Having Key Exchange Patents (Class 713/171)
-
Patent number: 11271921
Abstract: This disclosure includes utilizing a token cryptogram with a browser to facilitate a transaction. A webpage of a website is configured to accept a token cryptogram in fields of the webpage. The webpage of the website may indicate that it is token-aware and is configured to accept the token cryptograms.
Type: Grant
Filed: May 1, 2019
Date of Patent: March 8, 2022
Assignee: Visa International Service Association
Inventors: Prasanna L. Narayan, Ramji Sethuraman
-
Patent number: 11265715
Abstract: Provided are a method and apparatus. A method, performed by a primary terminal, of providing a communication service may include: identifying and accessing, by performing a discovery process, an Internet of Things (IoT) terminal operating as an access point, transmitting, to the IoT terminal, authentication information for performing a second embedded Subscriber Identity Module (eSIM) setup process following a first eSIM setup process while performing the first eSIM setup process on the IoT terminal, disconnecting first connection with the IoT terminal after terminating the first eSIM setup process, performing second connection with the IoT terminal based on the authentication information, in response to an access request from the IoT terminal and performing the second eSIM setup process as a subsequent procedure to the first eSIM setup process.
Type: Grant
Filed: June 22, 2020
Date of Patent: March 1, 2022
Assignee: Samsung Electronics Co., Ltd.
Inventors: Sujung Kang, Hyewon Lee, Jonghan Park, Duckey Lee
-
Patent number: 11265699
Abstract: A network terminal, e.g., LTE or 5G, can connect to a home network via a serving network. The terminal can have a terminal identifier (TID), such as an IMEI or other PEI, and a network subscriber can have a subscriber identifier (SID), such as an IMSI or other SUPI. In some nonlimiting examples, a network node can determine that a SID and a TID are authorized for joint use and, in response, transmit authorization information. In some nonlimiting examples, a network node can receive an attach request having verification data and encrypted identification data. The network node can receive decrypted identity data and determine that the identity data corresponds with the verification data. In some nonlimiting examples, the terminal can send an attach request comprising encrypted SID and TID data, and a cryptographic hash, to a network node.
Type: Grant
Filed: May 17, 2018
Date of Patent: March 1, 2022
Assignee: T-Mobile USA, Inc.
Inventor: Yousif Targali
-
Patent number: 11265379
Abstract: An internet-of-things (IoT) distribution hub enables delivery of formatted IoT data to any of multiple hosting platforms as dynamically configurable by an IoT device owner. A service node in a distributed network provides, to an IoT device, a device key for accessing an IoT distribution network. The service node receives a selection of a hosting platform for the IoT device, wherein the selected hosting platform is one from a group of available hosting platforms available through the IoT distribution network. The service node maps the IoT device to a virtual device proxy for the selected hosting platform and receives a request from the IoT device to forward IoT data. The request includes the device key. The service node forwards the IoT data to the selected hosting platform via the virtual device proxy.
Type: Grant
Filed: September 25, 2020
Date of Patent: March 1, 2022
Assignee: Verizon Patent and Licensing Inc.
Inventors: Cheul Shim, Michael G. Hogan, Angel Polito, Terence P. Maguire, Thierry R. Sender
-
Patent number: 11258610
Abstract: One embodiment provides a system and method for sharing a security application. During operation, the security application receives a service key associated with a first application executed on a terminal device. The security application resides in a secure element within the terminal device. The security application receives service data associated with the first application; processes the service data based on the service key; and returns the processed service data to the first application, thereby facilitating the first application in performing service based on the processed service data.
Type: Grant
Filed: January 26, 2021
Date of Patent: February 22, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Xi Sun, Hongwei Luo
-
Patent number: 11258784
Abstract: Approaches presented herein enable credentials to be revoked or otherwise modified while limiting the impact of inadvertent or unintended changes in access. In some embodiments, the revocation of a credential can occur over a period of time with the level of access being diminished over that period, in order to prevent an inadvertent denial of access while indicating to the requestor that there is an issue with the credential. When a new policy is created for a new credential, a prior policy can be retained for at least a period of time such that users with inadvertently revoked access can obtain a level of access per the previous policy. Various embodiments trace the calls for a credential throughout the system in order to determine which services, processes, or components might be affected by the revocation, such that an appropriate remedial action can be taken.
Type: Grant
Filed: November 8, 2019
Date of Patent: February 22, 2022
Assignee: Amazon Technologies, Inc.
Inventor: Jon T. Hanlon
-
Patent number: 11259178
Abstract: A first set of device authentication parameters for a to-be-authenticated Bluetooth device in a Bluetooth mesh network is determined based at least in part on device identification information associated with the to-be-authenticated Bluetooth device. First authentication information is generated based at least in part on the first set of device authentication parameters and a first random number. The first authentication information and the first random number are forwarded to the to-be-authenticated Bluetooth device. Second authentication information and a second random number associated with the to-be-authenticated Bluetooth device are received, wherein the second authentication information is generated based at least in part on a second set of device authentication parameters and the second random number. The to-be-authenticated Bluetooth device is authenticated based at least in part on the second authentication information and the second random number.
Type: Grant
Filed: May 14, 2019
Date of Patent: February 22, 2022
Inventor: Junfeng Hu
-
Patent number: 11258778
Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for performing data management. One of the methods includes: obtaining authentication information of a login user; generating a digital abstract of the authentication information of the login user; and authenticating the login user based on a comparison between the digital abstract of the authentication information of the login user and one or more digital abstracts stored on a blockchain.
Type: Grant
Filed: February 28, 2019
Date of Patent: February 22, 2022
Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
Inventors: Long Cheng, Yanpeng Li
-
Patent number: 11251943
Abstract: Methods, system and devices for sharing a secret between an isolated device connected to a network through a transmit-only unidirectional secure channel and a network connected user device, comprising generating a secret value divided to first and second components, transmitting the first component, via the unidirectional secure channel, to one or more computing nodes of a distributed system, and transferring the second component, via a tamper-resistant unidirectional insecure channel, to the network connected user device associated with the user to enable the network connected user device to reproduce the secret value by combining the first component received from one or more of the computing nodes with the second component.
Type: Grant
Filed: July 8, 2019
Date of Patent: February 15, 2022
Assignee: GK8 LTD
Inventors: Shahar Shamai, Lior Lamesh
-
Patent number: 11245672
Abstract: A method for accessing content of encrypted data item(s) by a terminal device operating in a digital environment, according to which before the data item is being accessed by the terminal device, it is modified after being intercepted if found to be encrypted. The wrapper of the data item is modified or replaced by embedding a URL with a unique identifier and a message into the wrapper of the data item. If a supported terminal device attempts to access the modified data item, the client application natively consumes the data from the modified data item and ignores its wrapper. If not, the message and the URL are displayed on the terminal device and the user browses the URL. Then after authentication, a web server locates the modified data item using the unique identifier, retrieves and decrypts the modified item and converts the decrypted modified data item to a format that can be consumed by the browser.
Type: Grant
Filed: June 17, 2013
Date of Patent: February 8, 2022
Assignee: MICROSOFT TECHNOLOGLY LICENSING, LLC
Inventor: Yuval Eldar
-
Patent number: 11237954
Abstract: Provided herein may be a controller and a data storage system having the controller. The controller may include a mapping time generator configured to generate a first mapping time at which a logical block address and a physical block address are mapped to each other, an internal memory configured to store first address mapping information including an address map, and the first mapping time, a host interface configured to transmit the first address mapping information to a host, and receive second address mapping information from the host, and a central processing unit configured to generate the address map, store the first address mapping information in the internal memory, compare a second mapping time included in the second address mapping information with the first mapping time, and select a read mode based on a result of the comparison.
Type: Grant
Filed: June 8, 2020
Date of Patent: February 1, 2022
Assignee: SK hynix Inc.
Inventors: Hye Mi Kang, Eu Joon Byun
-
Patent number: 11233661
Abstract: A device and a method for authenticating an application in an execution environment in a trust zone are provided. The method includes executing a client application (CA) in a normal world, receiving, in the normal world, a request for receiving a service of a trusted application (TA) of a secure world from the CA, acquiring, when the request is received in the normal world, source information of the CA loaded in a memory of the device, acquiring, in the normal world, first hash information from the source information, providing, to the secure world, the first hash information together with signature information and a sub certificate included in the CA, and authenticating the CA based on the sub certificate and a root certificate of the TA in the secure world.
Type: Grant
Filed: February 25, 2020
Date of Patent: January 25, 2022
Assignee: Samsung Electronics Co., Ltd.
Inventors: Jinha Hwang, Kyungsoo Kwag, Inho Kim, Dongsun Lee, Jungkyuen Lee, Jongtak Lee, Kyungim Jung
-
Patent number: 11233633
Abstract: Method and system of secured direct link set-up (DLS) for wireless networks. In accordance with aspects of the method, techniques are disclosed for setting up computationally secure direct links between stations in a wireless network in a manner that is computationally secure. A direct link comprising a new communication session is set up between first and second stations in a wireless local area network (WLAN) hosted by an access point (AP), the direct link comprising a new communication session. The AP generates a unique session key for the new communication session and transfers secured copies of the session key to each of the first and second stations in a manner under which only the first and second stations can obtain the session key. A security mechanism is then implemented on the unsecured direct link to secure the direct link between the first and second stations using a secure session key derived from the session key.
Type: Grant
Filed: November 13, 2018
Date of Patent: January 25, 2022
Assignee: INTEL CORPORATION
Inventors: Jesse Walker, Shlomo Ovadia, Suman Sharma
-
Patent number: 11228584
Abstract: A method for use in a hybrid network ecosystem comprising an enterprise network and a reconciliation network is presented. The method comprises generating, by at least one first computing node in the enterprise network or the reconciliation network, a first digital facilitator, wherein the first digital facilitator provides one or more parameters for accessing or distributing data on a distributed ledger in the enterprise network, and wherein a private key is used for performing a computing operation, based on the data, in the enterprise network. The method also comprises generating, by the at least one first computing node in the enterprise network or the reconciliation network or at least one second computing node in the enterprise network or the reconciliation network, a second digital facilitator, wherein the second digital facilitator provides the one or more parameters for accessing or distributing the data in the reconciliation network.
Type: Grant
Filed: May 16, 2019
Date of Patent: January 18, 2022
Assignee: SpeedChain, Inc.
Inventors: Daniel Cage, Padmakar Kankipati, Norman R. Silverman
-
Patent number: 11228423
Abstract: A method includes: a first device sending to a second device a deployment request for deploying a homomorphically-encrypted data model on the second device, wherein the deployment request comprises ciphertext model parameters and a public key for the homomorphic encryption; the second device obtaining a first ciphertext security assessment index through computation using the ciphertext model parameters, and sending the same to the first device; the first device decrypting the received first ciphertext security assessment index using a private key corresponding to the public key to generate a plaintext security assessment index, and forwarding the plaintext security assessment index to the second device; and the second device encrypting the plaintext security assessment index using the public key to generate a second ciphertext security assessment index, comparing both indices to determine consistency for determining whether to deploy the homomorphically-encrypted data model.
Type: Grant
Filed: March 31, 2020
Date of Patent: January 18, 2022
Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
Inventor: Fangyuan Ruan
-
Patent number: 11228903
Abstract: The methods, systems, and computer readable media discussed herein are directed to enabling a fifth generation cellular-wireless access technology (5G) user equipment (UE) to receive 5G service using a fourth generation cellular-wireless access technology (4G) subscriber identity module (SIM). Upon powering on, the 5G UE may determine whether a mobile network operator (MNO) public key file exists in the 4G SIM. Upon determining that the MNO public key file exists in the 4G SIM, the 5G UE may retrieve a MNO public key value from the MNO public key file, read a subscription permanent identifier (SUPI) from the 4G SIM, generate a subscription concealed identifier (SUCI) based on the SUPI and the MNO public key value, send the SUCI to a 5G mobile network for registering the 5G UE, and begin receiving 5G services from the 5G mobile network.
Type: Grant
Filed: December 28, 2018
Date of Patent: January 18, 2022
Assignee: T-Mobile USA, Inc.
Inventors: Kyeong Hun An, Phani Ramisetty, Mathew George
-
Patent number: 11218918
Abstract: Techniques for efficient roaming of clients between access points (APs) of a wireless data communications network are described. A first AP receives a request for a first client device to join the network. The request specifies at least a unique identifier for the first client device. An identifier for a second AP is identified by processing the unique identifier using a predefined hash function. The second AP is one of at least two APs configured to each redundantly store network state information relating to the first client device. A network address of the second AP is determined. A first request is transmitted to the network address, for network state information including a pairwise master key (PMK) and profile information. The PMK and the profile information are received. The first client device is authenticated and a connection is established between the first client device and the network.
Type: Grant
Filed: July 27, 2020
Date of Patent: January 4, 2022
Assignee: Cisco Technology, Inc.
Inventors: Prashant Kumar, Tirthankar Ghose
-
Patent number: 11218313
Abstract: A trusted device is positioned within a private consensus network. The trusted device includes a memory and processing circuitry in communication with the memory. The processing circuitry is configured to obtain, from a private distributed ledger associated with the private consensus network, rules associated with the private consensus network, the private distributed ledger being accessible only to devices positioned within the private consensus network, to identify one or more other trusted devices positioned within the private consensus network, to receive, from an unidentified device positioned within the private consensus network, an identity verification request to identify the unidentified device within the private consensus network, to determine, based on the obtained rules, whether to approve or deny the identity verification request, and to communicate, to the one or more other trusted devices, a vote indicative of the determination of whether to approve or deny the identity verification request.
Type: Grant
Filed: December 5, 2019
Date of Patent: January 4, 2022
Assignee: Equinix, Inc.
Inventors: Srinivasan Raghavan, Sreekanth Narayanan, Neeraj Kumar Kukreti
-
Patent number: 11218465
Abstract: Disclosed is a computer-implemented method for establishing a secure connection between two electronic computing devices which are located in a network environment, the two electronic computing devices being a first computing device offering the connection and a second computing device designated to accept the connection, the method comprising executing, by at least one processor of at least one computer, a connection-establishing application for exchanging an information packet between the first computing device and the second computing device comprising a secret usable for establishing the connection, and evaluating a response from the second computing device for establishing the secure connection.
Type: Grant
Filed: January 29, 2017
Date of Patent: January 4, 2022
Assignee: BEAME.IO LTD.
Inventors: Zeev Glozman, Markus Neff
-
Patent number: 11218325
Abstract: This specification describes techniques for managing assets in a blockchain. One example method includes receiving, from a target user recorded in a distributed database of a blockchain network, a user input including a request to update a status of a target object, determining, based on a contract object, whether the target user is a member user with an update permission for the target object, the contract object being published in the blockchain network and corresponding to an asset type of the target object, wherein the target object was created using the contract object, and in response to determining that the target user has the update permission for the target object, performing a status update on the target object by using the contract object.
Type: Grant
Filed: December 23, 2019
Date of Patent: January 4, 2022
Assignee: Advanced New Technologies Co., Ltd.
Inventor: Xuebing Yan
-
Patent number: 11218466
Abstract: Systems, devices, and techniques are disclosed for endpoint security. A user identifier entered into a first authentication screen used to access endpoints hosted on a server system may be received from a user computing device. The user identifier may be determined to be an invalid user identifier for the server system. The user identifier may be hashed to generate a hashed user identifier. An endpoint number may be determined as the hashed user identifier modulo a number of endpoint records assigned numbers on the server system. An endpoint URL may be retrieved from an endpoint record of the server system that is associated with a number equal to the endpoint number. The endpoint URL and data for a second authentication screen including a control for password entry may be sent to the user computing device. The endpoint URL may be displayed on the second authentication screen.
Type: Grant
Filed: December 19, 2018
Date of Patent: January 4, 2022
Assignee: salesforce.com, inc.
Inventors: John Rice, Thomas B. Kashin
-
Patent number: 11212099
Abstract: Some embodiments relate to an electronic network node (110) configured for a cryptographic operation. The network node obtains a shared matrix (A) by selecting integers, polynomials, and/or polynomial-coefficients from a shared pool, the shared pool being shared with the second network node, wherein the selecting is done according to one or more selection functions.
Type: Grant
Filed: October 12, 2018
Date of Patent: December 28, 2021
Assignee: Koninklijke Philips N.V.
Inventors: Oscar Garcia Morchon, Ludovicus Marinus Gerardus Maria Tolhuizen
-
Patent number: 11210658
Abstract: In a general aspect, a distributed ledger transaction is generated on a cold hardware wallet. Generating the distributed ledger transaction includes receiving, at the cold hardware wallet, ledger information from a network-connected device via a private module-to-device communication link. The ledger information may include account information for the distributed ledger transaction, and a timestamp identifying when the account information was received by the network-connected device from a public network. The cold hardware wallet may generate a message based on the account information, identify a private key stored in the cold hardware wallet, generate a digital signature based on the message and the private key, and generate the distributed ledger transaction based on the message and the digital signature. The cold hardware wallet may send the distributed ledger transaction to the network-connected device via the private module-to-device communication link for forwarding to the public network for settlement.
Type: Grant
Filed: April 28, 2021
Date of Patent: December 28, 2021
Assignee: iCoin Technology, Inc.
Inventors: Chester Silvestri, Adam Silvestri, Douglas Kadlecek
-
Patent number: 11201859
Abstract: A method and apparatus for providing tenant specific encryption is described herein. According to an embodiment, a transmission site receives a data packet for transmission or forwarding. The transmission site determines, based on information in a header of the data packet, that the data packet is to be encrypted before transmission or forwarding. Using the information in the header, the transmission site identifies an encryption key for the data packet. The transmission site generates, for the data packet, an additional header and populates the additional header with a destination port number based on a destination port header value of the data packet. The transmission site overwrites the destination port header value of the packet with data indicating that the data packet is encrypted and then encrypts an encapsulated packet within the data packet using the encryption key prior to transmitting or forwarding the data packet.
Type: Grant
Filed: October 17, 2018
Date of Patent: December 14, 2021
Assignee: Cisco Technology, Inc.
Inventors: Javed Asghar, Sridhar Vallepalli, Govind Prasad Sharma, Eshwar Rao Yedavalli
-
Patent number: 11201744
Abstract: A system for a time-based one-time password security system operating at a provisioning server may comprise transmitting one or more first locally generated random-string numbers for generation of a first time-based one-time password to a remotely connected internet of things sensor and a remotely connected internet of things sensor hub. The system may also comprise executing code instructions to associate the internet of things sensor with a first client key in a table stored in a memory operatively connected to the processor, associate the internet of things sensor hub with a second client key in the table, and associate the internet of things sensor and internet of things sensor hub with the one or more first locally generated random-string numbers in the table. Further the first remotely generated random-string numbers may identify a first preset function for generation of a first session key used in encrypting and decrypting sensor data records.
Type: Grant
Filed: November 18, 2019
Date of Patent: December 14, 2021
Assignee: Dell Products, LP
Inventors: Daniel L. Hamlin, Minhaj Ahmed, Amy C. Nelson
-
Patent number: 11201743
Abstract: Embodiments can provide methods for securely provisioning sensitive credential data, such as a limited use key (LUK) onto a user device. In some embodiments, the credential data can be encrypted using a separate storage protection key and decrypted only at the time of a transaction to generate a cryptogram for the transaction. Thus, end-to-end protection can be provided during the transit and storage of the credential data, limiting the exposure of the credential data only when the credential data is required, thereby reducing the risk of compromise of the credential data.
Type: Grant
Filed: September 10, 2019
Date of Patent: December 14, 2021
Assignee: Visa International Service Association
Inventors: Eric Le Saint, Soumendra Bhattacharya
-
Patent number: 11184351
Abstract: A system includes a hardware processor, a virtual host, and a first subsystem. The processor receives a request indicating that a user is seeking to access the first subsystem. The processor uses the virtual host to perform a first authentication of the user, without yet connecting the user to the first subsystem, based on the login credentials of the user. In response to performing the first authentication, the virtual host provides the user with access to the first subsystem. The first subsystem then generates a key associated with the user and stores the key in a database. The first subsystem splits the key into a first part and a second part. The first subsystem additionally sends the first part to the user, for storage in an authentication string stored in a device of the user. The first subsystem also stores the second part in a second authentication server.
Type: Grant
Filed: September 4, 2019
Date of Patent: November 23, 2021
Assignee: Bank of America Corporation
Inventor: Manu Jacob Kurian
-
Patent number: 11184158
Abstract: A unique transaction key (Tk) is established amongst multiple entities using a common hardware security module (HSM) with a common HMAC key (HK) and transaction scheme name (T). The transaction key (Tk) can be used for various cryptographic functions (e.g. encryption, MAC, HMAC, key management) with one or more messages at the transaction or session level.
Type: Grant
Filed: April 6, 2020
Date of Patent: November 23, 2021
Assignee: Wells Fargo Bank, N.A.
Inventors: Phillip H. Griffin, Jeffrey J. Stapleton
-
Patent number: 11184173
Abstract: A method of sharing encrypted data includes, by an electronic device, receiving a password from a user to perform an action, receiving a salt value, generating a user key using the password and salt value, receiving an encrypted key location identifier value, decrypting the encrypted key location identifier value to obtain a key location identifier, receiving an encrypted read token value, decrypting the encrypted read token value using the user key to obtain a read token value, and transmitting the read token value and the key location identifier to a server electronic device.
Type: Grant
Filed: August 23, 2019
Date of Patent: November 23, 2021
Assignee: Powch, LLC
Inventors: Essam Abadir, Rosco Schock, Joshua Risbeck Cox
-
Patent number: 11176226
Abstract: The invention described herein is directed to a secure text messaging and object sharing mobile application connected to a DRM cloud service that provides encryption, digital rights management (DRM) of the text and of the attachments, blockchain transactions, the capability of attaching documents, photos and so forth, the capability of interfacing with a user's contacts application, and that operates in both Android and iOS environments.
Type: Grant
Filed: March 10, 2021
Date of Patent: November 16, 2021
Assignee: AVILA TECHNOLOGY, LLC
Inventor: Robert Bernardi
-
Patent number: 11177942
Abstract: A method and apparatus of a device that stores an object on a plurality of storage servers is described. In an exemplary embodiment, the device receives an object to be stored and encrypts the object with a first key. The device further creates a plurality of bit vectors from the encrypted object. In addition, the device randomizes the plurality of bit vectors to generate a plurality of randomized bit vectors. Furthermore, the device sends the plurality of randomized bit vectors and the plurality of second keys to the plurality of storage servers, wherein each of the plurality of storage servers stores at least one each of the plurality of randomized bit vectors and the plurality of second keys.
Type: Grant
Filed: November 13, 2017
Date of Patent: November 16, 2021
Inventor: Duncan MacDougall Greatwood
-
Patent number: 11171928
Abstract: In a method of Local Peer to Peer Direct Connection in NAT and overlay network. A request is received from a first peer at a relay gateway to establish a direct connection with a second peer. The first peer and the second peer are located behind a NAT firewall. An authentication request is relayed from the first peer at the relay gateway. The authentication request is forwarded from the relay gateway to the second peer. Upon performing authentication at the second peer, an authentication response is received at the relay gateway. The authentication response is received from the relay gateway at the first peer. An internal route propagation is performed from the second peer to the first peer via the relay gateway. A Local Peer to Peer Direct Connection is established between the first peer and the second peer for packet flow through the direct connection.
Type: Grant
Filed: December 6, 2018
Date of Patent: November 9, 2021
Assignee: COLORTOKENS, INC.
Inventors: Deepak Kumar Mohanty, Ashish Trivedi, Ravi Voleti, Anoop Kapoor, Mritunjay Kumar, Suprio Pal
-
Patent number: 11163867
Abstract: A method and a system for authorizing acquisition of an attack alarm information log of a terminal, belonging to the field of communication technology, the method includes: after obtaining the authentication account with an authority to obtain the attack alarm information log, a server authenticates the legality of a client tool; after the legality passes the authentication, the terminal sends a second to-be-authenticated data to the client tool, and the client tool sends the second to-be-authenticated data to the server; after the second to-be-authenticated data passes the authentication, the server encrypts the second to-be-authenticated data to generate a second authentication data, and sends the second authentication data to the terminal; if the second authentication data passes the authentication, the terminal obtains and encrypts the attack alarm information log, and then sends it to the client tool after encryption.
Type: Grant
Filed: August 10, 2017
Date of Patent: November 2, 2021
Assignee: Fujian LANDI Commercial Equipment Co., Ltd
Inventors: Feifei Chen, Hui Lin
-
Patent number: 11159333
Abstract: A method, apparatus and computer program product are provided for generating a registered certified seal, sealing an asset, and verifying a sealed asset. In an example embodiment, a method is provided for receiving a request to generate a registered certified seal from an entity, accessing certifier entity data via a uniform resource locator of a certification authority identified by a certifying certificate, and verifying a digitally signed entity certifying certificate. The method further comprises upon verifying the digitally signed entity certifying certificate, receiving seal data comprising a seal data key for a certified seal, and saving the seal data for the entity within a digital seal registry, wherein the digital seal registry is searchable based at least in part on at least a portion of the seal data key.
Type: Grant
Filed: June 25, 2019
Date of Patent: October 26, 2021
Assignee: Auth9, Inc.
Inventors: Hongjun Li, Ning Xu
-
Patent number: 11157626Abstract: A system for establishing and maintaining a bi-directional chain of trust includes a root of trust (RoT) executing a root trusted server that can establish a trusted relationship between the RoT and a given node, and monitor the given node to ensure that the given node executes trusted operations and to ensure that authenticated code and static data for the given node are unchanged. The given node can include a trusted server that can monitor another node to ensure that the other node executes trusted operations and to ensure that authenticated code and static data for the other node are unchanged. The other node can include a trusted server that can monitor the given node to ensure that the given node executes trusted operations and to ensure that the authenticated code and static data for the given node are unchanged based on maintenance information received for the given node.Type: GrantFiled: May 29, 2019Date of Patent: October 26, 2021Assignee: NORTHROP GRUMMAN SYSTEMS CORPORATIONInventors: Steven D. Ratts, Brian J. Noe, Francis B. Afinidad
-
Patent number: 11159330Abstract: Exemplary embodiments are directed to a method for allowing a user at a first client device to provide access to restricted content on a content provider server to a user at a second client device without providing identifying information of the second client device or the user to the content provider. The second client device receives, in a messaging app, a message from the first client device comprising a link to a content item at a content provider and an identifier of a private/public key pair on the second client device. Second client device displays the link in the user interface of the messaging app and receives a user selection of the link. Second client device generates a digital signature for the link using the private key of the private/public key pair and sends the link and the digital signature to the content provider. The content item is then received from the content provider and displayed on the second client device.Type: GrantFiled: October 24, 2019Date of Patent: October 26, 2021Assignee: WHATSAPP LLC.Inventor: Cheng Tian
-
Patent number: 11159482Abstract: An information processing apparatus connected with one or more apparatuses through a network, comprises: a first acquiring unit configured to acquire first address information for indicating one of addresses in the network among addresses of the apparatuses and first apparatus specific information for identifying the apparatuses; a second acquiring unit configured to acquire second apparatus specific information for identifying an apparatus indicated by the first address information acquired by the first acquiring unit; a determining unit configured to determine whether the first apparatus specific information acquired by the first acquiring unit is the same as the second apparatus specific information acquired by the second acquiring unit or not; and a process requesting unit configured to request the apparatus indicated by the first address information to perform a certain process upon the determining unit determining the first apparatus specific information to be the same as the second apparatus specific iType: GrantFiled: April 22, 2020Date of Patent: October 26, 2021Assignee: Ricoh Company, Ltd.Inventors: Yuuta Hashimoto, Tomoyuki Takahira
-
Patent number: 11157220Abstract: A communication apparatus automatically establishes a wireless communication connection with an image processing apparatus. The communication apparatus captures one or more images of the image processing apparatus and determines, via an image recognition process, the identification information associated with the image processing apparatus. The communication apparatus automatically searches configuration information matching the identification information of the image processing apparatus and initiates the communication connection request. Communication apparatus provides the status information on a display screen of the communication apparatus and establishes a connection between the image processing apparatus and the communication apparatus.Type: GrantFiled: December 16, 2019Date of Patent: October 26, 2021Assignee: Canon Kabushiki KaishaInventors: Nigel Brady, Nobuyuki Iwauchi, Yunzhe Zhao
-
Patent number: 11144540Abstract: This specification describes techniques for managing assets in a blockchain. One example method includes receiving, from a target user recorded in a distributed database of the blockchain network, a user input including a request to generate an asset object in the blockchain network, the blockchain network including an account object and a contract object, determining, based on the user input, an asset type of the asset object, initiating, in the blockchain network, the contract object corresponding to generate the asset object based on the asset type, the asset object including a digital asset corresponding to a physical asset associated with the target user, assigning the asset object to a target object of the target user, and adding address information of the asset object to the target object.Type: GrantFiled: December 23, 2019Date of Patent: October 12, 2021Assignee: Advanced New Technologies Co., Ltd.Inventor: Xuebing Yan
-
Patent number: 11146385Abstract: Provided is a security communication method in a NFV environment and a system thereof. A security communication method in the NFV environment according to an exemplary embodiment of the present invention is a security communication method between virtualized network functions (VNF) in a network function virtualization (NFV) environment including: performing authentication between a first VNF and a second VNF by an element manager using a hash chain; generating secret keys based on its own hash chains by the first VNF and the second VNF which are authenticated; and performing the communication by the first VNF and the second VNF using its own secret keys.Type: GrantFiled: November 29, 2018Date of Patent: October 12, 2021Assignee: The Industry & Academic Cooperation in Chungnam National UniversityInventors: Jae Cheol Ryou, Hyun Jin Kim
-
Patent number: 11144216Abstract: Systems and methods for moving encrypted storage blocks in a security enhanced manner. An example method may comprise: selecting, by a processing device, a storage block stored by a storage device, wherein the storage block comprises encrypted content and is associated with a computing process; causing the encrypted content of the storage block to be decrypted using a first cryptographic input that is location dependent and encrypted using a second cryptographic input that is location independent; and copying the storage block comprising the encrypted content from a first location within the storage device to a second location within the storage device.Type: GrantFiled: August 9, 2019Date of Patent: October 12, 2021Assignee: Red Hat, Inc.Inventors: Michael Tsirkin, Henri Han van Riel
-
Binding a public cloud user account and a personal cloud user account for a hybrid cloud environment
Patent number: 11146657Abstract: Binding a public cloud account and a personal cloud account is described. A pre-approval list indicates that a user's public cloud account and personal cloud account are approved for binding. A copy of the pre-approval list is stored on the personal cloud device; another copy is stored on the public cloud service. The user logs into the public cloud account using a client device. Based on the pre-approval list stored on the public cloud service, the client device obtains information identifying the user's personal cloud account. The personal cloud device verifies the pre-approval of the binding based on the pre-approval list stored on the personal cloud device. The personal cloud device transmits a verification to the public cloud service. Each of the public cloud service and the personal cloud device stores information indicating the binding.Type: GrantFiled: February 11, 2019Date of Patent: October 12, 2021Assignee: Latticework, Inc.Inventor: Pantas Sutardja
-
Patent number: 11138321Abstract: Systems and methods for securing user location data are described. A method includes receiving, by a location server computer, an encrypted location from a mobile device. The encrypted location is a location of the mobile device encrypted with a public key. The method then includes receiving, by the location server computer, a location request message from an interaction processing server and partially decrypting, by the location server computer, the encrypted location with a first private key share to form a partially decrypted location. The method further includes transmitting, by the location server computer to the interaction processing server, a location response message with the encrypted location and the partially decrypted location. The interaction processing server then uses the partially decrypted location and the second private key share to form a decrypted location.Type: GrantFiled: June 27, 2019Date of Patent: October 5, 2021Assignee: Visa International Service AssociationInventors: Oleg Gryb, Akshay Bhaskaran, Ravi Krishnan Muthukrishnan
-
Patent number: 11140157Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for proximity-based access. In some implementations, an electronic device receives a first message over a network over a first communication channel. In response to receiving the first message, the electronic device increases a frequency that the electronic device scans for messages over the second communication channel. After increasing the frequency that the electronic device scans for messages over the second communication channel, the electronic device receives a second message from a secured resource over the second communication channel. The electronic device determines that the electronic device is located within a predetermined level of proximity to the secured resource, and in response, sends authentication data to the secured resource over the second communication channel.Type: GrantFiled: April 16, 2018Date of Patent: October 5, 2021Assignee: MicroStrategy IncorporatedInventors: Feng Xia, Siamak Ziraknejad, Liang Chen, Quan Jia
-
Patent number: 11133930Abstract: A method for generating an encryption key for use in an encryption process at a device, the method comprising: measuring respective values of a plurality of features of the device to generate a plurality of feature values, normalising the feature values using a respective normalisation map for each feature to generate a plurality of normalised values, and generating the encryption key in dependence on the normalised values.Type: GrantFiled: March 23, 2018Date of Patent: September 28, 2021Assignee: Metrarc LimitedInventors: William Gareth James Howells, Klaus Dieter McDonald-Maier
-
Patent number: 11126600Abstract: A system and method for accelerating compaction includes a compaction accelerator. The accelerator includes a compactor separate from a processor performing read and write operations for a database or a data store. The compactor is configured to receive a table to be compacted and entries written in the table, each of the entries being associated with a timestamp indicating when they were respectively written; identify, using a plurality of sort engines operating in parallel, the entries that were written last based on the timestamps; mark, using a plurality of marker engines operating in parallel, older copies of the entries for deletion; create, using the plurality of marker engines, tombstones for the older copies; create a compacted table, including the entries that were last written; delete the tombstones and the entries associated with the tombstones; and generate a freemap based on storage locations of the entries associated with the tombstones.Type: GrantFiled: April 24, 2018Date of Patent: September 21, 2021Assignee: RENIAC, INC.Inventors: Chidamber Kulkarni, Prasanna Sundararajan
-
Patent number: 11128604Abstract: [Problem] To provide an anonymous communication system which ensures anonymity, with which a user can be identified if necessary, and which has a high degree of social credibility. [Solution] A user computer 11 transmits to a management computer 21 electronically signed subscription application data signed using a first signature key capable of being used with another communication system. The management computer 21 verifies the electronic signature of the subscription application data using a first public key, and if the validity of the electronic signature can be verified, generates and encrypts a second signature key and transmits the encrypted second signature key to the user computer 11. The user computer 11 generates electronically signed receipt data that have been signed in duplicate using the first and second signature keys, and transmits the receipt data to the management computer 21.Type: GrantFiled: November 8, 2016Date of Patent: September 21, 2021Assignee: Amenidy, Inc.Inventors: Yoshihiro Shin, Hiroshi Yasuda, Katsuyuki Maeda, Shouichi Nishimura, Masanori Yamamura
-
Patent number: 11128455Abstract: A method and system of encrypting data using a device authentication key are disclosed. The system of encrypting data may include a transmitting device, configured to transmit a device identification information to request an authentication and a receiving device, configured to perform the authentication, and to generate an authentication key to provide to the transmitting device when the authentication is successful.Type: GrantFiled: October 19, 2017Date of Patent: September 21, 2021Assignees: TRUSST HOLDINGS INC., SOTIS, INC.Inventor: Jong Myeong Yoo
-
Patent number: 11128447Abstract: A cryptographic service device includes: a processor; and a memory storing instructions executable by the processor, wherein the processor is configured to execute the instructions to operate as a registration module, a working key creation module, and a cryptographic operation calling module. The registration module is configured to call a primary security module to generate a master key for a newly added secondary security module. The working key creation module is configured to receive a working key creation request of a business system, call the primary security module to generate a working key for the business system, and acquire a working key ciphertext. The cryptographic operation calling module is configured to receive a cryptographic operation request of the business system; call a target security module, and obtain an operation result of the target security module.Type: GrantFiled: November 30, 2020Date of Patent: September 21, 2021Assignee: Advanced New Technologies Co., Ltd.Inventors: Shuting Xiao, Xiaodan Lin, Haifeng Fang, Shengcai Gu
-
Patent number: 11120450Abstract: Techniques are described for determining account features based on a risk assessment. A first set of account features may be determined, including security feature(s) such as mode(s) for authenticating and/or verifying the identity of a user associated with account(s). Based on the first set of features, a risk metric may be determined for the account(s). The risk metric may indicate a risk that fraud may be committed against the account or using the account. Based on the determined risk metric, a second set of account features may be determined for the account(s). The first and second sets of account feature(s) may be applied to the account(s). Disabling a particular feature may cause a reevaluation of the risk metric and a redetermination of the feature sets to be applied to the account(s).Type: GrantFiled: May 11, 2017Date of Patent: September 14, 2021Assignee: United Services Automobile Association (USAA)Inventors: Thomas Bret Buckingham, Jonathan G. Walters, Jeffrey Walton Easley, Lee Adams