Abstract: A method and apparatus provides for securely unlocking a locked program domain by a third party wishing to gain extraordinary access to the program domain by a third party. The third party and the program domain are mutually authenticated using exclusive self-escrow of credentials that are generated, revealed, or stored within the program domain. Multiple third parties that are required for unlocking the program domain may also be authenticated prior to unlocking the program domain. The method and apparatus provides extraordinary access without the use of backdoors or having the program domain provide credentials to third parties.

Abstract: Public-key cryptography allows putting into practice concepts of digital signatures and public-key key exchange; methods used on a daily basis in digital systems. A method generates a protected secret value k? used as a first operand in a cryptographic group operation involving a base group element G of order n and including: generating random positive integers k1 and k2, that are strictly smaller than the order of the group element G due to a cryptographically secure random number generator, such that the generated random positive integers k1 and k2 do not share any divisor with the order n other than 1; generating the protected secret value k? based on the generating random positive integers such as k?=k1*k2, the protected secret value k? being used as a second operand in the group operation.

Abstract: Systems, computer program products, and methods are described herein for dynamically reconfiguring electronic applications based on user requests. The present invention may be configured to analyze multiple applications to determine configurations, programming interfaces, functions, and data formats of each application of the applications and receive payload data, where the payload data is based on a user request, and where the user request includes a user identifier associated with a user that provided the user request and information identifying an engineering request. The present invention may be further configured to determine, based on the payload data, an application, of the applications, for performing the engineering request and convert the payload data to a data format, of the data formats, for the application to obtain converted data. The present invention may be further configured to perform, on the application and based on the converted data, the engineering request.

Abstract: Systems and methods for blockchain-based asset authentication are described. The disclosed embodiments leverage the traceability and immutability of blockchains (or distributed ledgers, in general) to enable the authentication and ownership of assets, e.g., luxury goods. In an example, this is achieved by first pairing an authentication chip with a physical product, and writing a transaction correlated with the first pairing to a blockchain. The product being acquired (reacquired) results in the blockchain being updated (e.g., an updated transaction being written to the blockchain) and the (subsequent) owner being provided with a digital passport that can be added to the owner's digital Web3 wallet. The described embodiments advantageously enable digital identities to be associated with physical goods, which adds value for customers making a long-term investment in a luxury good, and promotes sustainability and transparency in manufacturing and retail processes.

Abstract: Technologies are disclosed for associating a subscriber's subscription profile established with a local media content delivery network, or MSO, with a remote CPE and/or network gateway device, perhaps for example served by the same MSO. One or more techniques may control the delivery of a subscriber's media content, perhaps for example by a media control device. Techniques may include receiving one or more credentials by the media control device, where the media control device is geographically remote from the subscriber's local media content delivery network. A signal may be sent to a media content delivery network device, where the signal may include information corresponding to the credentials. A configuration may be received for the subscriber's local media content delivery network in response to the signal. The configuration may be installed on the media control device. Media content may be delivered by the media control device.

Abstract: The technology described herein discloses systems and methods for upgrading biometric authentication system. The system can receive first biometric information in connection with an authentication request from a user. The system can authenticate the user via a first authentication system by comparing the first biometric information received in connection with the authentication request with second biometric information. The user can be automatically enrolled into a second authentication system using the first biometric information received in connection with the authentication request.

Abstract: A system and method are provided for authenticating client devices communicating with an enterprise system. The method includes providing a policy enforcement interceptor to intercept API calls and enabling the policy enforcement interceptor to communicate with a policy information point to query the at least one endpoint for entitlements associated with an account. The method also includes intercepting an API call to the application API, communicating with the policy information point to determine entitlements associated with the account by having the policy information point query an entitlements database and, when the entitlements returned to the policy enforcement interceptor are valid, invoking a policy decision point to validate the client device. The method also includes, when the client device is validated, permitting invocation of the API. The method also includes providing an API response to the client device to permit access to the application via the API.

Abstract: Computer systems and methods for replicating a portion of a data set to a local repository associated with a subnetwork are disclosed. In one implementation, a method for a device associated with a subnetwork may include obtaining a portion of a data set from a central repository. The data set may be associated with one or more subnetworks, and the portion of the data set may be associated with the subnetwork. The method may further include obtaining a request for data originating from a node in the subnetwork. In addition, the method may include determining whether the central repository is unavailable to provide the requested data, and providing the requested data to the node after the central repository is determined as being unavailable.

Abstract: Methods and systems are described herein for facilitating blockchain operations in decentralized applications by offering enhanced efficient when conducting blockchain operations using cryptography-based, digital ledgers through the use of specialized indexing. For example, as opposed to relying on raw blockchain data to power decentralized applications, the methods and systems use a blockchain indexer. The blockchain indexer provides a queryable record of a subset of blockchain operations.

Abstract: Systems and methods for providing one or more secure services are disclosed. One method can comprise authenticating and/or authorizing a user device to receive a security token. A request for information can be processed using the security token to facilitate the secure provision of services to the user device.

Abstract: Leveraging secure tokenization, such as a Non-Fungible Token (NFT), for purposes of multifactor and/or elevated user authentication. In this regard, an authentication NFT is generated based at least on a user's authentication credentials. Subsequently, the authentication NFT is verified/validated via a private distributed trust computing network and stored, in a deactivated state, on a distributed ledger. Once the user is confronted with an elevated and/or multifactored authentication process, the user may initiates use of the authentication NFT by checking-out the authentication NFT from the distributed ledger and moving the authentication NFT from the deactivated state to an activated state, in which the user credentials are accessible to the user for purposes of authentication.

Abstract: The techniques herein are directed generally to a “zero-knowledge” data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data—all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

Abstract: Methods and apparatus, including computer program products, are provided for express voting. In some example embodiments, there is provided a method for express voting. The method may include authenticating a voter based on a token carried by a user equipment, the token mapped to at least one of an identity of the voter, a precinct of the voter, and a ballot for the voter; and providing, when the authenticating indicates the voter is authorized to vote, the ballot presented on the user equipment. Related systems, methods, and articles of manufacture are also disclosed.

Abstract: A computer, including a processor and a memory, the memory including instructions to be executed by the processor to acquire a first image with a visible and NIR light camera and acquire a second image with an infrared camera. The instructions can include further instructions to determine whether the second image includes a live human face by comparing a first infrared profile included in the second image with second infrared profile included in a previously acquired third image acquired with the infrared camera; and when the second image includes the live human face, output the first image.

Abstract: Apparatuses and methods are disclosed for protection of data servers configured for data replication of a database. As an example, one apparatus includes at least one processing circuit configured to receive records indicating respective modifications performed on a first version of the database stored in a first data server of the plurality of data servers. The at least one processing circuit is configured to delay replication of the modification in one or more additional servers in the plurality of data servers for a respective length of time specified for the servers in security profile data. While delaying replication of the modification, the processing circuit determines a probability that the modification is malicious based on a first set of factors indicated in a security profile. If the probability is greater than a threshold specified in the security profile data, the processing circuit prevents the modification from being performed.

Abstract: A robotic process automation system includes a server processor that performs an automation task to process a work item, by initiating a java virtual machine on a second device. A first user session that employs credentials of a first user for managing execution of the automation task is also initiated on the second device. The server processor loads into the java virtual machine, with a platform class loader, one or more modules, such as logging and security, that perform functions common to the sets of task processing instructions. A first class loader a first set of task processing instructions is also loaded. Then each instruction in the first set of task processing instructions is loaded with a separate class loader. The server processor causes execution, under control of the first user session, on the second device, the task processing instructions that correspond to the work item.

Abstract: A client device for use with a gateway device (or a Wi-Fi APD) with a key stored therein and an external server where an original singe sign on (SSO) password is stored. The client device transmits a one time password (OTP) request to the external server, obtains the OTP from the external server, transmits the OTP to the external server to authenticate the client device, transmits an encrypted SSO password request to the external server, onboards the gateway device using a temporary password, receives the encrypted SSO password from the external server, obtains the key from the gateway device, decrypts the encrypted SSO password using the key to obtain the SSO password, and changes the temporary password of the gateway device to the original SSO password.

Abstract: An electronic device includes a slave interface configured for coupling to a machine controller of a machine via a multi-drop bus (MDB), a host interface configured for coupling to a first peripheral device of the machine, and memory storing one or more programs to be executed by the one or more processors and comprising instructions for: registering the electronic device as a slave to the machine controller, registering the first peripheral device as a slave to the electronic device, receiving from a mobile device a request to access signals generated by the first peripheral device, validating the request, and sending a reset command to the first peripheral device via the host interface, the reset command including a directive to update a signal destination address of the first peripheral device from a controller address of the machine controller to a device address of the electronic device.

Abstract: An information processing apparatus which anonymizes data composed of records including one or more items through statistical processing, includes a memory and a processor to execute classifying respective records constituting the data into one or more sets based on masking target items indicating items to be masked among the items, a dictionary which expresses categories of item values in a tree structure for each of the masking target items, a selected hierarchy level indicating a hierarchy level selected in the tree structure for each of the masking target items, and the number of records included in the data, and calculating the number of records N of each set and a ratio of records belonging to a set including N records, and dividing the data into one or more pieces of data in a case where the ratio of the records belonging to the set including N records satisfies a predetermined condition.

Abstract: A method and apparatus for testing and simulating an access control policy are disclosed. Evaluating an access control policy may be performed by utilizing a deny statement that causes the access request to be rejected despite actions indicated in the access request being authorized. Further, an independent simulation environment may be utilized for testing access control policy evaluation.

Abstract: Systems and methods for interoperable network token processing are provided. A network token system provides a platform that can be leveraged by external entities (e.g., third party wallets, e-commerce merchants, payment enablers/payment service providers, etc.) or internal payment processing network systems that have the need to use the tokens to facilitate payment transactions. A token registry vault can provide interfaces for various token requestors (e.g., mobile device, issuers, merchants, mobile wallet providers, etc.), merchants, acquirers, issuers, and payment processing network systems to request generation, use and management of tokens. The network token system further provides services such as card registration, token generation, token issuance, token authentication and activation, token exchange, and token life-cycle management.

Abstract: The disclosed exemplary embodiments include computer-implemented systems, apparatuses, and processes that, among other things, authenticate device identity and authorize exchanges of data in real-time based on dynamically generated cryptographic data. For example, an apparatus may receive a first signal that includes a first cryptogram associated with a client device, and may perform operations that authenticate an identity of the client device based on a comparison of the received first cryptogram and a second cryptogram generated by a computing system associated with an application program executed by the client device. In response to the authenticated identity, the apparatus may load profile data associated with the client device from a storage unit, and perform operations consistent with the profile data in accordance with the authenticated identity.

Abstract: A system and method for a distributed security model that may be used to achieve one or more of the following: authenticate system components; securely transport messages between system components; establish a secure communications channel over a constrained link; authenticate message content; authorize actions; and distribute authorizations and configuration data amongst users' system components in a device-as-a-key system.

Abstract: A method and system for provisioning access data in a second application on a mobile device using a first application on the mobile device. Authentication data may be input into the first application, and an authentication code may be requested from a remote server. After the authentication code is received by the first application in the mobile device, it can pass the authentication code to a second application that initiates an access data provisioning process.

Abstract: An entity may generate digital account credentials when a new account is approved for generation by an authorizing entity that controls or issues new accounts. A user may contact an authorizing entity to open a new account with the authorizing entity. The authorizing entity may authenticate the user and may approve a new account to be generated for the user. The user may wish to conduct transactions immediately upon approval. However, the authorizing entity may not immediately generate a physical identification device along with an actual account identifier associated with the new account. An intermediary entity may generate digital account credentials for the new account immediately after the authorizing entity approves generation of the new account, provide the digital account credentials to the account holder, and process transactions using the digital account credentials.

Abstract: Systems, apparatuses, and methods related to a computer system having a processor and a main memory storing scrambled data are described. The processor may have a secure zone configured to store keys and an unscrambled zone configured to operate on unscrambled data. The processor can convert the scrambled data into the unscrambled data in the unscrambled zone using the keys retrieved from the secure zone in response to execution of instructions configured to operate on the unscrambled data. Another processor may also be coupled with the memory, but can be prevented from accessing the unscrambled data in the unscrambled zone.

Abstract: Embodiments are provided for protecting boot block space in a memory device. Such a memory device may include a memory array having a protected portion and a serial interface controller. The memory device may have a register that enables or disables access to the portion when data indicating whether to enable or disable access to the portion is written into the register via a serial data in (SI) input.

Abstract: Systems and methods as provided herein may create a biometric model associated with a user. The created biometric model may be used to generate challenges that are presented to the user for authentication purposes. A user response to the challenge may be compared to an expected response, and if the user response matches within a predetermined error of the expected response, the user may be authenticated. The systems and methods may further generate challenges that are adaptively designed to address weaknesses or errors in the created model such that the model is more closely associated with a user and the user is more likely to be the only person capable of successfully responding to the generated challenges.

Abstract: Example implementations can involve a system, which can involve a server configured to distribute role decision condition expressions created based on user input to one or more storage devices; and the one or more storage devices, which can involve a processor, configured to, for receipt of a request, determine user identification information, request source environment information and requested contents from the request; determine a role from the role decision condition expressions based on the user identification information and request source environment information; and determine whether or not the request can be executed based on the role.

Abstract: A method includes receiving a communication identifying a remote database and a first value stored in the remote database that is being transferred to a first entity by a second entity. That first value is capable of being modified by the second entity. Modification of the first value stored in the remote database by the second entity is prevented by identifying an application programming interface allowing operations to be performed on the remote database, and using that API to transfer the first value so as to be associated with one or more other identifiers unknown to the second entity. After modification of the first value stored by the second entity is prevented, a transfer of a second value to a database record associated with the second entity is triggered. Related systems and applications of the method and those systems are also disclosed.

Abstract: In various embodiments, authentication stations are distributed within a facility, particularly in spaces where mobile devices are predominantly used—e.g., a hospital's emergency department. Each such station includes a series of authentication devices. Mobile device may run applications for locating the nearest such station and, in some embodiments, pair wirelessly with the station so that authentication thereon will accord a user access to the desired resource via a mobile device.

Abstract: This disclosure describes techniques for implementing a Single-sign-On Domain-Agnostic Proof-of-Possession (SODA-POP) token (or access token) to solve generation of multiple POPs for authentication of multiple domains that may belong to a single mobile network operator (MNO). The access token may be implemented by a JSON Web Token (JWT) that includes a map of key-value pairs as confirmation claims. The key-value pairs may include multiple domains/sub-domains and their corresponding public keys. These key-value pairs may be registered and added in the confirmation claims to automatically authenticate each one of the domains to access a corresponding service provider. To register a new domain, the new domain redirects a request back to an already registered domain, which updates the access token and then redirects the request back to the new domain. After registration, the updated access token may be used to access services at all registered domains without further reauthentication.

Abstract: A disclosed method for managing encryption keys, which may be performed by a key management server, responds to receiving, from a first client, a request to create a new key for a self-encrypting drive (SED) associated with the first client by retrieving unique identifiers of the first client and the SED, generating and storing the new key and a corresponding key identifier (KeyID), and associating the unique identifiers of the SED and first client with the new key. Upon receiving, from a second client, a locate key request that includes the SED identifier, providing the new key, the KeyID, and the first client identifier to the second client. Associating the SED and first client identifiers with the new key may include adding the identifiers as attributes of the KeyID. Embodiments may be implemented in accordance with a key management interoperability protocol (KMIP) standard.

Abstract: A user authentication method performed in an unmanned delivery system including a server, a buyer customer device, a deliveryman customer device, and an autonomous delivery vehicle includes: generating, by the server, a session key based on order information received from the buyer customer device, and transmitting the generated session key to the deliveryman customer device and the buyer customer device; generating, by the deliveryman customer device, a One-Time Password (OTP) based on the session key; applying, by the deliveryman customer device as a first application step, a hash function to the OTP a first predetermined number of times; additionally applying, by the deliveryman customer device as a second application step, the hash function to the OTP generated in the first application step a second predetermined number of times; and generating, by the deliveryman customer device, a first Quick Response (QR) code based on the OTP generated in the second application step.

Abstract: Described is a hybrid centralized-decentralized system for managing data and token transactions among a decentralized group of stakeholders. The system uses a blockchain architecture to maintain secure identities for the stakeholders, as well as allow any stakeholder to perform a data or token transaction with another stakeholder. A central organization manages a central application and a data exchange. The central application manages profile data from users and interaction data for users with developer applications, and provides it to the data exchange. The data exchange organizes and packages the data, and may provide it to other stakeholder for analysis.

Abstract: An inspection apparatus that performs quality inspection on a printed matter printed by a printer using a reference image and a scanned image of the printed matter. When inspecting the quality of the printed matter, selection is performed as to which to use as the reference image, a pre-printed image for use in printing the printed matter, or the scanned image. In a case where a difference is detected as a result of comparison between the pre-printed image and the scanned image, a reference image selection screen including the pre-printed image and the scanned image is displayed. A user input is received concerning whether or not the detected difference is a defect. The reference image is selected based on the received user input.

Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.

Abstract: The present disclosure relates to devices and methods for protecting data from physical attacks. The devices and methods may establish an encryption protocol to encrypt data transmitted over a bus to one or more removable devices in communication with a computer device. The devices and methods may use the encryption protocol to communicate with the removal devices and perform storage requests at the removal devices. The devices and methods may also perform another layer of encryption on the data stored at the removal devices using a data at rest key stored on the removal devices.

Abstract: A computer-implemented method is disclosed. The method includes: receiving, via a communication interface from a client application executing on a first device, a first signal including a request to obtain an access token for accessing a protected resource, the request including a public key associated with an end user; validating the request to obtain the access token; and in response to validating the request: encrypting an authorization code associated with the request using the public key to generate a first code; and transmitting, via the communication interface to the client application on the first device, a second signal including both the access token for accessing the protected resource and the first code.

Abstract: Systems and methods are provided for verifying recurring transactions to payment accounts. One exemplary method includes initially receiving an authorization request for a transaction to a payment account and involving a merchant, where the authorization request includes a recurring payment indicator. The method also generally includes transmitting, by at least one computing device, a verification request to a consumer associated with the payment account, and inhibiting, by the at least one computing device, at least one or authorization or clearing of the transaction until a verification of the transaction, based on a direction from the consumer, is recognized, whereby the consumer is able to verify the transaction before the transaction is cleared.

Abstract: A computer-implemented system and method that includes receiving, by a messaging hub, a code and a transaction amount from a recipient and determining, by the messaging hub, based at least partially on the code, an account number for a credit card held by a user. The system and method may include receiving, by the messaging hub, funds equaling the transaction amount from the credit card and depositing the funds in an account held by the messaging hub, the funds being received via a four-party credit card transaction in which the messaging hub operates as a merchant and sending the funds from the account held by the messaging hub to an account held by the recipient.

Abstract: Embodiments of the invention are directed to systems, methods, and computer program products for generation of dynamic authentication tokens for use in system-to-system transaction authorization and user identity verification. The system utilizes user biometric data to generate unique authentication tokens which are customized to a particular user. Furthermore, the system rotates not only the encryption algorithms used, but also the datasets being encrypted in order to provide a high level of security such that even if a user's biometric data was compromised, it would be highly unlikely that an attacker would be able to recreate the authentication token stemming from said biometric data at any given point in time. The system eliminates the need for user-provided authentication credentials and provides a more secure and more efficient method of authenticating data exchange between multiple systems or applications.

Abstract: A data storage device 100 comprising: a non-volatile storage medium 108 configured to store user data 109; a data port 106 configured to transmit data and power between a host computer system 130 and the data storage device 100; a data access state indicator 140; and a controller 110 configured to: selectively set a data access state of the data storage device 100 to either: an unlocked state to enable access to the user data 109; or a locked state to disable access to the user data 109; and generate an indicator control signal to cause the data access state indicator 140 to indicate the data access state, wherein the data access state indicator 140 is configured to indicate the data access state irrespective of whether the data storage device 100 is powered through the data port 106.

Abstract: A biometric token is generated for a user and provided to a user-operated device. A pre-staged transaction is defined by a user and the user supplies the token for association with the pre-staged transaction. Subsequently, a user visits a transaction terminal and a new candidate token is generated from biometric attributes of the user. The candidate token is matched to the token associated with pre-staged transaction to authenticate the user and the pre-staged transaction is processed at the transaction terminal as a completed transaction.

Abstract: A method, including identifying, in network traffic during multiple periods, scans, each scan including an access of multiple ports on a given destination node by a given source node, and computing, for each given source in the scans, an average of destinations whose ports were accessed by the given source during any scan by the given source, and a fraction of periods when the given source accessed at least one of the destinations in at least one scan performed by the given source node. A whitelist is assembled sources for which one or more of the following conditions applies: the average of destinations accessed in the scans was greater than a first threshold, and the fraction of periods during which at least one destination was accessed in at least one scan was greater than a second threshold. Upon detecting a scan by any non-whitelisted node, a preventive action is initiated.

Abstract: Authenticating devices utilizing Transport Layer Security (TLS) protocol to facilitate exchange of authentication information or other data to permit or otherwise enable access to services requiring authentication credentials, certificates, tokens or other information. The authentication may utilize Digital Transmission Content Protection (DTCP) certificates, Diffie-Hellman (DH) parameters or other information available to the authenticating devices, optionally without requiring device requesting authentication to obtain an X.509 certificate.

Abstract: Embodiments disclosed herein generally related to a system and method of authenticating a user with a third party server. In one embodiment, a method is disclosed herein. A computing system receives, from a remote client device of the user, a token. The token includes personal identification information and a digitized file of a biometric captured by a biometric scanner. The computing system identifies via the personal identification information that the user has a user account. The computing system queries a database with the personal identification information and the digitized file to determine whether the biometric matches a stored biometric in the user account. Upon determining that the biometric matches the stored biometric, the computing system generates a message to be transmitted to the third party server that authenticates the user. The computing system transmits the message to the third party server.

Abstract: The CLOUD-BASED VIRTUAL WALLET NFC APPARATUSES, METHODS AND SYSTEMS (“EAE”) transform user enhanced security transaction initiation requests using EAE components into time-limited, session-specific transaction bounding tokens. In some implementations, the disclosure provides a processor-implemented method of transforming a transaction bounding token request into transaction bounded tokens and purchase authorizations.

Abstract: A client application establishes a connection between the client application and an origin server over one or more networks. The application generates a request to establish a secure session with the origin server over the connection. The request includes information, in a header of the request, that flags traffic sent during the secure session to a network of the one or more networks as subject to one or more optimizations performed by the network. Subsequent to establishing the secure session, the application encrypts the traffic in accordance with the secure session and sends the traffic to the origin server over the connection, subject to the one or more optimizations. The infrastructure service applies the one or more optimizations to the traffic as it passes through the edge network to the origin server.

Abstract: An apparatus and method of protecting information by using a system on a chip (SoC) are discussed. The apparatus includes a SoC memory which is disposed in a predetermined SoC and includes a first region accessible only by a unit having an access right, and a hardware (HW) filter configured to monitor at least one unit attempting to access the SoC memory. When a unit without an access right attempts to access the first region, the HW filter can block access of the unit without the access right.