Having Key Exchange Patents (Class 713/171)
  • Patent number: 11044085
    Abstract: The present disclosure provides a system in which a migration operation which is different from a normal registration operation performed on a system is started in one of a terminal before replacement and a terminal after the replacement so that a registration operation performed on the terminal after the replacement is easily completed only by causing a user to consecutively perform an authentication operation on both of the terminals.
    Type: Grant
    Filed: May 15, 2018
    Date of Patent: June 22, 2021
    Inventor: Hirotaka Funayama
  • Patent number: 11042488
    Abstract: A symmetric key that is stored at a device may be received. A public key from a remote entity may also be received at the device. Furthermore, a derived key may be generated based on a one way function between the symmetric key that is stored at the device and the public key that is received from the remote entity. The derived key may be encrypted with the public key and transmitted to the remote entity. The encryption of the derived key with the public key may provide secure transmission of the derived key to an authorized remote entity with a private key that may be used to decrypt the encrypted derived key.
    Type: Grant
    Filed: May 27, 2016
    Date of Patent: June 22, 2021
    Assignee: Cryptography Research, Inc.
    Inventor: Ambuj Kumar
  • Patent number: 11038870
    Abstract: An input is received from a client device and is indicative of a desire to add a device for secure operations. Artifacts are generated and a quick response (QR) code is generated that represents the artifacts. The QR code is transmitted to the client device where it can be read by the device to be added, so the artifacts can be used in performing the secure operations.
    Type: Grant
    Filed: March 9, 2017
    Date of Patent: June 15, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Liqiang Zhu, Joel T. Hendrickson, Chang Chuen Kawaguchi
  • Patent number: 11036554
    Abstract: A first request to reserve a quantity of resources that comply with a constraint specified in the first request is obtained. A set of available resources that fulfills the constraint is determined based on current capacity usage. A token is associated with the set of available resources, with the token being associated with an expiration. The quantity of resources from the set of available resources is reserved, where the quantity allocated is unavailable, until the expiration, to fulfill resource requests that lack the token. The token is provided in response to the first request.
    Type: Grant
    Filed: March 26, 2019
    Date of Patent: June 15, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Leslie Andrew Prock, Diwakar Gupta, Jeremy Truelove, Zachary Christopher Mouri
  • Patent number: 11038922
    Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.
    Type: Grant
    Filed: November 4, 2019
    Date of Patent: June 15, 2021
    Assignee: Fastly, Inc.
    Inventors: Sean Leach, Artur Bergman
  • Patent number: 11032251
    Abstract: A computer system trains an Artificial Intelligence (AI) model to generate a key generated as a same key based on multiple different feature vectors, which are based on specified target environment attributes of a target environment domain. The computer system uses the key to encrypt concealed information as an encrypted payload and distributes the encrypted payload and the trained AI model to another computer system. The other computer system extracts environment attributes based on an environment domain accessible by the other computer system and decodes a candidate key by using the trained AI model that uses the extracted environment attributes of the environment domain as input. The trained AI model is trained to generate a key that is generated as a same key from multiple different feature vectors corresponding to specified target environment attributes of a target environment domain. The other computer system determines whether the candidate key is correct.
    Type: Grant
    Filed: June 29, 2018
    Date of Patent: June 8, 2021
    Assignee: International Business Machines Corporation
    Inventors: Dhilung Hang Kirat, Jiyong Jang, Marc Philippe Stoecklin
  • Patent number: 11032069
    Abstract: The present disclosure relates to a method and system for securely transferring master keying material between to a slave dongle (12). Each slave dongle (12) is connected to a data transfer system. The slave dongle (12) contains a public key and a private key and the data transfer system holds a master keying material source that contains master keying material to be transferred securely to the slave dongle (12). The slave dongle's public key is transferred to the master keying material source. The master keying material source encrypts the master keying material with the slave dongle's public key to produce an encrypted master keying material. The encrypted master keying material is sent to the slave dongle (12) and the slave dongle (12) decrypts the encrypted master keying material with the slave dongle's private key. This allows multiple users, each having a slave dongle (12a-n) that has been configured in this manner, to use the same master keying material to securely communicate with one another.
    Type: Grant
    Filed: November 6, 2019
    Date of Patent: June 8, 2021
    Assignee: iStorage Limited
    Inventor: John Michael
  • Patent number: 11030697
    Abstract: A method of implementing a secure exchange portal system for independent medical review, and classification tools and case-level physician review tools for use in such reviews, are disclosed.
    Type: Grant
    Filed: February 10, 2017
    Date of Patent: June 8, 2021
    Assignee: Maximus, Inc.
    Inventors: Mark E. Erard, Raja Balasubramanian, Viraf Bankwalla, Michael C. Monette, Mohammad A. Sabri, Bruce W. Saunders, Thomas Stockton, Ryan Vaniderstine
  • Patent number: 11025640
    Abstract: A method alters a computer resource in response to the computer resource moving from a first geolocation to a second geolocation. One or more processors receive a message indicating that a computer resource has moved from a first geolocation to a new geolocation. In response to receiving the message that the computer resource has moved from the first geolocation to the new geolocation, the processor(s) encrypt data that is stored on the computer resource, and apply decryption information to the encrypted data from the new geolocation, where the decryption information is specifically for decrypting encrypted data at the new geolocation. In response to the decryption information failing to decrypt the encrypted data at the new geolocation, the processor(s) and/or a user alter the computer resource.
    Type: Grant
    Filed: October 29, 2019
    Date of Patent: June 1, 2021
    Assignee: International Business Machines Corporation
    Inventors: Ashish Kundu, Dimitrios Pendarakis, David R. Safford
  • Patent number: 11025421
    Abstract: Various embodiments relate to a key protocol exchange that provides a simple but still secure key exchange protocol. Security of key exchange protocols has many aspects; providing and proving all these properties gets harder with more complex protocols. These security properties may include: perfect forward secrecy; forward deniability; key compromise impersonation resistance; security against unknown key share attack; explicit or implicit authentication; key confirmation; protocol is (session-)key independent; key separation (different keys for encryption and MACing); extendable, e.g., against DOS attacks; support of early messages; small communication footprint; and support for public-key and/or password authentication.
    Type: Grant
    Filed: April 26, 2019
    Date of Patent: June 1, 2021
    Assignee: NXP B.V.
    Inventor: Bjorn Fay
  • Patent number: 11006277
    Abstract: A method and apparatus that ensures that an aircraft system network controls access by multiple users (403a, 403b, 403c) of electronic devices (402a, 402b, 402c) equipped with a related hardware device (404a, 404b, 404c), by a combination of authentication, integrity, and encryption, using hardware security such as HSE/HSM or equivalent to establish the credentials for each component that is allowed on the network.
    Type: Grant
    Filed: March 9, 2017
    Date of Patent: May 11, 2021
    Assignee: THOMPSON AEROSPACE, INC.
    Inventors: Mark Steven Thompson, Trevor Coolidge, Curtis Michael Rihn, Lars Elof Rosenblad
  • Patent number: 11005857
    Abstract: Systems and methods for security of industrial data streams are provided herein. Methods according to various embodiments include provisioning a fogNode that is communicatively coupled with a fog cloud manager through a forwarder of the fogNode and providing a fogLet within the fogNode, the fogLet communicating with a plurality of operational technology devices. Embodiments include providing fogLet identification information using hardware root of trust of the fogNode, the hardware root of trust of the fogNode being a Trusted Platform Module (TPM) of the fogNode. Embodiments further comprise communicating operational device authentication information with fogLet identification information to a third party tenant application, the third party tenant application validating industrial data streams from the operational technology devices by communicating the operational device authentication information with the fogLet identification information to a third party cloud application.
    Type: Grant
    Filed: October 24, 2018
    Date of Patent: May 11, 2021
    Assignee: NEBBIOLO TECHNOLOGIES, INC.
    Inventors: Ruchir Tewari, Thushar Gowda, Pankaj Bhagra, Thiru Narayanan, Palani Chinnakannan
  • Patent number: 11002180
    Abstract: The disclosure provides a method and an apparatus for acquiring an electronic file. The method for acquiring an electronic file comprises: sending a first request message for acquiring an electronic file to a platform server, wherein the first request message carries a first identifier of an information providing server providing the electronic file; receiving first prompt information returned from the platform server according to the first request message; determining first verification information for identity authentication according to the first prompt information, and sending the first verification information to the platform server; and receiving the electronic file forwarded by the platform server, wherein the electronic file is from the information providing server, and private information in the electronic file is encrypted through a first encryption key of the information providing server.
    Type: Grant
    Filed: June 8, 2016
    Date of Patent: May 11, 2021
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventors: Kepeng Li, Kai Li
  • Patent number: 11006346
    Abstract: An X2 service transmission method and a network device are disclosed. The method includes if a first IPsec tunnel is unavailable, detecting, by a first base station, whether a second IPsec tunnel between the first base station and a security gateway is available, where the first IPsec tunnel is an IPsec tunnel established between the first base station and a second base station, and the first base station can transmit X2 service data with the second base station through the second IPsec tunnel; and transmitting the X2 service data through the second IPsec tunnel if the second IPsec tunnel is available.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: May 11, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Wan Xue, Changcong Dong, Jianfeng Chen
  • Patent number: 11005812
    Abstract: In an embodiment, a computer implemented method comprises accessing, from a first data repository, identity information associated with one or more protected computing devices; creating mapped identity information by encrypting and mapping the identity information according to a different identity data format that is compatible with the one or more protected computing devices; updating stored blockchain data using the mapped identity information; storing the mapped identity information from the blockchain data in a second data repository; generating decrypted identity information from the mapped identity information stored in the second data repository; and performing one or more authentication services for a client device on behalf of the one or more protected computing devices by using the mapped identity information in the second data repository; wherein the method is performed by one or more computing devices.
    Type: Grant
    Filed: August 15, 2019
    Date of Patent: May 11, 2021
    Assignee: XAGE SECURITY, INC.
    Inventors: Susanto Junaidi Irwan, Kamesh Raghavendra
  • Patent number: 11005665
    Abstract: A method includes: a supervisor writes a digital certificate and a corresponding first public key into an intelligent contract of a blockchain corresponding to an asset type to be supervised, so that all institutions with asset accounts under the asset type can obtain the first public key of the supervisor through the digital certificate, so as to generate an additive homomorphic key for homomorphic encryption of the balance of an asset account; when checking the balance of a new account of a transactor, the supervisor obtains a public key in a public-private key pair corresponding to the new account, generates an additive homomorphic key based on a supervision private key corresponding to the supervisor and a predetermined key exchange protocol and the public key in the public-private key pair according to the key exchange protocol, and decrypts the encrypted balance of the new account, using the generated additive homomorphic key.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: May 11, 2021
    Assignee: One Connect Smart Technology Co., Ltd. (Shenzhen)
    Inventors: Frank Yifan Chen Lu, Pengfei Huan, Yu Zhang, Yuxiang Huang
  • Patent number: 11005651
    Abstract: A method, terminal and device for establishing security infrastructure, comprising: an intermediate service organization receives an organization secret key sent by a third-party service organization; the intermediate service organization encrypts the organization secret key by a first encryption means and sends the encrypted organization secret key to a security storage region of a terminal; the intermediate service organization receives a first terminal public key encrypted by the terminal using a second encryption means; and the intermediate service organization sends the first terminal public key obtained by decryption to the third-party service organization.
    Type: Grant
    Filed: January 25, 2019
    Date of Patent: May 11, 2021
    Assignee: CHINA UNIONPAY CO., LTD.
    Inventors: Feng Tian, Yisheng Fu, Naigeng Ji
  • Patent number: 10999260
    Abstract: In a general aspect, secure messaging between electronic modules is described. In an example, a method includes: generating, by a first electronic module, a private key and a public key associated with the private key; communicating, by the first electronic module, an unencrypted message, including the public key, to a first network-connected device using a first module-to-device communication link; receiving, from the first network-connected device, an encrypted message including a symmetric encryption key generated by a second electronic module; decrypting, by the first electronic module, the encrypted message using the private key, wherein decrypting using the private key makes the symmetric encryption key available to the first electronic module; and establishing, by the first electronic module, a secure messaging channel with the second electronic module based on at least the symmetric encryption key.
    Type: Grant
    Filed: July 21, 2020
    Date of Patent: May 4, 2021
    Assignee: iCoin Technology, Inc.
    Inventors: Chester Silvestri, Adam Silvestri
  • Patent number: 10997622
    Abstract: Technologies are described for generating and validating encrypted coupons. For example, an encrypted coupon can be received. The encrypted coupon can be decrypted using a public key. The decrypted coupon can be decoded (e.g., using a pre-defined data format) to extract coupon data comprising a unique coupon identifier and a unique user identifier. The decrypted coupon can be validated based at least in part upon the unique coupon identifier and the unique user identifier. The process of receiving the encrypted coupon, decrypting the encrypted coupon, decoding the decrypted coupon, and validating the decrypted coupon can be performed offline (e.g., without access to external networks or the internet) and without accessing information indicating associations between unique coupon identifiers and unique user identifiers.
    Type: Grant
    Filed: September 7, 2018
    Date of Patent: May 4, 2021
    Assignee: SAP SE
    Inventor: Alain Awad
  • Patent number: 10984413
    Abstract: A computer implemented method for processing a financial transaction includes the steps of transmitting one or more documents pertaining to the financial transaction, from a first intermediary server to a first document store, generating an enriched data record from the one or more documents, at the first intermediary server, and adding the enriched data record into a blockchain, from the first intermediary server, requesting generation of a token corresponding to the financial transaction, to a token server, from the first intermediary server, via a messaging bus, generating the token at the token server and adding the token into the blockchain from the token server, transmitting the token to the first intermediary server from the token server, via the messaging bus, and transmitting the token from the first intermediary server to the first document store.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: April 20, 2021
    Assignee: IDENTITII PTY LTD
    Inventors: Nick Armstrong, Ben Buckingham, Daniel Friedman, Elliot Shepherd, Eric Knight
  • Patent number: 10979227
    Abstract: A method for login, including making a login request to an entity through a federation server that generates a session identifier. A QR code is sent to the federation server to receive the session identifier. A secure envelope including user personal information is sent to the federation server to verify user registration with the federation server. A login token generated by the federation server is received and is associated with a smart contract generated by the federation server and stored on a blockchain. The login token is signed using user private key and sent to the blockchain for inclusion in the smart contract. A transaction identifier is received from the blockchain, and is sent to the federation server that generates a session record based on the login token. The federation server sends user verification to the entity to authorize a communication session between the user device and the entity.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: April 13, 2021
    Assignee: Ping Identity Corporation
    Inventor: Armin Ebrahimi
  • Patent number: 10972286
    Abstract: The invention relates to a method (50) for authenticating a user to a computer system (70), the method comprising the following steps executed in a token (10): generating (52) a counter value (20, 22) by utilizing a counting unit (12) implemented in the token (10), wherein at least a portion of generated counter values (20, 22) forms a strictly monotonous sequence, generating (54) a message (30) depending on the generated counter value (20, 22), signing (56) the generated message (30) by utilizing a private key (24) of the user, wherein the private key (24) is stored in the token (10), and wherein the private key (24) or a copy thereof is not provided to the computer system (70), and transmitting (58) the signed message to the computer system (70). The invention further relates to a token (10) for authenticating a user to a computer system (70) and to a method (60) executed on a computer system (70) for authenticating a user.
    Type: Grant
    Filed: July 18, 2017
    Date of Patent: April 6, 2021
    Assignee: BITAGENTUR GMBH & CO. KG
    Inventors: Maximilian Eidenschink, Marcel Senf
  • Patent number: 10965710
    Abstract: A method and apparatus to protect the coded signals sent over physical twisted-pair wiring or between two (2) or more LANs connected by a Wide Area Network (WAN), from unauthorized electronic circuit/wiring monitoring. This is accomplished by varying the assignments of the standard Registered Jack communication pins, varying the transmission speed, inserting meaningless or unrelated data, encrypting data before it is sent or changing network protocol(s) on behalf of the communications adapter/controller of each computer to which it is attached on those LANs.
    Type: Grant
    Filed: January 17, 2018
    Date of Patent: March 30, 2021
    Assignee: Cipherloc, Inc
    Inventors: Albert Henry Carlson, Robert LeBlanc, Carlos Gonzales, Robert Carlson
  • Patent number: 10966094
    Abstract: Methods, apparatus, and system to verify the source of a suspect message, so that it is no longer suspect.
    Type: Grant
    Filed: June 16, 2020
    Date of Patent: March 30, 2021
    Assignee: Prompt.io Inc.
    Inventors: Philip S. Gordon, Scott Fortin, Ryan Thomas
  • Patent number: 10959090
    Abstract: The search engine optimizer transforms input information interactively and works independently and in parallel with a browser and search engine supercomputer. The optimizer reorganizes the input, and provides an optimized version as an output. The output (Optimized, reorganized input) is sent to the search engine, which responds to the end user with search results. The optimizer recognizes each request as a pattern and stores the pattern in an advanced Glyph format. This permits the optimizer to use left brain English language and right brain geospatial key featured association equation to gain factor the best results, and then using deductive reasoning feedback equation attenuate content with confounding variables in order to stabilize and reduces sensitivity parameter variations due to the environment and identify a left and right side human brain checkmate combination required to achieve certitude.
    Type: Grant
    Filed: August 24, 2016
    Date of Patent: March 23, 2021
    Inventor: Richard Paiz
  • Patent number: 10958431
    Abstract: Disclosed are some implementations of systems, apparatus, methods and computer program products for facilitating the authentication of computing system requests across tenants of at least one multi-tenant database system. Authentication is facilitated using a central registry that is accessible by and independent from the tenants of the multi-tenant database system.
    Type: Grant
    Filed: May 30, 2018
    Date of Patent: March 23, 2021
    Assignee: salesforce.com, inc.
    Inventors: Matthew Bahrenburg, Alan Vangpat, Anupam Jain, William Charles Mortimore, Jr., Srinath Krishna Ananthakrishnan, Peter S. Wisnovsky
  • Patent number: 10956585
    Abstract: A system for processing data within a Trusted Execution Environment (TEE) of a processor is provided. The system may include: a trust manager unit for verifying identity of a partner and issuing a communication key to the partner upon said verification of identity; at least one interface for receiving encrypted data from the partner encrypted using the communication key; a secure database within the TEE for storing the encrypted data with a storage key and for preventing unauthorized access of the encrypted data within the TEE; and a recommendation engine for decrypting and analyzing the encrypted data to generate recommendations based on the decrypted data.
    Type: Grant
    Filed: May 28, 2019
    Date of Patent: March 23, 2021
    Assignee: ROYAL BANK OF CANADA
    Inventors: Edison U. Ortiz, Arya Pourtabatabaie, Ambica Pawan Khandavilli, Margaret Inez Salter, Jordan Alexander Richards, Iustina-Miruna Vintila
  • Patent number: 10949547
    Abstract: A fork support is provided for duplicating an application running inside an enclave entity. In this regard, a request to duplicate an application running inside a first enclave may be received by one or more processors of a host computing device of the first enclave. A snapshot of the first enclave including the application may be generated. The snapshot may be encrypted with a snapshot key and copied to untrusted memory of the host. A second enclave may be generated. The snapshot key may be sent from the first enclave to the second enclave through a secure communication channel. The encrypted snapshot may be copied from the untrusted memory of the host into the second enclave. The encrypted snapshot may be decrypted inside the second enclave with the snapshot key.
    Type: Grant
    Filed: October 5, 2018
    Date of Patent: March 16, 2021
    Assignee: Google LLC
    Inventors: Keith Moyer, Uday Savagaonkar, Chong Cai, Matthew Gingell, Anna Sapek
  • Patent number: 10952070
    Abstract: A method for communication in a hearing system comprising the server device and a hearing device system, the hearing device system comprising a hearing device and a user accessory device with a user application installed thereon, the method includes: obtaining hearing device data for the hearing device; securing the hearing device data using a first security scheme to obtain a first output; securing the first output using a second security scheme to obtain a second output, wherein the second security scheme is different from the first security scheme; and transmitting the second output to the user accessory device.
    Type: Grant
    Filed: November 14, 2017
    Date of Patent: March 16, 2021
    Assignee: GN Hearing A/S
    Inventor: Allan Munk Vendelbo
  • Patent number: 10951419
    Abstract: Techniques are disclosed relating to the secure communication of devices. In one embodiment, a first device is configured to perform a pairing operation with a second device to establish a secure communication link between the first device and the second device. The pairing operation includes receiving firmware from the second device to be executed by the first device during communication over the secure communication link, and in response to a successful verification of the firmware, establishing a shared encryption key to be used by the first and second devices during the communication. In some embodiments, the pairing operation includes receiving a digital signature created from a hash value of the firmware and a public key of the second device, and verifying the firmware by extracting the hash value from the digital signature and comparing the extracted hash value with a hash value of the received firmware.
    Type: Grant
    Filed: August 9, 2019
    Date of Patent: March 16, 2021
    Assignee: Apple Inc.
    Inventors: Tristan F. Schaap, Conrad Sauerwald, Craig Marciniak, Jerrold V. Hauck, Zachary F. Papilion, Jeffrey Lee
  • Patent number: 10938580
    Abstract: One or more hardware identity circuits (which may be reconfigurable) may be employed in a device or system in order to impose a tampering penalty, preferably without relying on battery-backed volatile memory to do so. The device or system may also include a cryptographic division and distribution (‘sharing’) of a secret internal to the device or system.
    Type: Grant
    Filed: June 6, 2017
    Date of Patent: March 2, 2021
    Assignee: Analog Devices, Inc.
    Inventors: Douglas J. Gardner, John Ross Wallrabenstein
  • Patent number: 10938955
    Abstract: A method assigns a bootstrap server for wireless devices in a machine-to-machine environment. The method includes receiving, by a network device in a wireless access network and from a wireless device, a first request for a bootstrap server identifier. The method also includes providing, to the wireless device, a response including an address for a carrier-specific bootstrap server device. The method also includes receiving, by the carrier-specific bootstrap server device, a request for management server connection information. The request is submitted by the wireless device using the bootstrap server identifier. The method further includes assigning, by the carrier-specific bootstrap server device, the wireless device to a management server of a group of management servers and sending connection information for the management server to the wireless device.
    Type: Grant
    Filed: July 3, 2019
    Date of Patent: March 2, 2021
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: James Mathison, Stephen J. Kolanowski
  • Patent number: 10932134
    Abstract: System and methods are disclosed that enable data sharing across networks, including peer-to-peer sharing of content over wireless networks using peer mobile devices. A database may store content associated with a first peer mobile device. A request from a requester peer mobile device for content associated with a user of the first peer mobile device may be received at a server. The encrypted request is transmitted by the server to the first peer mobile device which may decrypt the request. An authorization token may be transmitted by the first peer mobile device to the server which may then enable the requesting peer mobile device to access the requested content, which may be accessed from the first peer mobile device and/or a cloud storage system.
    Type: Grant
    Filed: October 5, 2020
    Date of Patent: February 23, 2021
    Assignee: Generation Finance Technology, Inc.
    Inventor: Rhonda G. Ozanian
  • Patent number: 10931439
    Abstract: A data storage method comprises sending, by a blockchain node associated with a blockchain, data to an encryption device to cause the encryption device to encrypt the data and return the encrypted data to the blockchain node; receiving the encrypted data returned by the encryption device; and sending the encrypted data to other blockchain nodes associated with the blockchain to cause each of the other blockchain nodes to store the encrypted data in the blockchain after performing consensus verification on the encrypted data with success.
    Type: Grant
    Filed: January 15, 2020
    Date of Patent: February 23, 2021
    Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
    Inventor: Hao Wu
  • Patent number: 10931791
    Abstract: Embodiments of the present disclosure disclose a method and apparatus for processing a request. A specific embodiment of the method includes: receiving a request; determining a type of the request or an object name indicated by the request; acquiring, after determining that a current time is after a validity deadline of locally stored first request control information, the number of control servers in a preset control server set; determining, from the control server set, a target control server based on the acquired number and any one of: the type of the request, the object name indicated by the request; and forwarding the request to the target control server.
    Type: Grant
    Filed: September 9, 2019
    Date of Patent: February 23, 2021
    Assignee: Beijing Baidu Netcom Science and Technology Co., Ltd.
    Inventors: Tao Xi, Liguo Duan
  • Patent number: 10931760
    Abstract: A method includes transmitting a message to a first end point that includes an instruction to initiate a communication type in which the communication type includes sharing a randomization token between the first and a second end point. The method further includes obtaining a first communication report from the first end point and a second communication report from the second end point in response to initialization of a communication based on the communication type in which the first and second communication reports respectively include a first and second hash that corresponds to a function of the randomization token and identity information. The method further includes determining whether the first hash matches the second hash and generating a value that correlates the first and second end points with the communication across the network in response to determining that the first hash matches the second hash.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: February 23, 2021
    Assignee: Cisco Technology, Inc.
    Inventors: Mark Grayson, Jerome Henry
  • Patent number: 10911435
    Abstract: Authenticating devices utilizing the Transport Layer Security (TLS) protocol to facilitate exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information. The authentication may utilize Digital Transmission Content Protection (DTCP) certificates, Diffie-Hellman (DH) parameters or other information available to the authenticating devices, optionally without requiring the device requesting authentication to obtain an X.509 certificate.
    Type: Grant
    Filed: April 2, 2018
    Date of Patent: February 2, 2021
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Darshak Thakore, Stuart Hoggan, Dave Belt, Amol Bhagwat
  • Patent number: 10909525
    Abstract: In one embodiment, a method includes receiving, from a computing device of a first user, a request to transfer funds from a first account associated with the first user to a second account associated with a second user. The request to transfer funds may be generated by receiving a first token at the computing device of the first user through near-field communication with a first payment card and determining that the first token is associated with the second user. The method includes sending, in response to receiving the request to transfer funds, to the computing device of the first user, a request to authorize the transfer to the second account associated with the second user. The method includes receiving, from the device of the first user, an indication of authorization, wherein the indication of authorization is generated by receiving a second token at the device of the first user.
    Type: Grant
    Filed: November 27, 2019
    Date of Patent: February 2, 2021
    Assignee: Square, Inc.
    Inventors: Ashutosh Sham Dhodapkar, Dino Dai Zovi
  • Patent number: 10911581
    Abstract: A packet parsing method includes a source device receiving a first ciphertext from a control device, where the first ciphertext is used to verify reliability of a packet from a parsing device, and the parsing device is a trusted device selected on a path between the source device and a destination device. The source device obtains a second packet including the first ciphertext according to the first ciphertext and a first packet, and sends the second packet to the destination device. The parsing device obtains, according to the second packet and a device identifier of the parsing device, a third packet including verification information and the first ciphertext. The destination device receives the third packet from the parsing device, and verifies reliability of the third packet using the verification information and the first ciphertext included in the third packet.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: February 2, 2021
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventor: Shucheng Liu
  • Patent number: 10911431
    Abstract: The present disclosure describes techniques that allow for a client-side application, located on a first client device, to generate a random encryption key and encrypt locally-stored application data with the random encryption key. In order to ensure that the client-device application is unable to decrypt the locally-stored encrypted application data prior to authenticating with an external authentication source (i.e., SSO, IdP), the client-side application divides the random encryption key into at least a first share and a second share according to a secret sharing algorithm. The first share is transmitted to a trusted third party, while the second share is encrypted locally and stored in a secure location on the client device. Upon successful authentication, the trusted third party returns the second share to the first client device. The client-side application derives the random encryption key and decrypts the locally-stored encrypted application data to be used by the client-side application.
    Type: Grant
    Filed: August 21, 2018
    Date of Patent: February 2, 2021
    Assignee: Wickr Inc.
    Inventors: Thomas Michael Leavy, Joël Alwen, Christopher Howell
  • Patent number: 10911438
    Abstract: Techniques are provided for secure detection and management of compromised credentials. A first candidate credential is received, comprising a first username and a first password, wherein the first candidate credential was sent in a first request from a first client computer to log in to a first server computer. A first salt associated with the first username in a salt database is obtained. A first hashed credential is generated based on the first password and the first salt. The first hashed credential is transmitted to a set model server computer, wherein the set model server computer is configured to maintain a set model that represents a set of spilled credentials, determine whether the first hashed credential is represented in the set model, and in response to determining that the first hashed credential is represented in the set model, perform additional processing on the first hashed credential.
    Type: Grant
    Filed: July 2, 2018
    Date of Patent: February 2, 2021
    Assignee: Shape Security, Inc.
    Inventors: Zhipu Jin, Gautam Agrawal, Daniel G. Moen, Weiguo Liang, Xingang Wang
  • Patent number: 10903990
    Abstract: A responder device receives, from an initiator device, a request to initiate a cryptographic tunnel between the initiator device and the responder device. The responder device does not include a static private key to be used in an asymmetric cryptography algorithm when establishing the tunnel. The responder device transmits a request to a key server that has access to the static private key and receives a response that is based on at least a result of at least one cryptographic operation using the static private key. The responder device receives from the key server, or generates, a transport key(s) for the responder device to use for sending and receiving data on the cryptographic tunnel. The responder device transmits a response to the initiator device that includes information for the initiator device to generate a transport key(s) that it is to use for sending and receiving data on the cryptographic tunnel.
    Type: Grant
    Filed: March 11, 2020
    Date of Patent: January 26, 2021
    Assignee: CLOUDFLARE, INC.
    Inventors: Watson Bernard Ladd, Vladislav Krasnov
  • Patent number: 10904593
    Abstract: A video packaging and origination service can process requests for content segments from requesting user devices. The video packaging and origination service can utilize various techniques to address performance of the user device responsive to detection of the presence of ad blocking software applications.
    Type: Grant
    Filed: September 4, 2018
    Date of Patent: January 26, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Meera Jindal, Varun Ram
  • Patent number: 10904219
    Abstract: A relay-proxy device has first and second interfaces allowing connection to a first node and a second node respectively, wherein the relay-proxy device is configured with at least one key, and the relay-proxy device is operable to: receive a traffic flow in an encrypted transport protocol on the first interface; decrypt a first part of the traffic flow with said key, wherein a second part of the traffic flow cannot be decrypted with said key; perform a management function based on a content of the decrypted first part of the traffic flow; and forward at least the second part of the encrypted traffic flow to the second interface.
    Type: Grant
    Filed: March 2, 2016
    Date of Patent: January 26, 2021
    Assignee: Telefonaktiebolaget LM Ericsson (publ)
    Inventors: Göran Eriksson, Marcus Ihlar, Daniel Lindström, Zaheduzzaman Sarker
  • Patent number: 10901849
    Abstract: A method for execution by a dispersed storage and task (DST) processing unit includes queuing authorization requests, corresponding to received operation requests, in response to determining that first system utilization data indicates a first utilization level that compares unfavorably to a normal utilization threshold. A first batched authorization request that includes the queued authorization requests is generated for transmission to an Identity and Access Management (IAM) system in response to determining that the first request queue compares unfavorably to a first queue limit condition. A second queue limit condition that is different from the first queue limit condition is determined based on second system utilization data. A second batched authorization request that includes a second plurality of authorization requests of a second request queue is generated in response to determining that the second request queue compares unfavorably to the second queue limit condition.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: January 26, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Amit H. Lamba, Brian F. Ober
  • Patent number: 10904232
    Abstract: Aspects of the present disclosure relate to providing a booting key to a remote system. A policy server receives a verification that a predetermined number of user devices provided secret information for booting a remote system. The policy server provides, in response to the received verification, a message for a key server to provide a booting key to the remote system, the key server providing the booting key in response to the message and causing the remote system to complete a booting procedure, in response to the message from the policy server.
    Type: Grant
    Filed: September 5, 2019
    Date of Patent: January 26, 2021
    Assignee: Palantir Technologies Inc.
    Inventors: Justin Cassidy, Tristan Smith, Kori Oliver
  • Patent number: 10904230
    Abstract: Examples described herein include systems and methods for performing distributed encryption across multiple devices. An example method can include a first device discovering a second device that shares a network. The device can identify data to be sent to a server and calculate a checksum for that data. The device can then split the data into multiple portions and send a portion to the second device, along with a certificate associated with the server for encrypting the data. The first device can encrypt the portion of data it retained. The first device can receive an encrypted version of the second portion of the data sent to the second device. The first device can merge these two portions and send the merged encrypted data to the server, along with the checksum value. The server can decrypt the data and confirm that it reflects the original set of data.
    Type: Grant
    Filed: February 19, 2018
    Date of Patent: January 26, 2021
    Assignee: VMWARE, INC.
    Inventors: Suman Aluvala, Ramani Panchapakesan, Rajneesh Kesavan, Arjun Kochhar
  • Patent number: 10896178
    Abstract: High performance query processing and data analytics can be performed across architecturally diverse scales, such as single core, multi-core and/or multi-nodes. The high performance query processing and data analytics can include a separation of query computation, keying data, and data movement and parallel computation, thereby enhancing the capabilities of the query processing and data analytics, while allowing the specification of complex forms of data parallel computation that may execute across real-time and offline. The decoupling of data movement and parallel computation, as described herein, can improve query processing and data analytics speed, can provide for the optimization of searches in a plurality of computing environments, and can provide the ability to search through a larger space of execution plans.
    Type: Grant
    Filed: March 30, 2016
    Date of Patent: January 19, 2021
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Badrish Chandramouli, Raul Castro Fernandez, Abdul H. Quamar, Ahmed Eldawy, Jonathan D. Goldstein
  • Patent number: 10896137
    Abstract: A first non-volatile memory may store first data and a second non-volatile memory may store second data. An authentication component may be coupled with the first non-volatile memory and the second non-volatile memory and may receive a request to perform an authentication operation. In response to the request to perform the authentication operation, the authentication component may access the first data stored at the first non-volatile memory and the second data stored at the second non-volatile memory and determine whether the second data stored at the second non-volatile memory has become unreliable based on a memory disturbance condition. In response to determining that the second data stored at the second non-volatile memory has become unreliable, a corrective action associated with the first data stored at the first non-volatile memory may be performed.
    Type: Grant
    Filed: May 23, 2019
    Date of Patent: January 19, 2021
    Assignee: Cryptography Research, Inc.
    Inventors: Scott C. Best, Brent S. Haukness, Carl W. Werner
  • Patent number: 10893235
    Abstract: A conferencing apparatus and a method for switching an access terminal therein are provided. The conferencing apparatus according to one embodiment of the present disclosure includes: a conference information management module configured to generate mapping information for terminal identification information of a first terminal and access information of a conference participant who is accessing a conference through the first terminal; and an access switch module configured to provide a token corresponding to the mapping information to the first terminal according to an access terminal switch request from the first terminal and, when the token is received from a second terminal, switch a terminal of the conference participant from the first terminal to the second terminal according to validity of the received token.
    Type: Grant
    Filed: October 29, 2018
    Date of Patent: January 12, 2021
    Assignee: SAMSUNG SDS CO., LTD.
    Inventors: Hee-Tae Yoon, Seong-Joong Chang, Do-Hyung Im, Jun-Ho Kang