Abstract: An identity is communicated by a client device to a server without requiring the identity to be disclosed to eavesdroppers and without requiring the use of symmetric or asymmetric cryptography. In one example, the identity is an identity of the client device, where the identity has been assigned to the client device by the server through the provisioning of a unique subset of client-identifying keys. In another example, the identity is an identity of a group shared secret that has been provisioned by the server to the client device.

Abstract: In one embodiment, a computer-implemented method includes, in response to an attempt by a user to perform a transaction using a computing device, accessing a communication device connected to the computing device. A presence of one or more nearby devices, with respect to the computing device, is detected through use of the communication device connected to the computing device. A mapping of nearby devices to trust levels may be applied to the one or more nearby devices. In the mapping, each group of one or more nearby devices maps to a trust level of two or more trust levels. An assigned trust level for the transaction is determined, by a computer processor, based on applying the mapping of nearby devices to trust levels. The mapping of nearby devices to trust levels is modified based on the one or more nearby devices detected. The modified mapping is used for future transactions.

Abstract: An audio/video content receiver being configured to receive media content from a content source by a broadcast data path, the media content being arranged as a plurality of media channels comprises a host module having a tuner configured to assign logical channel indices to the media channels to allow selection, at the host module, of one or more of the media channels for reproduction by selecting the corresponding logical channel index, the host module storing channel association data associating the logical channel indices with the received media channels; and a removable conditional access module (CAM), the CAM having an access control unit for decoding access-controlled encoded broadcast content, the host module and the removable CAM being arranged to provide an encrypted communication link for decoded access-controlled encoded broadcast content between the CAM and the host module; in which: the host module is configured to acquire channel association data via the broadcast data path; the CAM is configure

Abstract: A federated management identity protocol may be used with various protocols such as, for example, the Generic Bootstrapping Architecture (GBA). For example, OpenID Connect may be integrated with GBA such that the GBA protocol implements the authentication functionality of OpenID Connect. In various example embodiments, functionality of the OpenID Connect protocol and GBA may be implemented locally, such as by a secure module within a user equipment.

Abstract: The confidentiality of JavaScript Object Notation (JSON) message data is secured using an encryption scheme. The encryption scheme implements a JSON encryption syntax, together with a set of processing rules for creating encrypting arbitrary data in JSON messages in a platform/language independent manner. A method for encrypting a data item in a JSON message begins by applying an encryption method and a key to the data item to generate a cipher value. A data object is then constructed that represents an encryption of the data item. The data item in the JSON message is then replaced with the data object, and the resulting modified JSON message is then output from a sending entity. At a receiving entity, information in the data object is used to re-generate the data item, which is then placed back in the original message.

Abstract: Providing analytics information from a cloud service includes maintaining an analytics database that is separate from data and servers accessed by users of the cloud service, selectively pushing information from the cloud service to the analytics database, where data and servers accessed by users of the cloud service are inaccessible for direct access by the analytics database, and allowing users limited access to the analytics database, where users of the analytics information that are accessing the analytics database are restricted from accessing data and servers of the cloud service. The analytics database may include a first database of adapted database records and a second database of dynamic logs of service related events. The adapted database records may be initially formed using the data and servers accessed by users of the cloud service prior to being pushed to the analytics database.

Abstract: Wireless personal area network (Zigbee, Bluetooth, UWB) and wireless identification technologies (Near Field Communication (NFC), Radio Frequency Identification (RFID)) are implemented in particular client server functions and communications. Connected with an Authentication Server, a wireless HUB authenticates user identification and provides the user with access to secure data communication with a wireless terminal such as a cellular phone or a PDA. A Location Server provides user locations via methods such as RSSI, TDOA, and GPS and sends location information to a Center Control Server and the Authentication Server. With location information, the Center Control Server initiates and optimizes secure information processes and coordinates the functions of servers and user terminals.

Abstract: Apparatus and method for data security through the use of an encrypted keystore data structure. In accordance with some embodiments, first and second sets of input data are respectively encrypted using first and second encryption keys to form corresponding first and second encrypted data sets. The first and second encryption keys are combined to form a string. A hidden key stored within a system on chip (SOC) is used to encrypt the string to form an encrypted keystore data structure, and the first and second encrypted data sets and the encrypted keystore data structure are stored in a memory.

Abstract: Disclosed is a method for terminal identity verification and service authentication. After initiating a service request, the terminal generates a user unique code according to user-specific information in an SIM card, and encrypts a name of the user-specific information, and then transmits the encrypted name of the user-specific information together with the user unique code to a credible cloud control center; a service provider generates a unique code according to its own specific information, and transmits an encrypted name of its own specific information together with the generated unique code to the credible cloud control center; and the credible cloud control center authenticates the terminal and the service provider according to their respective unique codes, and when determining that both of them pass the authentication, transmits a communication code to both of them so that they communicate with each other according to the communication code to complete a current service.

Abstract: The technology described herein includes a system and/or a method for global hypothesis tracking. In some examples, a method generates one or more paired segments based on track data representing kinematic data of target objects. Each paired segment includes a list of tracks incompatible with the paired segment, which are tracks sharing common track data, and a likelihood score. The method generates a transition probability between each pair of the paired segments based on the list of tracks incompatible with the paired segment and the likelihood score associated with each paired segment. The method further generates one or more multi-segment tracks based on the one or more paired segments also based on the transition probability between each pair of the paired segments.

Abstract: A method of generating an unpredictable number in a computing device is provided. The method comprises the computing device performing the following programmed steps: obtaining a plurality of data elements; performing a first one way function on an internal value P and the plurality of data elements to update the value P; and performing a second one way function on the value P to obtain the unpredictable number. A computing device adapted to perform this method is also described.

Abstract: A network system includes a master wireless access point (mAP) connected to one or more slave access points (sAPs), the mAP configured to configure the wireless access password of the sAP(s) and including an open user interface wirelessly accessible by a wireless device, a security gateway and a secure user interface wirelessly accessible by the wireless device. The wireless device connects to the mAP via the open user interface and exchanges security credentials to bypass the security gateway to gain access to the secure user interface. The wireless device is connected to the secure user interface, the mAP is configured to: configure an SSID and/or wireless access password for a sAP and to share the SSID and/or wireless access password with the wireless device, whereupon, the wireless device disconnects from the mAP and re-connects to the network via the sAP using the wireless access password configured by the mAP.

Abstract: Disclosed are an apparatus and method of remotely communicating with a managed machine. One example method of operation may include selecting the managed machine operating in a communication network, transmitting a connection request message to the managed machine and establishing a secure connection between the managed machine and an administrator machine. The example method may also include responsive to connecting with the managed machine, executing a host service on the managed machine, and connecting to the host service over the communication network via an application client operating on the administrator machine.

Abstract: Example embodiments relate to a system to prevent manipulation of transmitted video data including an Integrated Receiver Decoder (IRD) receiving audio/video data and a display device. The IRD may include a device to transmit an HDMI compliant audio/video stream toward the display device. The system may further include a device to add an over-encryption layer to the HDMI/HDCP stream before reaching the display device and a device to remove the added encryption layer so as to recover the HDMI/HDCP stream, before processing the HDMI/HDCP stream by the display device.

Abstract: A chassis platform, such as processor or a system-on-chip (SoC), includes logic to implement a debug chassis security system including a policy generator to control access from a test access port. The policy generator may distribute a debug policy to at least one logic block that locally enforces the debug policy. The debug policy may include a delayed authentication policy in which debug assets are distributed and the chassis platform is initially locked to prevent debug access via the test access port. An authenticated debug user may unlock the chassis platform at a later time to enable debugging operations. The debug policy may also include a live execution policy and an immediate debug policy.

Abstract: A device certificate binds an identity of a first device to a public key of the first device. The first device comprises a certificate authority service that creates for a process on the first device a process certificate certifying one or more capabilities of the process on the first device. The process certificate is presented to the second device. Upon validating the process certificate using the device certificate, the second device permits the process on the first device to have on the second device one or more of the verified certified capabilities.

Abstract: Embodiments of systems, apparatuses, and methods to securely download digital rights managed content with a client are described. In some embodiments, a system establishes a secure root of trust for the client. In addition, the system establishes a secure tunnel between an agent of the client and a storage system of the client. Furthermore, the system securely downloads the digital rights managed content to the storage system via the secure tunnel and securely provides the digital rights managed content from the storage system to a display.

Abstract: The present invention relates to a method for performing an iterative calculation of exponentiation of a large datum, the method being implemented in an electronic device (DV1) and comprising calculations of squaring and multiplying large variables performed in parallel, by squaring (SB1) and multiplication (SM1) blocks, the method comprising steps of: while a temporary storage buffer memory is not full of unused squares, triggering a calculation by the squaring block for a bit of the exponent, when the squaring block is inactive, storing each square provided by the squaring block in the buffer memory, if the bit of the corresponding exponent is on 1, and while the buffer memory contains an unused square, triggering a calculation by the multiplication block concerning the unused square, when the multiplication block is inactive.

Abstract: A system for automatically completing fields in online forms, such as login forms and new user registration forms, which employs a Master Cookie File containing sets of records associated with the user, his or her accounts or web sites, and registered values associated with form tags (e.g. username, password, address, email, telephone, etc.). When the user encounters another form, the MCF is automatically searched for matching values and form tags, primarily from the same account or web site, or alternatively from other accounts or sites. A flowing pop-up menu is displayed nearby the form fields from which the user can select values to automatically complete the form. Automatic account information updating, value expiration management, mapping of favorite values, and sharing of values are optional, enhanced functions of the invention.

Abstract: In general, one aspect of the subject matter described in this specification can be embodied in methods that include transmitting a certificate signing request to a certificate authority system, the certificate signing request comprising a public key, a unique identifier for a mobile device, and a unique identifier for a user associated with the mobile device, wherein the public key is associated with a credential management account that is maintained by a credential management system; receiving a digital certificate from the certificate authority system, the digital certificate comprising the public key and the unique identifier for the user; transmitting a request for a credential to a credential issuing organization system, the request for a credential comprising the digital certificate; receiving a token for a credential from the credential issuing organization system; transmitting a request to retrieve the credential to the credential management system, the request to retrieve the credential comprising t

Abstract: A device may be configured to communicate with a mobile device using a short range communication protocol. The device may open a port based on communicating with the mobile device using the short range communication protocol. The device may receive a request from the mobile device via the port. The request may request security information for setting up a secure connection. The device may provide the security information to the mobile device. The device may establish a secure connection with the mobile device based on the security information. The device may provision the mobile device to receive media content from the device based on the secure connection. The device may provide the media content to the mobile device based on provisioning the mobile device.

Abstract: In general, one aspect of the subject matter described in this specification can be embodied in methods that include receiving a registration request from a mobile device to create a credential management account for a user associated with the mobile device; generating a public key and a paired private key associated with the credential management account; transmitting a certificate signing request to a certificate authority system; receiving a digital certificate from the certificate authority system; receiving a request to retrieve a credential for the user from a credential issuing organization; transmitting a request for the credential for the user to the credential issuing organization system; receiving, from the credential issuing organization; transmitting the decrypted data to the credential issuing organization; receiving data for the credential for the user from the credential issuing organization system; and transmitting data encoding a portion of a badge representing the credential.

Abstract: A novel architecture for a data sharing system (DSS) is disclosed and seeks to ensure the privacy and security of users' personal information. In this type of network, a user's personally identifiable information is stored and transmitted in an encrypted form, with few exceptions. The only key with which that encrypted data can be decrypted, and thus viewed, remains in the sole possession of the user and the user's friends/contacts within the system. This arrangement ensures that a user's personally identifiable information cannot be examined by anyone other than the user or his friends/contacts. This arrangement also makes it more difficult for the web site or service hosting the DSS to exploit its users' personally identifiable information. Such a system facilitates the encryption, storage, exchange and decryption of personal, confidential and/or proprietary data.

Abstract: A method of interoperating link layer encrypted (LLE) and non-LLE communications in a radio network include receiving, at a radio controller (RC), a new call request for an LLE call, determining that there are one or more currently active non-LLE calls, and causing a message to be transmitted on each channel carrying one of the one or more currently active non-LLE calls informing mobile stations (MSs) participating in the non-LLE calls that a new LLE call has been or is-to-be granted. MSs participating in one of the non-LLE calls and receiving the message determine from the message or via a call grant obtained via a control channel, whether the new LLE call is of interest, and if so, switching to a channel assigned to the new LLE call and participating in the new LLE call.

Abstract: A security module is provided in a data recording medium, data to be written to the data recording medium is encrypted with an content key different from one data to another, and the content key is safely stored in the security module. Also, the security module makes a mutual authentication using the public-key encryption technology with a drive unit to check that the counterpart is an authorized (licensed) unit, and then gives the content key to the counterpart, thereby preventing data from being leaked to any illegal (unlicensed) unit. Thus, it is possible to prevent copyrighted data such as movie, music, etc. from being copied illegally (against the wish of the copyrighter of the data).

Abstract: Technologies are generally described for a system to establish a secure connection between a wireless device and another device or a recognized service using device network records. According to some examples, the wireless device may send an authentication request to initiate a communication session with another wireless or a recognized service. The authentication request may be encrypted with a first secret, or a hash, synthesized by the device based on the network records associated with the device. The device may be authenticated using the network's copy of the network records. The network may similarly authenticate the identity of the recognized service or other device. The network may synthesize a second secret based on the network records, and may provide the second secret to the recognized service or other device to enable a communication session secured by the second secret.

Abstract: An image forming apparatus capable of providing security for print right-associated image data. An image forming apparatus is capable of communicating with a management server that manages print rights. When printing image data stored in the storage section, a CPU determines whether a print right is associated with the image data. Whenever it is determined that a print right is associated with image data, the CPU makes an inquiry of the management server about print permission of the image data associated with the print right. A printer section prints an image represented by the image data when a response from the management server indicates that the image data associated with the print right is permitted to be printed.

Abstract: A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Abstract: Techniques for proving enterprise mode security for relays are disclosed. For example, enterprise mode security based on IEEE 802.1x is provided for relays or other similar devices to extend the coverage of access point hotspots or other similar access point use cases. According to one aspect, a relay incorporates an authentication client associated with an authentication server. According to another aspect, a four address format is employed for tunneling messages via a relay between a station and an access point. According to another aspect, a cryptographic master key associated with an access point and a station is provided to a relay to enable the relay to be an authenticator for the station.

Abstract: A mobile device may include an authenticator and a processor. The authenticator may store one or more profiles associated with one or more keys to access one or more servers. The processor may embed one of the keys in data to be communicated to one of the servers to request access from the one of the servers. The authenticator may compare the one or more profiles to a set of parameters based upon at least one of a user's identification information, a selected program to request access, identification information of the one of the servers, identification information of an authentication register, to determine whether to select one of the profiles. If the authenticator selects one of the profiles, the authenticator may generate the one of the keys based on the selected one of the profiles.

Abstract: The present invention relates to application-level secure end-to-end communication. Specifically it relates to methods apparatuses and computer program products for creating and distributing a shared secret and to sending or receiving messages between an embedded device and a user device via a cloud server.

Abstract: A system and method for providing authenticated access to an initiating terminal in relation to the services provided by a terminating terminal via a communications network are disclosed. In one aspect, a global server comprises a communications module, which receives and processes a key exchange initiation message from the initiating terminal so as to establish an encrypted communications channel with the terminating terminal. The communications module, responsive to a received key exchange initiation message, performs an encrypted communication establishment process in respect of the received key exchange initiation message. The encrypted communication establishment process comprises authenticating the initiating terminal, and in the event that the initiating terminal is successfully authenticated, transmitting keying data corresponding to the received key exchange initiation message to the terminating terminal. The keying data is identified on the basis of data associated with the initiating terminal.

Abstract: Devices, system, and methods of secure entry and handling of passwords and Personal Identification Numbers (PINs), as well as for secure local storage, secure user authentication, and secure payment via mobile devices and via payment terminals. A computing device includes: a secure storage unit to securely store a confidential data item; a non-secure execution environment to execute program code, the program code to transport to a remote server a message; a secure execution environment (SEE) to securely execute code, the SEE including: a rewriter module to securely obtain the confidential data item from the secure storage, and to securely write the confidential data item into one or more fields in said message prior to its encrypted transport to the remote server.

Abstract: A method for routing calls between a third party telecommunications device (“TD”) and a subscriber TD associated with a primary service and a second line service (“SLS”) involves associating the SLS number of the subscriber, the primary number of the subscriber and the primary number of a third party via a common relationship number. Calls directed from a third party to the SLS number of a subscriber are routed to an SLS platform and redirected to the subscriber TD. Calls directed from the subscriber TD to the third party use the relationship number to route the call to the SLS platform. The combination of the primary service number and the relationship number identifies the third party number for call completion. Calls can be directed to and from an SLS number of a subscriber TD using a combination of protocols such as ISUP, CAP and SIP.

Abstract: Methods and apparatuses for a computerized system are disclosed. A data processing device receives information from at least one source of log information in the computerized system and detects, based at least in part on said received log information, at least one security protocol related event at a first host device, the at least one security protocol related event being initiated by a second host device. Information is then stored for determination of a trust relationship record based on the detected at least one security protocol related event and information of the second host device.

Abstract: An authentication method and apparatus in a communication system are provided. In a method for authenticating a first node at a second authentication server in a communication system comprising the first node registered to a first authentication server and a second node registered to the second authentication server, an authentication request message requesting authentication of the first node is received from the second node, the authentication request message is transmitted to the first authentication server, and upon receipt of an authentication success message indicating successful authentication of the first node from the first authentication server, the authentication success message is transmitted to the second node.

Abstract: A mobile device enables its user to retroactively “check in,” on social media, to locations to which the device has previously been. The mobile device automatically tracks the locations to which it goes during some time interval. As the mobile device goes to each location, the mobile device stores data that specifies that location. Following the time interval, and potentially in response to a request by the device's user to view the locations previously visited, the mobile device presents a list of at least some of the locations on its display. The device's user can select one or more of the presented locations. The selection of a location causes the mobile device to post, to an Internet-based social media service, information pertaining to the selected location. For example, such information can indicate that the device's user had been at the selected location.

Abstract: In an example embodiment, a demand signal management system is configured to coordinate data harmonization among a plurality of entities. The demand signal management system may obtain unharmonized data through third party entities. Global records based on internal master records and taxonomy information may be distributed to the entities. In some embodiments certain entities may have authority to create new global records. In other embodiments, some entities may have authority to approve proposed new global records. In still other embodiments, some entities may not have authority to create new global records. Unharmonzied data sent to the entities for harmonization in accordance with the global records. The entities may accept or reject the harmonization request. If accepted, the entity may return an updated global record, a proposed new global record, and/or a new global record depending on the unharmonized data, the global records and the entities' authority.

Abstract: A wireless communication apparatus includes an optical wireless receiving unit receiving a pseudo random number; an authentication code generator generating an authentication code based on the pseudo random number received by the optical wireless receiving unit; and a wireless communication unit determining whether authentication using the authentication code with a given wireless communication apparatus is successful, and performing wireless communications with the given wireless communication apparatus when determining that the authentication using the authentication code with a given wireless communication apparatus is successful.

Abstract: Techniques for the secure generation of a set of encryption keys to be used for communication between a wireless terminal and an assisting base station in a dual-connectivity scenario. An example method includes generating (810) an assisting security key for the assisting base station, based on an anchor base station key. The generated assisting security key is sent (820) to the assisting base station, for use by the assisting base station in encrypting data traffic sent to the wireless terminal or in generating one or more additional assisting security keys for encrypting data traffic sent to the wireless terminal while the wireless terminal is dually connected to the anchor base station and the assisting base station. The anchor base station key, or a key derived from the anchor base station key, is used (830) for encrypting data sent to the wireless terminal by the anchor base station.

Abstract: A method of supervising device-to-device communication may include determining that a first wireless device and a second wireless device are configured to communicate with each other through device-to-device communication as a device-to-device pair. The method may further include assigning a pair identifier to the device-to-device pair. The pair identifier may be configured to allow the device-to-device pair to communicate with each other and an access point of a wireless communication network while protecting from eavesdropping. Further, the method may include directing the first wireless device and the second wireless device to use the pair identifier while participating in the device-to-device communication.

Abstract: A password-encrypted key (PEK) is generated from a user-supplied password or other identifying data and then used to encrypt the user's password. The encrypted password is stored in a user record on a server. At login a would-be user's password is again used to make a key, which is then used to decrypt and compare the stored encrypted password with the would-be user's password to complete the login. The successful PEK is stored in a temporary session record and can be used to decrypt other sensitive user information previously encrypted and stored in the user record as well as to encrypt new information for storage in the user record. A public/private key system can also be used to maintain limited access for the host to certain information in the user record.

Abstract: Methods and systems are provided for detecting dead tunnels associated with a VPN. An indicator of a tunnel capability, for example, a DPD vendor ID, is received from a peer through a VPN connection. The tunnel capability is associated with one or more phase II tunnels associated with the VPN. Traffic generated by the peer is detected, and if traffic is detected at a tunnel, the tunnel is presumed to be alive. When no traffic is detected in a tunnel, a DPD packet exchange with the tunnel is initiated. A determination is made, based on the packet exchange, whether the tunnel is alive.

Abstract: Devices, methods and instructions encoded on computer readable medium are provided herein for creation of an overlay network on a non-multicast or source specific multicast (SSM) core. In one example, virtual private network (VPN) adjacencies are established between an adjacency server and one or more edge devices each located at different network sites. A unicast replication list is then generated at the adjacency server. The unicast replication list includes the Internet Protocol addresses for each of the edge devices having VPN adjacencies with the adjacency server. The unicast replication list is then advertised to each of the edge devices for use in establishing VPN adjacencies with one another.

Abstract: A real-time frame authentication protocol is presented for in-vehicle networks. A frame identifier is made anonymous to unauthorized entities but identifiable by the authorized entities. Anonymous identifiers are generated on a per-frame basis and embedded into each data frame transmitted by a sending ECU. Receiving ECUs use the anonymous identifiers to filter incoming data frames before verifying data integrity. Invalid data frame are filtered without requiring any additional run-time computations.

Abstract: In one embodiment, a device in a frequency hopping communication network transmits responsive beacon messages based on adaptive types of responsive beacon message transmission based on a number of received beacon requests within a given time period: the number below a threshold results in synchronized unicast messages; the number above the threshold results in unsynchronized broadcast messages. In another embodiment, the device suppresses unsolicited beacon message transmission based on a density-aware redundancy count of other unsolicited beacon message transmissions from neighboring devices. In another embodiment, the device may transmit unsolicited beacon messages according to an adaptive interval based on stability of the network.

Abstract: A method, computer-readable storage device and apparatus for establishing an ad hoc communication with an unknown contact are disclosed. For example, the method receives an authentication token from a recipient endpoint device for authentication of an unsolicited message from a sender endpoint device, wherein the recipient endpoint device is an unknown contact to the sender endpoint device and the unsolicited message is sent over an open communications protocol, authenticates the authentication token, and sends a confirmation that the authentication token is authenticated to the recipient endpoint device to allow the recipient endpoint device to establish a connection to the sender endpoint device to begin the ad hoc communication.

Abstract: Aspects of the disclosure relate generally to reducing latency for consensus in geographically distributed disaster-safe persistent data-store systems. These distributed systems may include registry system having redundant storage for maintaining the system status. Each registry system may include a server and a storage component. Consensus may be achieved by querying all of other servers of the registry system. In one example, the consensus data may be sharded into independent small groups. This may allow for multiple consensus transactions to be generated and run in parallel, which, in turn may reduce the latency. In addition, or alternatively, requests to a server to write or otherwise change the data-store may be batched at the server side. Thus, for the consensus, the server need only communicate with the other servers only once per batch. This may also reduce the latency of the distributed system.

Abstract: A computing device can obtain a session key for encrypting data that is communicated between a client device and the computing device. The computing device can receive, from the client device, an encrypted request for data. The encrypted request can be encrypted by the client device using the session key. The data requested can be stored on a second computing device. The computing device can send, to the second computing device, a copy of the session key and the encrypted request for data. The second computing device can decrypt the data using the session key and can also encrypt data responsive to the request using the session key.

Abstract: Techniques are provided to authenticate components in a system. Users may enter credentials into an input device and the credentials may be authenticated and/or securely transmitted to the components. The components may then provide the credentials to a server in the system. Strong authentication may thus be provided to the effect that credentials associated with specific users have been received from specific components in the system. The server may then enable the components to access selected services.