Abstract: Systems and methods for securing a network, for admitting new nodes into an existing network, and/or securely forming a new network. As a non-limiting example, an existing node may be triggered by a user, in response to which the existing node communicates with a network controller node. Thereafter, if a new node attempts to enter the network, and also for example has been triggered by a user, the network controller may determine, based at least in part on parameters within the new node and the network controller, whether the new node can enter the network.

Abstract: Embodiments provide a web-based editing tool that intelligently leverages certain functionality of a browser, web client, desktop client, and native software at the client side to provide seamless user experience when editing a file over a network. Responsive to a user selecting a file for editing, the web client may send a passive content request to a web server embedded in the desktop client at a specific address on the client device. If no response, the web client prompts the user to start or install the desktop client on the client device. If a response is received, the web client sends a request to the desktop client with a user identifier and authorization to download the file from a server. The desktop client downloads the file, opens it in the native software, monitors the file being edited, and updates a delta associated with the file to the server.

Abstract: The invention solves the way of authentication of secured data channel between two sides (A, B) when there is at first established a non-authenticated protected data channel (1), with ending (3) of the data channel (1) on the first side (A) and ending (4) of the data channel (1) on the other side (B) and with target application (7) on the first side (A) and target application (8) on the other side (B), while the endings (3) and (4) have a non-authenticated shared secret (5), consequently, on both sides (A, B) of the data channel (1) there are calculated the data derived from non-authenticated shared secret (5), then the data derived from the non-authenticated shared secret (5) are passed via external communication means out of the data channel (1) to two sides (11, 12) of the external authentication system (2), which consequently performs authentication of communicating sides (A, B) including authentication of the data channel (1).

Abstract: Methods, systems, and computer program products for vehicle wireless internet security are provided. A connection request is received from a mobile device. A data request is transmitted to the mobile device. The data request includes a request for location-based data of the mobile device. A first data is received from the mobile device that corresponds to the data request. A vehicle data is generated that comprises location-based data of the vehicle. A match between the first data and the vehicle data is determined. A match is determined where the location based data of the mobile device is with a pre-determined threshold of the location-based data of the vehicle.

Abstract: The present invention provides a method of route optimization involving a first mobile device associated with a first home gateway. One embodiment of the method is implemented in a first mobility forwarding entity and includes registering the first mobile device at the first mobility forwarding entity. The first mobile device is registered using a session key included in a registration message transmitted by the first mobile device. The embodiment also includes establishing a secure route between the first mobility forwarding entity and a terminating node using the session key. The secure route bypasses the first home gateway.

Abstract: An application having an application architecture including an application programming interface (API) client capable of automatically retrieving a passphrase from a secure passphrase vault based on a user authentication ID used to access the application is provided. The passphrase is used to access a secure file transfer protocol (SFTP) authentication key via an API server communicatively connected to the API client. The SFTP authentication key is used to authenticate an SFTP file transfer request from the application to an intended file recipient.

Abstract: A variety of different mobile computing devices, such as a laptop, tablet or smartphone, may be used in a mixed set of computing environments. At least some of the computing environments may be hostile computing environments where users of the mobile computing devices may be exposed to unknown risks. Furthermore, the mobile computing devices may be unable to determine if a network in a particular computing environment is in fact the network the mobile device determines it to be. A beacon device may be attached to a network and provide mutual authentication for mobile devices in the computing environment. The beacon device may be paired with the mobile devices in order to generate secret information useable in mutual authentication of the mobile device and the beacon device.

Abstract: Certain implementations of the present disclosure relates to a method, device, and medium to perform association validation of a client device's request during an association validation phase based on a plurality of capabilities associated with the client device. The network device receives an association request to connect to a wireless network. Then, the network device extracts a parameter specific to the client device from the association request, and determines a plurality of capabilities associated with the client device based on a value of the parameter. Then, the network device transmits the plurality of capabilities to an authentication server during an association validation phase, and receives an association validation decision corresponding to the connection request from an association validation/authentication server.

Abstract: A method for connecting an external apparatus and a multimedia replaying apparatus using the same. The method includes determining whether a command for displaying menus is input while multimedia content is replayed, determining a multimedia content replay state indicating whether a part or the whole of the multimedia contents is being replayed at an external apparatus if it is determined that the command for displaying menus is input, and displaying the menus comprising the multimedia content replay state on an area displaying a video of the multimedia contents. Therefore, a part or entire of replayed multimedia contents is readily transmitted to an external apparatus for wireless communication.

Abstract: A system and method of security for emoji based actions. The system and method may include processes such as obtaining a first text associated with an emoji image and a second text, determining to implement a security measure based at least in part on the first text associated with the emoji image, and determining a security level based at least in part on the second text.

Abstract: In a technology stack including members provided in communication, a system and method are provided for managing keys for use in encrypting and decrypting data. The system comprises a key manager configured to define a group of members and to create at least one encryption key associated with the defined group, and a communications manager configured to transmit the at least one encryption key associated with the group to members in the group. Data encrypted by a member in the group using the at least one encryption key received by the member from the communications manager is transmitted to another member in the group for decryption using the at least one encryption key received by the another member from the communications manager.

Abstract: A first electronic device is provided. The first electronic device includes a transceiver, and a processor configured to encrypt a part of information related to a second communication based on information related to a first communication performed between the first electronic device and a second electronic device and control the transceiver to transmit information related to the second communication to the second electronic device through the transceiver.

Abstract: Systems and methods to manage a tokenization manifest that can be used for managing a redaction through tokenization of a set of field level tokenization values applied to an arbitrary information object of an arbitrary file (e.g., database cells, XML and other document elements, areas of graphics images, etc.). The methods and system extend the use of tokenization to the protection of arbitrary fields or information objects of any type or format. This allows the tokenized components of the information object to be located and provided to a Tokenization Service Provider that can recover, for an authorized requestor, the original content protected by the token. The tokenization schema processes the unrestricted content into a corresponding restricted token. The token can include an embedded URL, where the URL is a link to submit a request to the Tokenization Service Provider to view the token as the unrestricted content.

Abstract: The present invention relates to a location-based charging/discharging power mediation system of an electric vehicle, and more particularly to a module, an electric vehicle, and an intermediate server for location-based charging/discharging power mediation. The present invention also relates to a user authentication socket or connector used in the power mediation system. A module for location-based power mediation comprises: a location and time identification unit that identifies a location and a time of an electric vehicle from one or more of information from a global navigation satellite system, Local Positioning System (LPS) information, and earth magnetic field information; a power measurement unit that monitors input/output power to/from the electric vehicle in real time; and a wireless communication unit that transmits location and time information of the electric vehicle and information on the input/output power to the outside.

Abstract: Security is simply and safely secured when communication is performed by an information processing device including: a communication unit configured to wirelessly communicate with another terminal; an identification information acquisition unit configured to acquire first identification information that is acquired through the communication unit and encrypted for specifying the other terminal, and that is decrypted with a first decryption key managed in a network service; and a key acquisition unit configured to acquire a first encryption key associated with the first identification information in the network service when second identification information for specifying an own terminal is associated with the first identification information in the network service. The communication unit transmits information encrypted with the acquired first encryption key to the other terminal.

Abstract: Provided is a network self-healing method in which, when a link between a parent device and a child device breaks down in a wireless communication network of a cluster-tree structure in which a main communication device (referred to an access point (AP)) manages network operation, routers that are devices capable of having their child devices, and end devices that are devices incapable of having their child devices are associated with each other in a parent-child device relationship, the link is restored. When a router becomes an orphan device, the router makes network re-association in a cluster unit while maintaining synchronized operation with its child devices, and thus time, energy and signaling burden for network self-healing is largely reduced.

Abstract: Methods and systems are provided for efficient and secure “Machine-to-Machine” (M2M) between modules and servers. A module can communicate with a server by accessing the Internet, and the module can include a sensor and/or actuator. The module and server can utilize public key infrastructure (PKI) such as public keys to encrypt messages. The module and server can use private keys to generate digital signatures for datagrams sent and decrypt messages received. The module can internally derive pairs of private/public keys using cryptographic algorithms and a set of parameters. A server can use a shared secret key to authenticate the submission of derived public keys with an associated module identity. For the very first submission of a public key derived the module, the shared secret key can comprise a pre-shared secret key which can be loaded into the module using a pre-shared secret key code.

Abstract: Techniques for exchanging security keys via a trusted proxy are provided. For example, a method may include receiving, at a computing device, a communication including a unique identifier for an access device connected to a network, wherein unique identifiers include an expiration time. The method may further include using the unique identifier to determine a security key for the access device. The method may also include receiving, at the computing device, a new communication, wherein the new communication includes the unique identifier. The method may further include validating the unique identifier for the access device, wherein validating includes determining whether the unique identifier has expired, and then using the validated identifier to retrieve the security key for the access device. The method may also include transmitting the security key, wherein when the security key is received, the security key facilitates generating a signature.

Abstract: A set of Content Store nodes of an information-centric network (ICN) can cache data, and can processes an Interest for this data based on a domain assigned to the requested data. During operation, a CS node can receive a Content Object that is to be cached, and processes the Content Object by determining a domain associated with the Content Object. The CS node selects a storage repository associated with the domain, and stores the Content Object in the selected repository. The CS node can also receive an Interest for a piece of content, and processes the Interest by performing a lookup operation for a rule associated with the Interest's name. The rule can include a set of commands for performing a programmatic operation. Then, if the CS node finds a matching rule, the CS node can execute the rule's commands to perform the programmatic operation.

Abstract: A user terminal 10 for screen sharing with a destination user terminal 100 receives a connection request for screen sharing from a user; issues an authentication number to specify the destination user terminal 100 with which the user terminal 10 is to perform screen sharing, in response to the connection request; directly connects with the destination user terminal 100; allows the destination user terminal 100 to display a prompt to ask for an input of the authentication number; authenticates the authentication number in response to receiving the authentication number from the destination user terminal 100; and sequentially transceives shared screen data to and from the destination user terminal 100 if the authentication number is appropriate.

Abstract: This invention regards a method of key-fingerprint visualization that is unique, reproducible, and nearly impossible to forge which aims to improve the usability of crypto-systems by creating a visual representation of the key-fingerprint as a face. First, the cryptographic identification (either PKI or fingerprint) is converted into a standardized format. Then, the standardized cryptographic identification information is segmented into smaller parts. Each of the parts is pragmatically translated to facial features. Thus, an image of a face is produced from the original cryptographic identification information.

Abstract: In one example, a method of protecting customer data in a networked system comprises collecting sensor data available at sensor nodes within a sensor network in communication with a service data platform over a network. The method includes encrypting the sensor data using a certified public key associated with a customer key-pair, the sensor data representing the customer data associated with sensitive identification information. The sensor data is cryptographically signed with a device private key. The method includes transporting the encrypted sensor data to the service data platform for storage, and decrypting at the service data platform, the encrypted sensor data using a private key sharing scheme that reconstructs the private key associated with the customer key-pair using a first share and a password encrypted second share, the first share assigned to the service data platform and the password encrypted second share assigned to a customer of the customer key-pair.

Abstract: The RFID phone-unlocking system is adapted for use with a personal data device. The personal data device further comprises an interrogator, a security code, and a logic module. The RFID phone-unlocking system is an application that is adapted to run on the personal data device. The RFID phone-unlocking system is a token based identification system that: 1) generates an interrogation signal using the interrogator; and, 2) upon receipt of a response from a previously identified RFID tracking tag the application will unlock a security code protecting access to the personal data device without requiring physically entering the security code directly into the personal data device. The RFID phone-unlocking system comprises an application and one or more tokens. The application comprises a set of programmed instructions implemented by the logic module. The RFID tracking tag is a token contained within the one or more tokens.

Abstract: A single sign-on is implemented in an online transaction processing system. A security token extracted from a transaction request is received. The security token is validated and, in response to a positive validation, security information is extracted. The security information is processed to validate the transaction request and a set of validation attributes is generated. The set of validation attributes is stored in a read-only data object. A transaction server is notified of the read-only data object to authorize processing of the transaction request by the transaction server.

Abstract: The present disclosure generally relates to the use of loyalty accounts, private label payment accounts, and general payment accounts using an electronic device with an electronic wallet. Various accounts are linked to the electronic device. In some examples, the electronic device is NFC-enabled. The electronic device may be used to provide loyalty account information and payment account information to a payment terminal, such as an NFC-enabled payment terminal.

Abstract: In a general aspect, approximate modular reductions are applied in cryptographic protocols. In some aspects, an array of integers defined for a lattice-based cryptography system is obtained. A transformation is applied to the array of integers, which includes applying a modular reduction to a product of a first integer and a second integer. The first integer is based on the array of integers, and the second integer is based on the transformation. Applying the modular reduction includes operations mathematically equivalent to multiplying the product by a first constant to yield a first intermediate value, applying a bit shift operation to the first intermediate value to yield a second intermediate value, multiplying the second intermediate value by a modulus value to yield a third intermediate value, and subtracting the third intermediate value from the product.

Abstract: There is disclosed a method of controlling use of encrypted content by a plurality of client terminals each provided with a digital rights management (DRM) client and a content decryption module separate to the DRM client. First key information is provided for use by one or more selected ones of the DRM clients, and second key information is provided for use by one or more selected ones of the content decryption modules. Content key information is encrypted to form encrypted content key information such that the selected ones of the content decryption modules are enabled by the second key information to recover the content key information from the encrypted content key information. The encrypted content key information is further encrypted to form super-encrypted content key information such that the selected ones of the DRM clients are enabled by the first key information to recover the encrypted content key information from the super-encrypted content key information.

Abstract: The subject matter described herein includes methods, systems, and computer readable media for access network protocol interworking and authentication proxying. One method includes receiving an authentication request from a node in an access network for authenticating a user using cellular network authentication. The method further includes, in response to the request, using a native protocol of the cellular network to obtain an authentication challenge from a node in the cellular network. The method further includes communicating the authentication challenge to the node in the access network. The method further includes receiving a response to the authentication challenge from the node in the access network. The method further includes determining whether the response matches an expected response. The method further includes, in response to determining that the response matches the expected response, communicating an indication of successful authentication to the node in the access network.

Abstract: A processing device is configured to obtain an address and a public key, both associated with an authentication service, to generate a symmetric key as a function of the public key, to configure an authentication token to incorporate the symmetric key, to encrypt the symmetric key utilizing the public key, and to transmit the encrypted symmetric key to the address so as to permit the authentication service to bind the symmetric key to an identifier of the authentication token. By way of example, the authentication token may comprise a software authentication token implemented on the processing device. One or more tokencodes generated by the authentication token utilizing the symmetric key are transmitted to the authentication service for authentication. The authentication by the authentication service is based on the symmetric key bound to the identifier of the authentication token.

Abstract: Disclosed herein are systems, methods, and non-transitory computer-readable storage media for encryption and key management. The method includes encrypting each file on a computing device with a unique file encryption key, encrypting each unique file encryption key with a corresponding class encryption key, and encrypting each class encryption key with an additional encryption key. Further disclosed are systems, methods, and non-transitory computer-readable storage media for encrypting a credential key chain. The method includes encrypting each credential on a computing device with a unique credential encryption key, encrypting each unique credential encryption key with a corresponding credential class encryption key, and encrypting each class encryption key with an additional encryption key. Additionally, a method of generating a cryptographic key based on a user-entered password and a device-specific identifier secret utilizing an encryption algorithm is disclosed.

Abstract: Shared file systems and methods ensuring high availability of cryptographic keys. The keys are encrypted with at least one shareable master key to generate corresponding encrypted cryptographic keys, which are stored in a key database in the shared file system. A master key manager with access to the key database is elected from among master key manager candidates and is assigned a common virtual address. All master key manager candidates have the shareable master key such that during a failover event the availability of the encrypted cryptographic keys is not interrupted as a new master key manager takes over the common virtual address from the previous master key manager. Additionally, a message authentication code (MAC) is deployed for testing the integrity of keys during their retrieval.

Abstract: User identity is verified as a user migrates among different devices. When the user migrates from a device to a different device, key pairs may be generated. If the key pairs validate, the user may be verified to the different device.

Abstract: The embodiments herein relate to a method in a first device (101) for informing a second device (105) that an identity associated with the first device (101) is at a certain location. The first device (101) obtains information about the location of the first device (101). The first device (101) broadcasts, by means of device to device, D2D, communication, a message to be received by the second device (105). The message comprises the location information and an identity information associated with a user of the first device (101). The location information is transmitted on a first communications resource and the identity information is transmitted on a second communications resource.

Abstract: A key manager provides a way to separate out the management of encryption keys and policies from application domains. The key manager may create cipher objects that may be used by the domains to perform encryption or decryption, without exposing the keys or encryption/decryption algorithms to the domains. A master key managed by the key manager may be used to encrypt and decrypt the domain keys that are stored under the control of the key manager. The key manager supports the rekeying of both the master key and the domain keys based on policy. Multiple versions of domain keys may be supported, allowing domains to access data encrypted with a previous version of a domain key after a rekeying.

Abstract: In one embodiment, a method includes selecting at a network device, seed access points from a plurality of access points and assigning each of the seed access points to a wireless network controller. The seed access points join the assigned wireless network controllers before the remaining access points join the wireless network controllers. Each of the remaining access points is associated with one of the seed access points and joins the same wireless network controller as the seed access point. An apparatus and logic are also disclosed herein.

Abstract: A method and apparatus for digital rights management (DRM) with steps and means for receiving a registration request from one of a plurality of DRM agent devices requesting to register one of a plurality of user accounts and the one DRM agent device to one of a plurality of rights issuers, completing a registration process in the one rights issuer, including establishment of a relationship among the one user account, the one DRM agent device and the one rights issuer; and returning a registration completion response to the one DRM agent device. The invention provides support to the many-to-many relationships among DRM entities, such as DRM agent device, user account and rights issuer, so that the DRM system can be applied to more business modes.

Abstract: A system, method, and computer-readable medium are disclosed for providing enhanced security to a wireless monitor, comprising: establishing a connection between the wireless monitor from a first device; generating a session identification for a human interface design (HID) input after the connection is established, the session identification enabling activities of an I/O device to be accepted by the wireless monitor; encrypting the activities of the I/O device to provide encrypted I/O device activities; providing the encrypted I/O device activities to the first device; and, decrypting the encrypted I/O device activities at the first device.

Abstract: Embodiments of systems and methods for client and/or server authentication are provided. In one embodiment, a method includes sending information from a mobile network device to a server, wherein the information comprises a seed that is used by both the mobile network device and the server to compute a series of one time passwords. The method also includes receiving, by the mobile network device, a succession of one time passwords generated by the server throughout a session. And the method further includes comparing the received one time passwords generated by the server throughout the session to corresponding one time passwords generated at the mobile network device. In this manner, the server can be authenticated. In various embodiments, the process may be reversed to facilitate client, e.g., mobile network device, authentication.

Abstract: Methods and apparatus to provide extended object notation data are disclosed. An example apparatus includes a data handler having a first input to receive object data and a first output to output an object notation key-value pair for the object data; a string processor having a second input coupled to the first output and a second output to convey the object notation key-value pair without string literals; and a hashing and encryption handler having a third input coupled to the second output and a third output to convey the key-value pair signed with a private key, to convey the key-value pair encrypted with a public key, and to convey an indication that the encrypted key-value pair is encrypted in a key of the encrypted key-value pair.

Abstract: The present application describes a computer-implemented method for discovering a router on a network. The method includes a step of determining whether to discover the router. Next, a message is sent to the router including context information. Further, a message is received from the router including router specific context information. The application also describes an endpoint device for discovering a router on a network.

Abstract: Securing a server before connecting the server to a data communications network in a data center may include: establishing a proximity-based communications connection with a service processor of a server, where the server is not coupled to a data communications network; and transmitting, via the proximity-based data communications connection, a digital certificate to the service processor of the server, where the digital certificate is configured to enable access to the server only by a system management server.

Abstract: Systems, methods, and non-transitory computer-readable storage media for a non-replayable communication system are disclosed. A first device associated with a first user may have a public identity key and a corresponding private identity. The first device may register the first user with an authenticator by posting the public identity key to the authenticator. The first device may perform a key exchange with a second device associated with a second user, whereby the public identity key and a public session key are transmitted to the second device. During a communication session, the second device may transmit to the first device messages encrypted with the public identity key and/or the public session key. The first device can decrypt the messages with the private identity key and the private session key. The session keys may expire during or upon completion of the communication session.

Abstract: A communication control method according to a first aspect is a method for performing offloading to switch traffic to be transmitted and received between a user terminal and a cellular base station to a wireless LAN system. The communication control method comprises: a step A in which the user terminal transmits a wireless LAN terminal identifier being an identifier of the user terminal in the wireless LAN system, to the cellular base station; and a step B in which the cellular base station, before performing the offloading, transmits the wireless LAN terminal identifier received from the user terminal to an access point of the wireless LAN system. The wireless LAN terminal identifier is used for wireless authentication of the user terminal at the access point.

Abstract: A method and device for identifying 2-dimensional (2-D) barcodes contained within a retrieved webpage are disclosed. The method includes the operations of: launching a browser to retrieve at least one webpage; receiving an instruction input by a user for identifying at least one 2-D barcode contained within the at least one retrieved webpage; determining according to the input instruction, whether the at least one 2-D barcode may be available within the at least one retrieved webpage; if the at least one 2-D barcode may be available within the at least one retrieved webpage, obtaining at least one 2-D barcode image; and identifying the least one 2-D barcode image, and obtaining 2-D barcode information associated with the identified least one 2-D barcode image. The disclosed method and device simplifies operations of 2-D barcodes identification within the retrieved webpage.

Abstract: Methods and apparatus for private network peering in virtual network environments in which peerings between virtual client private networks on a provider network may be established by clients via an API to a peering service. The peering service and API 104 may allow clients to dynamically establish and manage virtual network transit centers on the provider network at which virtual ports may be established and configured, virtual peerings between private networks may be requested and, if accepted, established, and routing information for the peerings may be specified and exchanged. Once a virtual peering between client private networks is established, packets may be exchanged between the respective client private networks via the peering over the network substrate according to the overlay network technology used by the provider network, for example an encapsulation protocol technology.

Abstract: Techniques from the proposed invention relate to providing enhanced security. For example, techniques described herein allow a computer system, such as a mobile device, to support a wide variety of security functions and security sensitive applications on a mobile device by providing enhanced security via secure input and output data transmission and verification through a secure module. The secure module may cause user interfaces to be provided to users by providing obfuscated user interface data to the operating system that do not reveal elements that are part of the user interfaces. The secure module may receive obfuscated user input values representing user input values, and de-obfuscate these user input values, whereby the actual input values are not exposed to the underlying operating system. The secure module may track the flow of user input/output data through the computing device to ensure the integrity and authenticity of this data.

Abstract: An example method for managing data in accordance with aspects of the present disclosure includes receiving from a user in the computer network environment a policy about how a piece of data should be treated, an encryption of the piece of data, a signature of a cryptographic hash of the policy and a cryptographic key, requesting from a trust authority the cryptographic key to access the piece of data, transmitting an encryption of at least one share to the trust authority, wherein the at least one share is created by and received from the trust authority, receiving from the trust authority the cryptographic key, wherein the cryptographic key is recreated by a combiner using a subset of the at least one share, shares associated with the trust authority and shares associated with the combiner, and decrypting the encryption of the piece of data using the recreated cryptographic key.

Abstract: A method of managing secure communications states in an endpoint within a secure network is disclosed. The method includes, in a disconnected state, transmitting from a first endpoint to a second endpoint a first message including an authorization token. The method further includes, in the pending state, receiving from the second endpoint a second message including a second authorization token at the first endpoint. The method includes, based on the receipt of the second message, entering an open state and initializing a tunnel between the first and second endpoints using an IPsec-based secured connection. The method also includes, upon termination of the tunnel due to a termination or timeout message issued by at least one of the first and second endpoints, entering a closed state.

Abstract: Techniques are provided for a method of installment payment transactions associated with a credit card account. An installment service having one or more servers receives a credit card transaction. An installment payment amount for the transaction is calculated. Based on the calculated payment amount, an installment payment offer is presented to a confirmation device.

Abstract: Methods, systems and apparatus for performing client-server authentication using a device authentication and optional user authentication approach. In a device authentication stage, the client is unlocked to provide access to a cryptographic key used for authentication. In a user authentication stage, the user provides a personal data credential used to generate an additional cryptographic key.