Abstract: A method and devices for verifying a digital resource by a plurality of node devices in a blockchain network. The plurality of nodes have respective private key shares, where a collective private key of a collective private-public key pair is based on a set of the respective private key shares, and where each node has a nodal private-public key pair. The digital resource may be encrypted using a digital resource crypto public key, the digital resource crypto public key including combination of a nodal public key and a collective public key. The digital resource may be submitted to a repository system by broadcasting a commitment transaction and a subsequent reveal or rescind transaction of a commitment channel, the commitment channel formed between a respective node and a principal node. Decrypting the encrypted digital resource is based on retrieving private key share contributions from the plurality of nodes participating in verifying the digital resource.

Abstract: Systems and methods for protecting block cipher computation operations, from external monitoring attacks.

Abstract: Techniques in electronic systems, such as in systems including a processor complex having one or more system processors and one or more memories, provide improvements in one or more of system security, performance, cost, and efficiency. In some embodiments, the system includes secure boot logic (SBL) having immutable hardware enabled, in response to a reset of the system, to securely boot one or more boot processors of the SBL to execute known-good executable code. The SBL is then enabled to securely boot the one or more system processors to execute system code stored in a non-volatile one of the memories by copying the system code to another one of the memories from which at least one of the system processors is able to access the system code for a respective initial instruction fetch. The non-volatile memory is not accessible to the system processors.

Abstract: Embodiments for protecting data stored and transmitted in a computer network, by receiving confidential data from a client, the data organized into labeled fields and corresponding data elements; filtering the received data to identify fields that require data masking; generating a security prediction on the corresponding data elements using a machine learning process; separating the masked data into tokenized data having a respective token associated with each corresponding data element; and storing the tokenized data on a blockchain secure ledger to ensure integrity of the received data and prevent an ability to tamper with the received data.

Abstract: Methods and systems for performing a computational operation on a server host are provided. Exemplary methods include: receiving an encrypted service request from a client host, the client host encrypting a service request to produce the encrypted service request using a shared secret, the service request specifying the computational operation; decrypting, in a secure enclave, the encrypted service request using the shared secret to produce a decrypted service request, the secure enclave preventing other software running on the server host from accessing the shared secret and other data stored in a memory space; performing the computational operation, in the secure enclave, using the decrypted service request to generate a service result; encrypting, in the secure enclave, the service result using the shared secret to create an encrypted service result; and providing the encrypted service result to the client host, the client host decrypting the encrypted service result.

Abstract: A device authentication system for use with an authenticatable device having a physically-unclonable function and constructed to, in response to input, of challenge C, internally generate an output O characteristic to the PUF and the challenge C, and configured to: i) upon receiving challenge C, generate a corresponding commitment value that depends upon a private value r, and ii) upon receiving an authentication query that includes the challenge C and a nonce, return a zero knowledge proof authentication value that corresponds to the commitment value.

Abstract: According to one embodiment, a memory system includes an application module, a storage module, and a control module. The storage module stores user data, application software configured to control operation of the application module, and management information used to manage the user data and the application software. The control module controls writing and erasing of the storage module. The control module masks information indicating an access-prohibited area included in the management information read from the storage module, the access-prohibited area includes the application software.

Abstract: There is provided a provisioning device which provides, in advance, setting information necessary for joining in a wireless network to a first field device which is to newly join the wireless network to exchange data with an existing field device that is installed in a plant. The provisioning device includes: a storage unit that stores a white list which contains unique information of the first field device and the setting information such that the unique information and the setting information are correlated with each other; a device information acquiring unit that acquires the unique information from the first field device by wireless communication; an extracting unit that extracts, from the white list, the setting information that is correlated with the acquired unique information; and a setting unit that sends the extracted setting information to the first field device by wireless communication.

Abstract: A device authentication system for use with an authenticatable device having a physically-unclonable function and constructed to, in response to input of challenge C, internally generate an output O characteristic to the PUF and the challenge C, and configured to: i) upon receiving challenge C, generate a corresponding commitment value that depends upon a private value r, and ii) upon receiving an authentication query that includes the challenge C and a nonce, return a zero knowledge proof authentication value that corresponds to the commitment value.

Abstract: A web server authenticates a user with a web client using a database user table and provides a list of new applications, suspended application sessions, and running application sessions. In response to a request for a new application session, a connection is made from an agent server to an application server hosting the requested application, and connection information including a unique session_ID is added to a database session table such that the client can send a user selection for a session_ID to the web server, which associates the requested session_ID to an existing suspended or running application session using the connection database. For additional security, the client is determined to be trusted or untrusted, and if untrusted, connections to the client are made through a forwarding host, which makes connections to the agent server, and the agent server maintains persistent connections from the agent server to the application server.

Abstract: To protect sensitive data in program code, a method includes providing a programming interface with a capability of allocating a protected region of memory which can only be accessed by authorized code. Sensitive data present in program code is stored in the protected region of memory. The method includes marking parts of code in a program as authorized or not authorized to access the sensitive data, and determining if that part of a program which is executing is authorized to access protected data by reference to the marking.

Abstract: A user authentication method and system. A computing system receives from a user, a first request for accessing specified functions executed by a specified software application. The computing system enables a security manager software application and connects the specified software application to a computing apparatus. The computing system executes first security functions associated with the computing apparatus. The computing system executes second security functions associated with additional computing apparatuses. The computing system determines if the user may access the specified functions executed by the specified software application based on results of executing the first security functions and the second security functions. The computing system generates and stores a report indicating the results.

Abstract: A computer system receives a request to access a server. The request includes a first device tag set. When the first device tag set matches a previously assigned device tag set, the computer system allows access to the server without requesting full access credentials of a user. The computer system invalidates the first device tag set, and sends a second device tag set. When the first device tag set does not match the previously assigned device tag set, the computer system requests full access credentials from the user.

Abstract: In a first embodiment of the present invention, a method for operating a presence server in a home network is provided, the method comprising: receiving a request for presence information; sending an event notification to all subscribed control points informing them of the request for presence information; receiving an action from one of the subscribed control points accepting or rejecting the request for presence information; and if the action received from the one of the subscribed control points accepts the request for presence information, causing presence information regarding the one of the subscribed control points to be sent to the entity that sent the request for presence information.

Abstract: An embodiment generally relates to a method of managing tokens. The method includes detecting a presence of a token at a client and determining a status of the token. The method also includes formatting the token at the client in response to the status of the token being unformatted.

Abstract: A client device has one or more processors and memory. An application running on the device obtains a client certificate from a system service running on the device. The certificate includes a public key for the device. The device is authenticated to a remote server using the certificate. The application receives encrypted application identification information and an encrypted access token from the server. The application is authenticated to the device by comparing the received application identification information with corresponding application identification information from the application. The application invokes the system service to unencrypt the access token using the private key corresponding to the public key. The application sends a request for protected information to the server. The request includes the unencrypted access token.

Abstract: A system receives a request to store a document in a database, receives a user security token, analyzes the document to determine an adjudicated security level for the document, compares the user security token to the adjudicated security level, stores the document when the user security token is equal to the adjudicated security level, when the user security token is not equal to the adjudicated security level, queries the user as to whether the document should be stored with the adjudicated security level, receives a response to the query from the user, stores the document when the user agrees to store the document with the adjudicated security level, and when the user does not agree to store the document with the adjudicated security level, transmits a message to a security officer and quarantine the document.

Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.

Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.

Abstract: Generally, this disclosure describes devices, methods and systems for securely providing context sensor data to mobile platform applications. The method may include configuring sensors to provide context data, the context data associated with a mobile device; providing an application programming interface (API) to a sensor driver, the sensor driver configured to control the sensors; providing a trusted execution environment (TEE) operating on the mobile device, the TEE configured to host the sensor driver and restrict control and data access to the sensor driver and to the sensors; generating a request for the context data through the API, the request generated by an application associated with the mobile device; receiving, by the application, the requested context data and a validity indicator through the API; verifying, by the application, the requested context data based on the validity indicator; and adjusting a policy associated with the application based on the verified context data.

Abstract: An information processing apparatus for executing authentication processing, characterized by comprises: storage means for storing, in association with each other, an image, region information indicating a region included in the image, and word information indicating an object linked with the region; determination means for determining an image to be used for the authentication processing among the images stored in the storage means; display means for displaying the image determined by the determination means; specification means for specifying, in a case where a user designates a position within the image displayed by the display means, word information associated with region information of a region including the position; and authentication means for executing authentication processing using the word information specified by the specification means.

Abstract: A method of generating a time managed challenge-response test is presented. The method identifies a geometric shape having a volume and generates an entry object of the time managed challenge-response test. The entry object is overlaid onto the geometric shape, such that the entry object is distributed over a surface of the geometric shape, and a portion of the entry object is hidden at any point in time. The geometric shape is rotated, which reveals the portion of the entry object that is hidden. A display region on a display is identified for rendering the geometric shape and the geometric shape is presented in the display region of the display.

Abstract: A magnetic memory device includes a main memory made of magnetic memory, the main memory and further includes a parameter area used to store parameters used to authenticate data. Further, the magnetic memory device has parameter memory that maintains a protected zone used to store protected zone parameters, and an authentication zone used to store authentication parameters, the protection zone parameters and the authentication parameters being associated with the data that requires authentication. Upon modification of any of the parameters stored in the parameter memory by a user, a corresponding location of the parameter area of the main memory is also modified.

Abstract: A device includes a memory which stores a program, and a processor which executes, based on the program, a procedure comprising establishing a session with a request source when a request for a service, made to a second providing source, has been received from the request source, the second providing source providing the service based on data stored in a first providing source; and when an inquiry about whether to transmit the data to the second providing source has been received from the first providing source, notifying, so as to encrypt a mask range of the data, the first providing source of session information indicating the session established with the request source and notifying the request source of the session information so as to decrypt the encrypted mask range of data based on the session information.

Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.

Abstract: Methods and systems for third party client authentication of a client. A method includes displaying a user interface on a display of the client, the user interface including an option to select a supported credential type of a third party authentication server, receiving a command selecting the supported credential type, and sending credential information and the selected supported credential type to an authentication server for third party authentication by the third party authentication server. The third party authentication server may support a token-based authentication protocol for implementing single sign on (SSO).

Abstract: A method and apparatus to provide a cryptographic protocol for secure authentication, privacy, and anonymity. The protocol, in one embodiment, is designed to be implemented in a small number of logic gates, executed quickly on simple devices, and provide military grade security.

Abstract: A communication system exchanges key generation parameters for secure communications. An internet service and communications device of a user are in communication with each other. The internet service includes an account authentication mechanism for a user and includes a database having stored cryptographic keys and key generation parameters. A device client operates on the communications device and initiates a request to the internet service that authenticates the user and establishes a secure communications channel between the internet service and communications device and determines key generation parameters based on an authenticated user identifier and transmits the key generation parameters for initiating key generation and securely establishing a cryptographic key between the internet service and communications device.

Abstract: A combination-based broadcast encryption method includes: assigning by a server a base group of different combinations to each user; producing and sending secret information for each user by using as a base the base group allocated to each user; producing and sending an inverse-base parameter value through calculations with integers used to produce the base group and key value information of one or more privileged users; and deriving a group key by using the key value information of the privileged users, encrypting a session key by using the derived group key, and sending the encrypted session key to each user. Accordingly, each user is assigned a different base through a combination, thereby having security against collusion attacks.

Abstract: Secure function evaluation SFE) with input consistency verification is performed by two parties to evaluate a function. For each execution, the first party computes a garbled circuit corresponding to the function and uses an Oblivious Transfer protocol to provide wire secrets that are an encrypted version ki of the input xi of the second party. The second party stores the encrypted version ki of the input xi of the second party for the plurality of executions. The second party receives the garbled circuit for computation of an output, which is sent to the first party. To verify the inputs of the second party for two executions, the first party computes a check garbled circuit corresponding to a verification function based on the input keys of the garbled circuits being verified; and sends the check garbled circuit to the second party for computation of a verification output. The verification output is computed by applying the stored encrypted versions ki for the two executions to the check garbled circuit.

Abstract: The present invention provides a new method for user centered privacy which works across all 3rd party sites where users post content, or even for encryption of emails. Users have an identity with a Hyde-It Identity provider (HIP) which authenticates the user to a Hyde-It Service (HITS) which performs key distribution. The functionality can be invoked through a user toolbar, built into the browser or be downloaded on demand via a bookmarklet.

Abstract: Method and apparatus for generating cryptographic credentials certifying user attributes and making cryptographic proofs about attributes encoded in such credentials. Attributes are encoded as prime numbers E in accordance with a predetermined mapping and a cryptographic credential is generated encoding E. To prove that an attribute encoded in a cryptographic credential associated with a proving module of the system is a member of a predetermined set of user attributes, without revealing the attribute in question, the proving module determines the product Q of respective prime numbers corresponding to the attributes in the set in accordance with the predetermined mapping of attributes to prime numbers. The proving module demonstrates to the receiving module possession of a cryptographic credential encoding a secret value that is the prime number E, and then whether this secret value divides the product value Q.

Abstract: Techniques are provided for the controlled scheduling of the authentication of devices in a lossy network, such as a mesh network. An authenticator device that is configured to authenticate devices in a lossy network receives an authentication start message from a particular device to be authenticated. The authenticator device determines a schedule for engaging in an authentication procedure for the particular device based on an indication of current network utilization.

Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.

Abstract: A method for providing fast and secure access to MIFARE applications installed in a MIFARE memory being configured as a MIFARE Classic card or an emulated MIFARE Classic memory, comprises: keeping a repository of MIFARE memories and user identifications assigned to said MIFARE memories as well as of all MIFARE applications installed in the MIFARE memories, wherein, when a new MIFARE application is to be installed in a MIFARE memory identified by a user identification the present memory allocation of said MIFARE memory is retrieved, an appropriate sector of said MIFARE memory is calculated, a key is calculated for said MIFARE application and the MIFARE application together with the assigned sector and key are linked to the user identification and are stored in the repository.

Abstract: A method is disclosed for authenticating, by a processor that controls a parent device, a child device includes: authenticating the child device by making a comparison between a value obtained by operating, for a first response value, a third transform function, which is decided based on a number of a difference between the value set in an authentication chip of the parent device and the value set in an authentication chip of the child device, and the second response value, wherein a first and a second response values are obtained by operating a first and a second transform functions for output values generated by operating an encryption function for performing encryption for secret keys in authentication chips of the parent device and the child device, respectively.

Abstract: The present disclosure provides systems and methods for detecting attacks against authentication mechanisms that generate Transport Layer Security (TLS) tunnels using a server public key. Such attacks can include misconfigured wireless local area network (WLAN) clients that fail to authenticate the server public key prior to creating the TLS tunnels and exchanging credentials. In an exemplary embodiment, an intrusion detection system (IDS) or intrusion prevention system (IPS) is aware of the server public key and monitors for authentication handshakes to detect invalid keys.

Abstract: Embodiments of the invention provide systems and methods for identifying devices by a trusted service manager. According to one example embodiment of the invention, a method for identifying communications is provided. The method can include receiving, by a service provider from a device, a message comprising card production life cycle (CPLC) information associated with a secure element incorporated into the device; and evaluating, by the service provider, the received CPLC information in order to identify the secure element.

Abstract: In one embodiment, the invention provides a portable wireless personal communication system for cooperating with a remote certification authority to employ time variable secure key information pursuant to a predetermined encryption algorithm to facilitate convenient, secure encrypted communication. The disclosed system includes a wireless handset, such as PDA, smartphone, cellular telephone or the like, characterized by a relatively robust data processing capability and a body mounted key generating component which is adapted to be mounted on an individual's body, in a permanent or semi-permanent manner, for wirelessly broadcasting, within the immediate proximity of the individual, a secret or private key identifying signal corresponding to a time variable secure key information under the control of the certification authority.

Abstract: A computerized authorization system configured to authorize electronically-made requests to an electronic entity. The computerized authorization system comprises a store configured to store an indication of at least one predetermined electronic authorization device configured to authorize each electronically-made request. The computerized authorization system is further configured such that: in response to receiving an electronically-made request to the electronic entity, an indication of the request is output to the at least one predetermined electronic authorization device configured to authorize the request as indicated in the store; and in response to receiving an indication of authorization from the at least one predetermined electronic authorization device, an indication of authorization of the request is output to the electronic entity.

Abstract: The disclosure discloses a wireless access device (2), which includes: a wireless module (204) which establishes a wireless connection with a network, a solid state memory (203) partitioned into different storage volumes, a driver management module (202) and an enumeration management module (201). In the solid state memory, the fourth storage volume stores a bootstrap, the first storage volume stores an operating system and system management software, and the third storage volume stores encryption driver management software, device drive software and device management software. The driver management module (202) stores storage volume information.

Abstract: A method begins by a processing module determining whether a data access request is requesting access to data stored in a plurality of dispersed storage networks (DSNs). The method continues with the processing module determining whether one of the plurality of DSNs is a home DSN to a requesting entity when the data access request is requesting access to data stored in the plurality of DSNs. The method continues with the processing module utilizing a local signed certificate to access one or more dispersed storage (DS) units of the home DSN, validating a global signed certificate with one or more DS units of a non-home DSN of the plurality of DSNs to produce a valid global signed certificate, and utilizing the valid signed certificate to access the one or more DS units of the non-home DSN when the plurality of DSNs includes the home DSN.

Abstract: An encryption based method of enabling a plurality of parties to share, create, hide, or reveal message or token information over a network includes a commutative group cipher (CGC), where the underlying CGC is secure against ciphertext-only attack (COA) and plaintext attacks (KPA), and is deterministic. The protocols doe not require a trusted third party (TTP), and execute rapidly enough on ordinary consumer computers as to be effective for realtime play among more than two players. Protocols are defined which include VSM-L-OL, VSM-VL, VSM-VPUM, and VSM-VL-VUM, wherein the letters V, O, SM, P, and UM represent, respectively, Verified, Locking Round, Open, Shuffle-Masking Round, Partial, and Unmasking Round.

Abstract: A method and apparatus for client authentication using a pseudo-random number generation system. The pseudo-random number generation utilizes a secret key as well as state information as input into the hash function to generate a pseudo-random number. The state information that is part of the input can be any number of prior generated pseudo-random numbers. The authentication allows for synchronization of the client and server by exchanging state information. The authentication is not dependent on any absolute time and consequently the client and servers are not required to maintain a reliable shared time base.

Abstract: One embodiment of the invention is directed to a method including receiving an alias identifier associated with an account associated with a presenter, determining an associated trusted party using the alias identifier, sending a verification request message to the trusted party after determining the associated trusted party, and receiving a verification response message.

Abstract: On-demand protection and authorization of playback of media assets includes receiving digital media at a server computer, storing intermediary data in a data store, and receiving a request from a client for the digital media. The method also includes generating a protected copy of the digital media from the digital media and the intermediary data. The method also includes storing a description of the protected copy in a database and sending the protected copy to the client. The method also includes receiving a request from the client to access the digital media and reading the description from the database based on information in the request. The method also includes sending a response to the client, the response indicating whether the client is authorized to access the digital media, and the response including cryptographic data to decrypt the protected digital media if the client is authorized to access the digital media.

Abstract: A method for protecting the execution of a ciphering or deciphering algorithm against the introduction of a disturbance in a step implementing one or several first values obtained from second values supposed to be invariant and stored in a non-volatile memory in which, during an execution of the algorithm: a current signature of the first values is calculated; this current signature is combined with a reference signature previously stored in a non-volatile memory; and the result of this combination is taken into account at least in the step of the algorithm implementing said first values.

Abstract: There are disclosed systems and methods for computing an exponentiatied message. In one embodiment blinding is maintained during the application of a Chinese Remainder Theorem (CRT) algorithm and then removed subsequent to the completion of the CRT algorithm. In another embodiment, fault injection attacks, such as the gcd attack, can be inhibited by applying and retaining blinding during the application of the CRT algorithm to yield a blinded exponentiation value, and then subsequently removing the blinding in a manner that causes an error injected into the CRT computation to cascade into the exponent of the value used to unblind the blinded exponentiated value.

Abstract: A method allows access to a set of secure databases and database applications over an untrusted network without replicating the secure database. The method involves authenticating a user using a first authentication application. When the user is verified, then the user's credentials are directed to a second authentication application associated with a secure database based on a first set of user settings retrieved for the user. The second authentication application, based on a second set of user settings, grants the user access to the secure database and database applications associated with the secure database.

Abstract: A storage controller and program product is provided for performing double authentication for controlling disruptive operations on storage resources generated by a system administrator. A first request is received from a first user for generation of a first key. A first key is generated, provided to the first user and associated with the storage resource. An input is received from the administrator, the input comprises a second key and a command for performing the disruptive operation. The second key and the first key are compared. It is verified that the administrator is authorized as an administrator of the storage resource. The disruptive operation is performed on the storage resource if the second key and the first key match and the administrator is authorized. Otherwise, the performance of the disruptive operation is denied.