014
    Date of Patent: November 6, 2018
    Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
    Inventors: Giovanni Fiaschi, Géza Gaál
  • Patent number: 10116649
    Abstract: An establishing method for a P2P connection includes: receiving a connection request with a remote device from a client device, detecting a validation token in a network packet from the client device according to the connection request, and when the validation token is detected to be valid, executing a connection validation procedure including: receiving a first validation code and a first address information from the client device, reading a second validation code and a second address information from a storage unit, sending the first validation code and the first address information to the remote device, and sending the second validation code and the second address information to the client device. Therefore, the P2P connection between the client device and the remote device is established according to the first validation code, the second validation code, the first address information and the second address information.
    Type: Grant
    Filed: October 29, 2015
    Date of Patent: October 30, 2018
    Assignees: THROUGHTEK TECHNOLOGY (SHENZHEN) CO., LTD., THROUGHTEK CO., LTD.
    Inventor: Kai-Kuo Liu
  • Patent number: 10111089
    Abstract: The present disclosure relates to a pre-5th-Generation (5G) or 5G communication system to be provided for supporting higher data rates beyond 4th-Generation (4G) communication system such as Long Term Evolution (LTE). A method for downloading profiles in a terminal in a wireless communication system includes generating and storing an encryption key at a time point, loading the stored encryption key, when receiving profile download start information from a profile providing server, and downloading an encrypted profile for the electronic device from the profile providing server, via the loaded encryption key, and installing the encrypted profile in the electronic device.
    Type: Grant
    Filed: April 8, 2016
    Date of Patent: October 23, 2018
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Jonghan Park, Duckey Lee, Taesun Yeom, Sangsoo Lee
  • Patent number: 10111091
    Abstract: A method is provided for generating a secret sequence of values in a first device as a function of measured physical properties of a transmission channel between the first device and at least one second device. With this method, movements are detected by at least one sensor, which have an effect on the physical properties of the transmission channel. The measurement of the physical properties of the transmission channel is carried out as a function of the detected movements.
    Type: Grant
    Filed: December 14, 2016
    Date of Patent: October 23, 2018
    Assignee: ROBERT BOSCH GMBH
    Inventors: Christopher Huth, Rene Guillaume
  • Patent number: 10104083
    Abstract: Systems and methods for securing a network, for admitting new nodes into an existing network, and/or securely forming a new network. As a non-limiting example, an existing node may be triggered by a user, in response to which the existing node communicates with a network controller node. Thereafter, if a new node attempts to enter the network, and also for example has been triggered by a user, the network controller may determine, based at least in part on parameters within the new node and the network controller, whether the new node can enter the network.
    Type: Grant
    Filed: July 24, 2015
    Date of Patent: October 16, 2018
    Assignee: MaxLinear, Inc.
    Inventors: Yoav Hebron, Na Chen, Zong Liang Wu, Ronald Lee
  • Patent number: 10101983
    Abstract: Embodiments provide a web-based editing tool that intelligently leverages certain functionality of a browser, web client, desktop client, and native software at the client side to provide seamless user experience when editing a file over a network. Responsive to a user selecting a file for editing, the web client may send a passive content request to a web server embedded in the desktop client at a specific address on the client device. If no response, the web client prompts the user to start or install the desktop client on the client device. If a response is received, the web client sends a request to the desktop client with a user identifier and authorization to download the file from a server. The desktop client downloads the file, opens it in the native software, monitors the file being edited, and updates a delta associated with the file to the server.
    Type: Grant
    Filed: November 6, 2015
    Date of Patent: October 16, 2018
    Assignee: Open Text SA ULC
    Inventors: Gregory Beckman, Benjamin Barth
  • Patent number: 10091189
    Abstract: The invention solves the way of authentication of secured data channel between two sides (A, B) when there is at first established a non-authenticated protected data channel (1), with ending (3) of the data channel (1) on the first side (A) and ending (4) of the data channel (1) on the other side (B) and with target application (7) on the first side (A) and target application (8) on the other side (B), while the endings (3) and (4) have a non-authenticated shared secret (5), consequently, on both sides (A, B) of the data channel (1) there are calculated the data derived from non-authenticated shared secret (5), then the data derived from the non-authenticated shared secret (5) are passed via external communication means out of the data channel (1) to two sides (11, 12) of the external authentication system (2), which consequently performs authentication of communicating sides (A, B) including authentication of the data channel (1).
    Type: Grant
    Filed: May 21, 2014
    Date of Patent: October 2, 2018
    Assignee: ADUCID S.R.O.
    Inventor: Libor Neumann
  • Patent number: 10075421
    Abstract: Methods, systems, and computer program products for vehicle wireless internet security are provided. A connection request is received from a mobile device. A data request is transmitted to the mobile device. The data request includes a request for location-based data of the mobile device. A first data is received from the mobile device that corresponds to the data request. A vehicle data is generated that comprises location-based data of the vehicle. A match between the first data and the vehicle data is determined. A match is determined where the location-based data of the mobile device is within a pre-determined threshold of the location-based data of the vehicle.
    Type: Grant
    Filed: November 10, 2017
    Date of Patent: September 11, 2018
    Assignee: International Business Machines Corporation
    Inventors: Stuart J. Reece, Matthew S. Shaw
  • Patent number: 10069803
    Abstract: The present invention provides a method of route optimization involving a first mobile device associated with a first home gateway. One embodiment of the method is implemented in a first mobility forwarding entity and includes registering the first mobile device at the first mobility forwarding entity. The first mobile device is registered using a session key included in a registration message transmitted by the first mobile device. The embodiment also includes establishing a secure route between the first mobility forwarding entity and a terminating node using the session key. The secure route bypasses the first home gateway.
    Type: Grant
    Filed: December 28, 2015
    Date of Patent: September 4, 2018
    Assignee: Alcatel-Lucent USA, INC.
    Inventors: Ganapathy Sundaram, Violeta Cakulev
  • Patent number: 10069817
    Abstract: An application having an application architecture including an application programming interface (API) client capable of automatically retrieving a passphrase from a secure passphrase vault based on a user authentication ID used to access the application is provided. The passphrase is used to access a secure file transfer protocol (SFTP) authentication key via an API server communicatively connected to the API client. The SFTP authentication key is used to authenticate an SFTP file transfer request from the application to an intended file recipient.
    Type: Grant
    Filed: September 28, 2015
    Date of Patent: September 4, 2018
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventors: Douglas Paul Forguson, Sachin Kumar Rathore, Uday Kumar Survi, Steven Delles
  • Patent number: 10063592
    Abstract: A variety of different mobile computing devices, such as a laptop, tablet or smartphone, may be used in a mixed set of computing environments. At least some of the computing environments may be hostile computing environments where users of the mobile computing devices may be exposed to unknown risks. Furthermore, the mobile computing devices may be unable to determine if a network in a particular computing environment is in fact the network the mobile device determines it to be. A beacon device may be attached to a network and provide mutual authentication for mobile devices in the computing environment. The beacon device may be paired with the mobile devices in order to generate secret information useable in mutual authentication of the mobile device and the beacon device.
    Type: Grant
    Filed: June 6, 2014
    Date of Patent: August 28, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, Jesper Mikael Johansson
  • Patent number: 10057770
    Abstract: Certain implementations of the present disclosure relate to a method, device, and medium to perform association validation of a client device's request during an association validation phase based on a plurality of capabilities associated with the client device. The network device receives an association request to connect to a wireless network. Then, the network device extracts a parameter specific to the client device from the association request, and determines a plurality of capabilities associated with the client device based on a value of the parameter. Then, the network device transmits the plurality of capabilities to an authentication server during an association validation phase, and receives an association validation decision corresponding to the connection request from an association validation/authentication server.
    Type: Grant
    Filed: September 15, 2016
    Date of Patent: August 21, 2018
    Assignee: Hewlett Packard Enterprise Development LP
    Inventor: Abliash Soundararajan