Abstract: A mobile device performs authentication with blinded tokens and swaps its international mobile subscriber identity (IMSI) value. For authentication with blinded tokens, the mobile device generates a blinded token and provides it to a server to encrypt. To redeem the token, the mobile device unblinds the encrypted blinded token and provides it to the server along with a public key. To complete authentication, the mobile device receives, from the server, a nonce encrypted with the public key and decrypts the nonce with a private key. For swapping its IMSI value, the mobile device retrieves two eSIM profiles with corresponding IMSI values and configures the first of the two profiles as active. In response to a trigger, the mobile device changes the active profile from the first to the second, swaps the first IMSI value with a new IMSI value, and changes the active profile back to the first profile.

Abstract: Disclosed are various embodiments for issuing virtual cards to client devices. Also disclosed are embodiments for provisioning a transaction terminal to process transactions with virtual cards. A zero-knowledge proof algorithm can be utilized to validate the transactions. A virtual card can be based upon a public key of a client device that is managed by a hardware security module.

Abstract: Systems and methods for authenticating public key infrastructure certificate enrollment using certificate entitlement licenses. One example system includes a device manager including an electronic processor. The electronic processor is configured to receive a request for software for an electronic device including a unique electronic device identifier. The electronic processor is configured to determine, based on the request, whether the electronic device is entitled to participate in a certificate management service. The electronic processor is configured to, responsive to determining that the electronic device is entitled to participate in a certificate management service, transmit a certificate entitlement license request including the unique device identifier to a certificate entitlement license manager. The electronic processor is configured to receive, from the certificate entitlement license manager, a certificate entitlement license for the unique device identifier.

Abstract: A method of validating the contents of an electronic file. The method comprises requesting an electronic file by an application executing on a computer system by providing a multi-segment filename, wherein the multi-segment filename comprises a unique delimiter between each of the segments of the multi-segment filename and one of the segments of the multi-segment filename is a hash of a content of the electronic file referenced by the multi-segment filename, receiving by the application the electronic file referenced by the multi-segment filename, determining a hash over the content of the electronic file by the application, comparing by the application the hash determined by the application to the hash of the content stored in the one of the segments of the multi-segment filename, and, based on the two hashes agreeing, opening by the application the contents of the electronic file for use.

Abstract: An automated teller machine (ATM) has a display and a wireless communication interface. The ATM may detect a proximity of a mobile computing device and exhibit on its display an indication of the proximity of mobile computing device to the ATM. The ATM may also be configured to detect when the mobile computing device and the ATM have established a wireless communication connection and display a visual cue on the display that the wireless connection has been established. The ATM is configured to synchronize the display of the ATM with a display of the mobile computing device. The displays may be synched temporally and positionally and may display the same or related content, such as an image or animation at the same time.

Abstract: A physiological test credit method determines if test credits are available to the monitor and checks if a Wi-Fi connection is available. If test credits are less than a test credit threshold, the monitor connects to a test credit server, processes server commands so as to download test credits and disconnects from the server. In various embodiments, the monitor is challenged to break a server code, the server is challenged to break a monitor code. The server validates monitor serial codes, and saves monitor configuration parameters.

Abstract: Systems, apparatuses, methods, and computer program products are disclosed for authentication of devices. An example method includes an authentication technique utilizing authentication tokens. Authentication tokens may be bit strings associated with time intervals and may be derived from quantum particles. Quantum particles may be obtained by two or more devices in a continuous stream via quantum key distribution. Devices throughout a distributed system may read the quantum particles at previously established time intervals, obtain bit strings, and use the bit strings as authentication tokens to perform one, multiple, and/or continuous authentication processes. Each device may have access to matching authentication tokens without exchanging any authentication tokens between devices and, therefore, the authentication tokens may be used as shared secrets to facilitate a more secure connection between devices.

Abstract: Embodiments of systems and methods to provide a firmware update to devices configured in a redundant configuration in an Information Handling System (IHS) are disclosed. In an illustrative, non-limiting embodiment, an IHS may include computer-executable instructions to receive a password comprising a first plurality of characters, concatenate a second plurality of characters to the hashed password to form a patched password, encrypt the patched password, and send the hashed patched password to a server IHS for authentication. The second characters are configured to continually change value over time.

Abstract: Methods, systems, and media for protecting and verifying video files are provided.

Abstract: A contactless card can include a plurality of keys for a specific operation, e.g., encryption or signing a communication. The contactless card can also include an applet which uses a key selection module. The key selection module can select one of the plurality of keys and the applet can use the key to, e.g., encrypt or sign a communication using an encryption or signature algorithm. The contactless card can send the encrypted or signed communication to a host computer through a client device. The host computer can repeat the key selection technique of the contactless device to select the same key and thereby decrypt or verify the communication.

Abstract: A method and apparatus for processing biometric information in an electronic device including a processor that operates at a normal mode or at a secure mode, the method comprising, detecting a biometric input event from a biometric sensor module at normal mode, creating biometric data based on sensed data from the biometric sensor module at the secure mode, performing biometric registration or biometric authentication based on the created biometric data at the secure mode, and providing result information of biometric registration or biometric authentication at the normal mode.

Abstract: A user authentication method performed in an unmanned delivery system including a server, a buyer customer device, a deliveryman customer device, and an autonomous delivery vehicle includes: generating, by the server, a session key based on order information received from the buyer customer device, and transmitting the generated session key to the deliveryman customer device and the buyer customer device; generating, by the deliveryman customer device, a One-Time Password (OTP) based on the session key; applying, by the deliveryman customer device as a first application step, a hash function to the OTP a first predetermined number of times; additionally applying, by the deliveryman customer device as a second application step, the hash function to the OTP generated in the first application step a second predetermined number of times; and generating, by the deliveryman customer device, a first Quick Response (QR) code based on the OTP generated in the second application step.

Abstract: A computer implemented system for controlling access to data associated with an entity includes a data storage device having a computer memory, and one or more processors. The one or more processors are configured for: storing a secret key associated with the entity in a computer memory associated with the entity; upon receiving entity data, storing the entity data in the computer memory; and upon receiving an access grant signal, enabling communication of information relating to the entity data.

Abstract: A method for accessing secured data stored in an eID card using combined MoC and MRZ technology is provided. The eID card receives from a card reader an extracted biological feature that is obtained by a biometric device extracting a biological feature of a user. When the extracted biological feature matches a pre-stored biometric template, the eID card permits the card reader to acquire a digital access code stored therein the content of which is identical to a printed MRZ code on the eID card. Upon receipt of the digital access code, the card reader establishes secured communication with the eID card to access the secured data that is stored in the eID card.

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

Abstract: In some implementations, a system may receive a first request including a user internet protocol (IP) address associated with the first request, and a user e-mail address associated with an e-mail account of a user. The system may store the submission IP address in association with the first request. The system may transmit a confirmation e-mail message to the user e-mail address. The confirmation e-mail message may include image data associated with the first request. The system may receive, from an e-mail client associated with the user e-mail account, a second request to access the image data. The second request may include a confirmation IP address. The system may perform a comparison of the requesting and submission IP addresses and the submission IP address. The system may transmit, to the e-mail client, an image associated with the image data and based on the comparison.

Abstract: A method of authenticating a card for use with a mobile pay function of a mobile device is provided. The method includes: receiving a payment transaction from the mobile device; identifying the payment transaction from the mobile device as an authentication request by determining that the payment transaction includes a payment amount less than or equal to a predefined amount, wherein the authentication request includes a cryptogram; decrypting the cryptogram; verifying and approving the authentication request that was generated by the card and wirelessly transmitted to the mobile device from the card based on the decrypted cryptogram; transmitting an authentication decision to the mobile device based on the approval; and, enabling the mobile pay function for the card for the mobile device to complete mobile pay transactions utilizing the card.

Abstract: Technology is shown for establishing a chain of trust for an unknown root certificate in an isolated network that is verified using a chain of trust external to the network. A bootstrap executable and a leaf certificate rooted in the external chain of trust are configured with an OID. The leaf certificate is received in the isolated network and used to sign a new root certificate created in the isolated network to create a blob that is stored in a pre-determined location. The bootstrap executable is executed to instantiate a client machine, which retrieves the blob and verifies its signature using the leaf certificate. The client machine verifies that the OID values from the blob and bootstrap executable match. If the signature and OID checks are successful, then the new root certificate is distributed within the isolated network and installed in a PKI certificate chain of trust.

Abstract: Enhanced dynamic security with partial data access to preserve anonymity is provided herein. An example method comprises storing personally identifying information (PII) about an end user in a database, organizing data in the database into tokens, determining, upon receiving a request for the PII from an agent in communication with the end user, that the agent is authorized to access the PII, granting the agent temporary access to the PII, and removing the PII from a device associated with the agent.

Abstract: An integrated circuit device including processing circuitry, communications circuitry configured to provide a communication link with a communication apparatus external to the integrated circuit device, and a memory accessible by the processing circuitry and by the communications circuitry, the memory comprising a memory region to which the processing circuitry has write access and to which the communications circuitry has read access, in which the processing circuitry is configured to write information to the memory region indicative of one or more use conditions of the integrated circuit device, and in which the communications circuitry is configured to access the memory region and to provide the information indicative of the one or more use conditions of the integrated circuit device via the communication link.

Abstract: Systems, methods, and computer-readable storage media for ensuring electronic communications have not been intercepted and manipulated. An exemplary device generates a public/private pair of keys, and transmits the public key to another device with information about the data to be shared. The second device encrypts associated data, while also executing a hash function on at least a portion of the data. The first device receives the encrypted data, decrypts it, and verifies its accuracy using a third party. The third party also executes the hash function on the data received from the first device, and transmits the output of that hash function to the first device. Both the first device and second devices and display the hash values, allowing users to visually determine if the data has been manipulated during the transaction.

Abstract: Unknown devices may be bound to an identity using a four step process that involves trusted relationships only between known partner entities and a known user attribute. The identity may be an account, such as a personal account number (PAN). The PAN may be abstracted using a token for use with the device. The unknown device may first be enrolled at a service to establish a cryptographically verifiable identity. A binding request for the enrolled device may be sent to an issuer of the PAN resulting in the issuer generating a challenge. After a successful authentication of the challenge at the token service provider, the binding of the token to the device is complete.

Abstract: Securely executing instructions of software on a computerized device by accessing a software of a computerized device, wherein the software includes a plurality of instructions and respective reference message authentication codes (MACs), generating a cryptographic key based at least in part on a key derivation function, wherein arguments of the key derivation function are based at least in part on a unique identifier of the computerized device and a value extended from a measurement of a content of the software of an extension mechanism of a platform configuration register of the computerized device, verifying an instruction of the plurality of instructions of the software based at least in part on the cryptographic key and a reference MAC of the respective reference MACs, and in response to verifying the instruction of the plurality of instructions of the software, executing the instruction.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for generation of dynamic authentication tokens for use in system-to-system transaction authorization and user identity verification. The system utilizes user biometric data to generate unique authentication tokens which are customized to a particular user. Furthermore, the system rotates not only the encryption algorithms used, but also the datasets being encrypted in order to provide a high level of security such that even if a user's biometric data was compromised, it would be highly unlikely that an attacker would be able to recreate the authentication token stemming from said biometric data at any given point in time. The system eliminates the need for user-provided authentication credentials and provides a more secure and more efficient method of authenticating data exchange between multiple systems or applications.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: A method of accessing data at a device, wherein the data is stored remotely from the device or in removable storage. The method may the following steps: (i) sending a request from the device to access the data, the request including an identification code of a secure element or a memory card associated with the device, (ii) verifying, based at least partly on the identification code, whether access to the data is to be allowed or denied, and (iii) allowing or denying the device access to the data accordingly.

Abstract: Disclosed embodiments include systems, methods, and computer-readable media for maintaining and accessing security metadata associated with a micro service. Aspects include generating security metadata associated with a micro service. The security metadata may be separate from an executable portion of the micro service and define a plurality of security attributes of the micro service. Examples of security attributes include a security grade level for the micro service, a security sensitive operation that the micro service is programmed to perform, a function classification for the micro service, and an idempotence property for the micro service, among others. Aspects also include accessing the security metadata, and determining, based on the security metadata, whether to perform a control action of various different types for the micro service.

Abstract: A storage system that determines coupling priority of a plurality of coupling candidate servers includes a control unit. The control unit is configured to acquire information on security strength from the coupling candidate servers, determine coupling priority of the respective coupling candidate servers on a basis of the security strength of the coupling candidate servers and processing speed performance in processing relating to security with the coupling candidate servers, and cause the determined coupling priority of the coupling candidate servers to be stored in a prescribed memory.

Abstract: Various embodiments are generally directed to techniques of generating a unique biometric key, hashing and salting the key, and storing it. Embodiments include techniques to analyze biological information associated with a user and determine one or more biological characteristics from the analyzed information. The biological characteristics may be used to generate a character string unique to the user, which may be used to generate the biometric key based on a cryptographic algorithm. The hash values, salt values, or the hash function may be changed at a predetermined interval.

Abstract: Systems, computer program products, and methods are described herein for dynamically reconfiguring electronic applications based on user requests. The present invention may be configured to analyze multiple applications to determine configurations, programming interfaces, functions, and data formats of each application of the applications and receive payload data, where the payload data is based on a user request, and where the user request includes a user identifier associated with a user that provided the user request and information identifying an engineering request. The present invention may be further configured to determine, based on the payload data, an application, of the applications, for performing the engineering request and convert the payload data to a data format, of the data formats, for the application to obtain converted data. The present invention may be further configured to perform, on the application and based on the converted data, the engineering request.

Abstract: Public-key cryptography allows putting into practice concepts of digital signatures and public-key key exchange; methods used on a daily basis in digital systems. A method generates a protected secret value k? used as a first operand in a cryptographic group operation involving a base group element G of order n and including: generating random positive integers k1 and k2, that are strictly smaller than the order of the group element G due to a cryptographically secure random number generator, such that the generated random positive integers k1 and k2 do not share any divisor with the order n other than 1; generating the protected secret value k? based on the generating random positive integers such as k?=k1*k2, the protected secret value k? being used as a second operand in the group operation.

Abstract: A method and apparatus provides for securely unlocking a locked program domain by a third party wishing to gain extraordinary access to the program domain by a third party. The third party and the program domain are mutually authenticated using exclusive self-escrow of credentials that are generated, revealed, or stored within the program domain. Multiple third parties that are required for unlocking the program domain may also be authenticated prior to unlocking the program domain. The method and apparatus provides extraordinary access without the use of backdoors or having the program domain provide credentials to third parties.

Abstract: Systems and methods for blockchain-based asset authentication are described. The disclosed embodiments leverage the traceability and immutability of blockchains (or distributed ledgers, in general) to enable the authentication and ownership of assets, e.g., luxury goods. In an example, this is achieved by first pairing an authentication chip with a physical product, and writing a transaction correlated with the first pairing to a blockchain. The product being acquired (reacquired) results in the blockchain being updated (e.g., an updated transaction being written to the blockchain) and the (subsequent) owner being provided with a digital passport that can be added to the owner's digital Web3 wallet. The described embodiments advantageously enable digital identities to be associated with physical goods, which adds value for customers making a long-term investment in a luxury good, and promotes sustainability and transparency in manufacturing and retail processes.

Abstract: Technologies are disclosed for associating a subscriber's subscription profile established with a local media content delivery network, or MSO, with a remote CPE and/or network gateway device, perhaps for example served by the same MSO. One or more techniques may control the delivery of a subscriber's media content, perhaps for example by a media control device. Techniques may include receiving one or more credentials by the media control device, where the media control device is geographically remote from the subscriber's local media content delivery network. A signal may be sent to a media content delivery network device, where the signal may include information corresponding to the credentials. A configuration may be received for the subscriber's local media content delivery network in response to the signal. The configuration may be installed on the media control device. Media content may be delivered by the media control device.

Abstract: The technology described herein discloses systems and methods for upgrading biometric authentication system. The system can receive first biometric information in connection with an authentication request from a user. The system can authenticate the user via a first authentication system by comparing the first biometric information received in connection with the authentication request with second biometric information. The user can be automatically enrolled into a second authentication system using the first biometric information received in connection with the authentication request.

Abstract: A system and method are provided for authenticating client devices communicating with an enterprise system. The method includes providing a policy enforcement interceptor to intercept API calls and enabling the policy enforcement interceptor to communicate with a policy information point to query the at least one endpoint for entitlements associated with an account. The method also includes intercepting an API call to the application API, communicating with the policy information point to determine entitlements associated with the account by having the policy information point query an entitlements database and, when the entitlements returned to the policy enforcement interceptor are valid, invoking a policy decision point to validate the client device. The method also includes, when the client device is validated, permitting invocation of the API. The method also includes providing an API response to the client device to permit access to the application via the API.

Abstract: Computer systems and methods for replicating a portion of a data set to a local repository associated with a subnetwork are disclosed. In one implementation, a method for a device associated with a subnetwork may include obtaining a portion of a data set from a central repository. The data set may be associated with one or more subnetworks, and the portion of the data set may be associated with the subnetwork. The method may further include obtaining a request for data originating from a node in the subnetwork. In addition, the method may include determining whether the central repository is unavailable to provide the requested data, and providing the requested data to the node after the central repository is determined as being unavailable.

Abstract: Methods and systems are described herein for facilitating blockchain operations in decentralized applications by offering enhanced efficient when conducting blockchain operations using cryptography-based, digital ledgers through the use of specialized indexing. For example, as opposed to relying on raw blockchain data to power decentralized applications, the methods and systems use a blockchain indexer. The blockchain indexer provides a queryable record of a subset of blockchain operations.

Abstract: Systems and methods for providing one or more secure services are disclosed. One method can comprise authenticating and/or authorizing a user device to receive a security token. A request for information can be processed using the security token to facilitate the secure provision of services to the user device.

Abstract: Leveraging secure tokenization, such as a Non-Fungible Token (NFT), for purposes of multifactor and/or elevated user authentication. In this regard, an authentication NFT is generated based at least on a user's authentication credentials. Subsequently, the authentication NFT is verified/validated via a private distributed trust computing network and stored, in a deactivated state, on a distributed ledger. Once the user is confronted with an elevated and/or multifactored authentication process, the user may initiates use of the authentication NFT by checking-out the authentication NFT from the distributed ledger and moving the authentication NFT from the deactivated state to an activated state, in which the user credentials are accessible to the user for purposes of authentication.

Abstract: Methods and apparatus, including computer program products, are provided for express voting. In some example embodiments, there is provided a method for express voting. The method may include authenticating a voter based on a token carried by a user equipment, the token mapped to at least one of an identity of the voter, a precinct of the voter, and a ballot for the voter; and providing, when the authenticating indicates the voter is authorized to vote, the ballot presented on the user equipment. Related systems, methods, and articles of manufacture are also disclosed.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: A computer, including a processor and a memory, the memory including instructions to be executed by the processor to acquire a first image with a visible and NIR light camera and acquire a second image with an infrared camera. The instructions can include further instructions to determine whether the second image includes a live human face by comparing a first infrared profile included in the second image with second infrared profile included in a previously acquired third image acquired with the infrared camera; and when the second image includes the live human face, output the first image.

Abstract: A robotic process automation system includes a server processor that performs an automation task to process a work item, by initiating a java virtual machine on a second device. A first user session that employs credentials of a first user for managing execution of the automation task is also initiated on the second device. The server processor loads into the java virtual machine, with a platform class loader, one or more modules, such as logging and security, that perform functions common to the sets of task processing instructions. A first class loader a first set of task processing instructions is also loaded. Then each instruction in the first set of task processing instructions is loaded with a separate class loader. The server processor causes execution, under control of the first user session, on the second device, the task processing instructions that correspond to the work item.

Abstract: Apparatuses and methods are disclosed for protection of data servers configured for data replication of a database. As an example, one apparatus includes at least one processing circuit configured to receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers. The at least one processing circuit is configured to delay replication of the modification in one or more additional servers in the plurality of data servers for a respective length of time specified for the servers in security profile data. While delaying replication of the modification, the processing circuit determines a probability that the modification is malicious based on a first set of factors indicated in a security profile. If the probability is greater than a threshold specified in the security profile data, the processing circuit prevents the modification from being performed.

Abstract: A client device for use with a gateway device (or a Wi-Fi APD) with a key stored therein and an external server where an original singe sign on (SSO) password is stored. The client device transmits a one time password (OTP) request to the external server, obtains the OTP from the external server, transmits the OTP to the external server to authenticate the client device, transmits an encrypted SSO password request to the external server, onboards the gateway device using a temporary password, receives the encrypted SSO password from the external server, obtains the key from the gateway device, decrypts the encrypted SSO password using the key to obtain the SSO password, and changes the temporary password of the gateway device to the original SSO password.

Abstract: An electronic device includes a slave interface configured for coupling to a machine controller of a machine via a multi-drop bus (MDB), a host interface configured for coupling to a first peripheral device of the machine, and memory storing one or more programs to be executed by the one or more processors and comprising instructions for: registering the electronic device as a slave to the machine controller, registering the first peripheral device as a slave to the electronic device, receiving from a mobile device a request to access signals generated by the first peripheral device, validating the request, and sending a reset command to the first peripheral device via the host interface, the reset command including a directive to update a signal destination address of the first peripheral device from a controller address of the machine controller to a device address of the electronic device.

Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: An information processing apparatus which anonymizes data composed of records including one or more items through statistical processing, includes a memory and a processor to execute classifying respective records constituting the data into one or more sets based on masking target items indicating items to be masked among the items, a dictionary which expresses categories of item values in a tree structure for each of the masking target items, a selected hierarchy level indicating a hierarchy level selected in the tree structure for each of the masking target items, and the number of records included in the data, and calculating the number of records N of each set and a ratio of records belonging to a set including N records, and dividing the data into one or more pieces of data in a case where the ratio of the records belonging to the set including N records satisfies a predetermined condition.

Abstract: Systems and methods for interoperable network token processing are provided. A network token system provides a platform that can be leveraged by external entities (e.g., third party wallets, e-commerce merchants, payment enablers/payment service providers, etc.) or internal payment processing network systems that have the need to use the tokens to facilitate payment transactions. A token registry vault can provide interfaces for various token requestors (e.g., mobile device, issuers, merchants, mobile wallet providers, etc.), merchants, acquirers, issuers, and payment processing network systems to request generation, use and management of tokens. The network token system further provides services such as card registration, token generation, token issuance, token authentication and activation, token exchange, and token life-cycle management.