By Generation Of Certificate Patents (Class 713/175)
-
Patent number: 11621948
Abstract: A computer system detects that a digital certificate is set to expire within a threshold amount of time. In response to detecting that the digital certificate is set to expire, the computer system generates an update to cause a second computer system to perform operations to indicate an upcoming expiration of the digital certificate. The computer system provides the update to the second computer system to cause the second computer system to perform the operations.
Type: Grant
Filed: November 15, 2019
Date of Patent: April 4, 2023
Assignee: Amazon Technologies, Inc.
Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
-
Patent number: 11595819
Abstract: A method and apparatus for authenticating a device on a wireless network using a secure attestation package is provided. The method includes receiving, by a processor, information related to a device of an Internet of Things (IoT) service provider, generating, by the processor, a secure attestation package based on the information, transmitting, by the processor, the secure attestation package to the IoT service provider, receiving, by the processor, a request to access a wireless network of the processor from the device of the IoT service provider, and authorizing, by the processor, the device to access the wireless network based on the secure attestation package.
Type: Grant
Filed: May 26, 2020
Date of Patent: February 28, 2023
Assignee: AT&T Intellectual Property I, L.P.
Inventors: Richard Zaffino, Arnold Schrider, Yaron Koral
-
Patent number: 11593459
Abstract: Techniques are disclosed for improving user experience of multimedia streaming over computer networks. More specifically, techniques presented herein reduce (or eliminate) latency in playback start time for streaming digital media content resulting from digital rights management (DRM) authorizations. A streaming media client (e.g., a browser, set-top box, mobile telephone or tablet “app”) may request a “fast-expiring” license for titles the streaming media client predicts a user is likely to begin streaming. A fast-expiring license is a DRM license (and associated decryption key) which is valid for only a very limited time after being used for playback. During the validity period of such a license, the client device requests a “normal” or “regular” license to continue accessing the title after the fast-expiring license expires.
Type: Grant
Filed: October 22, 2018
Date of Patent: February 28, 2023
Assignee: NETFLIX, INC.
Inventors: Mark Watson, Anthony Neal Park, Mitch Zollinger
-
Patent number: 11586777
Abstract: A device includes at least one first and one second module configured to cooperate to solve a task and/or are configured to communicate with a higher-level apparatus, a certification module configured to issue a cryptographic signature for each of the at least one first and second module, and an identity generation module configured to form a first code as an identity of the first module from a signature of the first module, to form a second code as an identity of the second module from a signature of the second module, and to form an overall code from the first and the second codes. The certification module is further configured to sign the overall code with a key in order to issue a unique certificate for the device, which biuniquely identifies the device.
Type: Grant
Filed: October 2, 2020
Date of Patent: February 21, 2023
Assignee: Robert Bosch GmbH
Inventors: Tobias Buhlinger, Alexander Breitenbach, Julien Rausch
-
Patent number: 11588684
Abstract: A disclosed method for provisioning a computing device includes receiving, by provisioning software that executes on the computing device to provision the computing device for access to an enterprise infrastructure from a device orchestration service through which computing devices are provisioned to access the enterprise infrastructure, a digital certificate representing a credential for accessing, by a user via the computing device, the enterprise infrastructure.
Type: Grant
Filed: October 5, 2020
Date of Patent: February 21, 2023
Assignee: Dell Products L.P.
Inventors: Charles Delbert Robison, Jr., Joseph Kozlowski, Daniel Lawrence Hamlin
-
Patent number: 11582592
Abstract: A communication device may include a first type of interface and a second type of interface. The communication device may execute the communication of object data with a mobile device using the second type of interface after executing a specific process for causing the communication device to shift to a communication-enabled state, in a case where it is determined that the communication device is not currently in the communication-enabled state. Also, the communication device may execute the communication of the object data with the mobile device using the second type of interface without executing the specific process, in a case where it is determined that the communication device is currently in the communication-enabled state.
Type: Grant
Filed: May 12, 2021
Date of Patent: February 14, 2023
Assignee: Brother Kogyo Kabushiki Kaisha
Inventors: Takanobu Suzuki, Hirotaka Asakura, Munehisa Matsuda, Satoshi Tanaka
-
Patent number: 11569996
Abstract: An example operation may include one or more of receiving, from an executing client, a blockchain transaction comprising an anonymous rating related to an authorizing client, a merkle tree root node value, a proof, and a nullifier, and in response, executing, by a smart contract, a valid historical value assert call on a lookback key storing the merkle tree root node value, verifying, through a valid historical value assert call, that the merkle tree root node value is a current or previous value of the merkle tree root node value, verifying the proof with the merkle tree root node value and the nullifier, adding the anonymous rating to a shared ledger, marking the nullifier as used, and storing the marked nullifier to the shared ledger.
Type: Grant
Filed: May 31, 2019
Date of Patent: January 31, 2023
Assignee: International Business Machines Corporation
Inventors: Rishi Saket, Pankaj S. Dayama, Nitin Singh
-
Patent number: 11558380
Abstract: Techniques are disclosed relating to detecting and preventing phishing attacks (such as man-in-the-middle attacks) related to multi-factor authentication (MFA) or two-factor authentication (2FA) processes. A system is described that makes a determination of whether to permit or deny a subsequent authentication step (e.g., a 2FA authentication step) based on a level of trust determined between the computing device making the initial authentication request to a service computer system and the computing device being asked to implement the subsequent authentication step (such as a mobile device). The computing device associated with the subsequent authentication step assesses the trust between the devices and makes the determination of whether to permit or deny the subsequent authentication step. The present techniques enhance computer system security against phishing attacks while maintaining a satisfying user experience for legitimate users.
Type: Grant
Filed: November 19, 2020
Date of Patent: January 17, 2023
Assignee: PayPal, Inc.
Inventor: George Chen Kaidi
-
Patent number: 11552808
Abstract: A method and apparatus for generating a dynamic security certificate. The method creates an entropic element from user input, receives metadata from user input and generates a dynamic security certificate using the entropic element and the metadata. The dynamic security certificate is then trusted through user input.
Type: Grant
Filed: November 23, 2021
Date of Patent: January 10, 2023
Assignee: UAB 360 IT
Inventor: Emanuelis Norbutas
-
Patent number: 11537689
Abstract: In one embodiment, a computer implemented method of a data processing (DP) accelerator providing a watermark of an artificial intelligence (AI) model to a host device includes receiving, by the DP accelerator, from the host device, the AI model, and a watermark-enabled kernel to the DP accelerator. The DP accelerator further receives from the host device, first input data to the DP accelerator that, when the first input data is used as input to the watermark-enabled kernel, generates a watermark of the AI model. The watermark is provided to the host device. In an embodiment, the method further includes receiving a signature kernel from the host device and calling the signature kernel to digitally sign the watermark. In an embodiment, the method alternatively includes calling a digital signature routine in a secure unit of the DP accelerator to digitally sign the watermark.
Type: Grant
Filed: October 10, 2019
Date of Patent: December 27, 2022
Assignees: BAIDU USA LLC, KUNLUNXIN TECHNOLOGY (BEIJING) COMPANY LIMITED
Inventors: Yong Liu, Yueqiang Cheng
-
Patent number: 11522844
Abstract: A key master service capable of operating on a service provider in a network is disclosed. The key master enables authorized parties to securely exchange client information without compromising client security. One feature of the key master service is the generation of a unique key for each client. All parties in an authorized universe access, exchange and modify client information by referencing the universal key, rather than using known client identifiers. Client information is further secured by advantageously applying an obfuscation function to the data. Obfuscated client information is stored together with the universal key as keyed client data at the client and/or server, where it may be directly accessed by the service provider or third parties. Because client information is stored and exchanged without the ability to discern either the client identity or the nature of the information, such information is secured against malicious third-party interception.
Type: Grant
Filed: March 4, 2019
Date of Patent: December 6, 2022
Assignee: Capital One Services, LLC
Inventors: Jeremy Yoches, Christopher Vito Covalucci, Scott Johnson
-
Patent number: 11516644
Abstract: A communication device may execute a wireless communication of object data with a mobile device via a first target network using a second type of interface after executing a sending process of sending a wireless setting, for causing the mobile device to belong to the first target network, to the mobile device using a first type of interface in a case where the communication device is determined as currently belonging to the first target network. The communication device may execute the wireless communication of the object data with the mobile device via a second target network using the second type of interface after executing a specific process of causing both the communication device and the mobile device to belong to the second target network in a case where the communication device is determined as currently not belonging to the target network.
Type: Grant
Filed: November 23, 2020
Date of Patent: November 29, 2022
Assignee: Brother Kogyo Kabushiki Kaisha
Inventors: Takanobu Suzuki, Hirotaka Asakura, Munehisa Matsuda, Satoshi Tanaka
-
Patent number: 11514165
Abstract: An information handling system may include a processor and a basic input/output system communicatively coupled to the processor and embodied by executable instructions embodied in non-transitory computer readable media, the instructions configured to, when executed by the processor: identify, for a firmware image, a secure boot certificate; identify, for the secure boot certificate, a certificate use policy; determine whether the certificate use policy permits verification of the firmware image using the secure boot certificate; and allow the firmware image to be verified with the secure boot certificate if the certificate use policy permits verification of the firmware image using the secure boot certificate.
Type: Grant
Filed: September 18, 2020
Date of Patent: November 29, 2022
Assignee: Dell Products L.P.
Inventors: Richard M. Tonry, Ibrahim Sayyed
-
Patent number: 11509487
Abstract: A first entity stores an issuer digital certificate published by a certificate authority (CA) and signed by the issuer certificate; and also stores an old issuer digital certificate published by the CA prior to publication of the issuer digital certificate and an old first entity digital certificate signed by the old issuer digital certificate. The first entity attempts to initiate a secure communication session with a second entity by receiving a second entity digital certificate from the second entity via an electronic network, and sending either the first entity digital certificate or the old first entity digital certificate to the second entity based on which of the issuer digital certificate or the old issuer digital certificate is effective to authenticate the second entity digital certificate received from the second entity. The secure communication session is conducted only if the attempt to initiate the secure communication session is successful.
Type: Grant
Filed: September 15, 2020
Date of Patent: November 22, 2022
Assignee: Kaseya Limited
Inventors: Charles A. Barbe, Christopher S. Sprague, Christopher A. Hoult
-
Patent number: 11477012
Abstract: Techniques to facilitate feature licensing of industrial devices employed in an industrial automation environment are disclosed herein. In at least one implementation, a security certificate for an industrial device is provisioned based on a first private key associated with the industrial device, wherein the first private key is securely stored in a hardware root of trust within the industrial device. A device information package for the industrial device is generated based on the security certificate, wherein the device information package is encrypted with a first public key paired with the first private key and signed by a certificate authority using a second private key. The device information package is provided to the industrial device, wherein the industrial device is configured to validate the device information package using a second public key paired with the second private key and decrypt the device information package with the first private key.
Type: Grant
Filed: September 24, 2019
Date of Patent: October 18, 2022
Assignee: ROCKWELL AUTOMATION TECHNOLOGIES, INC.
Inventors: Jack Michael Visoky, Diane E. Golden, Benjamin H. Nave
-
Patent number: 11442922
Abstract: A data management method includes: in a case where A denotes a set of symbols, A* denotes a set of all character strings composed of the symbols in A, L denotes a subset of A, and h(L) denotes a mapping performed on L with h that denotes a cryptographical hash function, regarding h: A* → A, multiple peers each hold an inverse mapping hL⁻¹ of hL: L → h(L) that denotes a partial mapping of h, and in a case where at least one original data item M and an encrypted data item C encrypted from the original data item M are present, the encrypted data item C being held in hL⁻¹, and correspondence between the original data item M and the encrypted data item C is to be validated, calculating a hash value h(M); decrypting the encrypted data item C with a hash value k; and comparing a result of the decrypting with the original data item M.
Type: Grant
Filed: September 11, 2019
Date of Patent: September 13, 2022
Assignee: FUJIFILM Business Innovation Corp.
Inventor: Taro Terao
-
Patent number: 11438152
Abstract: Systems and methods for improved distributed symmetric cryptography are disclosed. A client computer may communicate with a number of cryptographic devices in order to encrypt or decrypt data. Each cryptographic device may possess a secret share and a verification share, which may be used in the process of encrypting or decrypting data. The client computer may generate a commitment and transmit the commitment to the cryptographic devices. Each cryptographic device may generate a partial computation based on the commitment and their respective secret share, and likewise generate a partial signature based on the commitment and their respective verification share. The partial computations and partial signatures may be transmitted to the client computer. The client computer may use the partial computations and partial signatures to generate a cryptographic key and verification signature respectively. The client computer may use the cryptographic key to encrypt or decrypt a message.
Type: Grant
Filed: January 31, 2020
Date of Patent: September 6, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Pratyay Mukherjee, Shashank Agrawal, Peter Rindal, Atul Luykx, Wei Dai
-
Patent number: 11431509
Abstract: A system and method for integrating FIDO authentication systems and User verification systems. The system is provided in one configuration as a mobile app that allows access to highly sensitive information via a mobile device while simultaneously ensuring a highly secured environment authenticating both the mobile device and the user via a highly reliable authentication process.
Type: Grant
Filed: December 15, 2020
Date of Patent: August 30, 2022
Assignee: Queralt, Inc.
Inventors: Michael Queralt, Daniel R. Sabia
-
Patent number: 11424937
Abstract: An information processing apparatus capable of connecting to an external apparatus via a network includes a setting unit configured to enable a function of transmitting an issuance request for a digital certificate to the external apparatus at a previously designated date and time or with a previously designated cycle and acquiring a digital certificate from the external apparatus in response to the issuance request, wherein the function is enabled by the setting unit under a condition that information required for connection to the external apparatus is previously input.
Type: Grant
Filed: June 21, 2019
Date of Patent: August 23, 2022
Assignee: CANON KABUSHIKI KAISHA
Inventor: Naoya Kakutani
-
Patent number: 11418350
Abstract: A management system and a method for secure signing of certificates, which have a certificate signing subsystem set up in a device of a controlled management site, unless authorized externally, internal data of the subsystem cannot be accessed arbitrarily, and each unit applying for a certificate needs confirmation of identity to increase the security of certificate application and signing. In addition, the certificate signing subsystem is a device with arithmetic capability, which operates fast and can increase the efficiency of certificate signing. Because units or companies applying for certificates do not need to set up a certificate signing system by themselves, provided that they are connected to the certificate signing subsystem of the present invention, certificates can be applied for and obtained, thereby saving business operating costs.
Type: Grant
Filed: December 3, 2020
Date of Patent: August 16, 2022
Assignee: ECO-LUXURY TECHNOLOGY CO., LTD.
Inventors: Yu-Cheng Lai, Chia-Yen Lu
-
Patent number: 11403284
Abstract: A method of providing a search index based on a Bloom filter in a distributed data sharing environment based on a block chain includes generating, by a data generating device, Bloom filters used as the search index on the basis of a hash value calculated by applying a hash function to a keyword set for searching for data which is to be shared, generating, by a block providing server, a new block on the basis of the Bloom filters and the data received from the data generating device and performing proof of work (PoW) on the new block, for adding the new block to the block chain, and distributing, by a block distributing server, block chain data including the new block added to the block chain.
Type: Grant
Filed: March 6, 2020
Date of Patent: August 2, 2022
Assignee: ELECTRONICS AND TELECOMMUNICATIONS RESEARCH INSTITUTE
Inventors: Nam Su Jho, Ju Young Kim, Taek Young Youn, Ku Young Chang
-
Patent number: 11366902
Abstract: Disclosed herein are systems and methods for detecting malicious files based on file fragments. In one aspect, an exemplary method comprises, extracting data fragments from a file, for each extracted data fragment, determining a category selected from a list of categories that includes at least: trusted, malicious, and untrusted, when a number of data fragments categorized as being malicious is below a predetermined threshold, avoiding categorization of the file as malicious, and when a number of data fragments categorized as being malicious reaches or exceeds the predetermined threshold, determining whether at least one malicious file detection rule having criteria for detecting a malicious file is found, when at least one malicious file detection rule whose criteria is met is found, categorizing the file as a malicious file, and when no malicious file detection rule whose criteria is met is found, avoiding categorization of the file as a malicious file.
Type: Grant
Filed: September 24, 2019
Date of Patent: June 21, 2022
Assignee: AO Kaspersky Lab
Inventor: Costin Raiu
-
Patent number: 11361079
Abstract: A chipset for an end device comprises at least a Secure Processor into which a one-time programmable memory storage is integrated, wherein in the chipset at least an end-device serial number of the end device is stored, wherein in the one-time programmable memory information is stored for securing the end-device serial number against tampering.
Type: Grant
Filed: July 20, 2017
Date of Patent: June 14, 2022
Assignee: GIESECKE+DEVRIENT MOBILE SECURITY GMBH
Inventors: Frank Götze, Claus Dietze
-
Patent number: 11347836
Abstract: A method for authenticating a vehicle with a service unit by way of a central computer unit external to the vehicle is provided. An initial value is transmitted from the service unit to the authentication unit and, depending on the initial value, the authentication unit reads a request command from a request table and outputs it to an interface of the vehicle. The authentication unit receives an output value from the interface, generated in response, and calculates a vehicle check value from the output value. The vehicle check value and the initial value are transmitted to the central computer unit. Depending on the initial value, the central computer unit reads a characteristic value from a characteristic value table and calculates a further vehicle check value. When the vehicle check value and the further vehicle check value match the central computer unit sends a predetermined enable signal to the service unit.
Type: Grant
Filed: April 9, 2020
Date of Patent: May 31, 2022
Inventors: Rolf Mack, Sunil Bharamgoudar
-
Patent number: 11343095
Abstract: The disclosed technology is generally directed to secure transactions. In one example of the technology, a first enclave to be used for executing a cryptlet binary of a first cryptlet is identified. The first enclave may be a secure execution environment that stores an enclave private key, and the first cryptlet may be associated with at least a first counterparty. A cryptlet binding that is associated with the first cryptlet may be generated, and may include counterparty information that is associated with at least the first counterparty. Cryptlet binding information may be provided to a cryptlet binding key graph, and a location of a first hardware security module (HSM) that stores a key that is associated with the first counterparty may be received from the cryptlet binding key graph.
Type: Grant
Filed: September 19, 2017
Date of Patent: May 24, 2022
Assignee: Microsoft Technology Licensing, LLC
Inventor: John Marley Gray
-
Patent number: 11336927
Abstract: Some embodiments relate to a content matching system (101) comprising a first device (100), a matching server (300), and a second device (200). The content matching system enables the second device to consume content matching with content which is consumable on the first device, even if the first and second devices do not have access to the same streaming service.
Type: Grant
Filed: January 8, 2019
Date of Patent: May 17, 2022
Assignee: REZZONATION B.V.
Inventors: Sander Anton Martine Weegels, Henricus Petronella Maria Derckx, Anthony John Slack
-
Patent number: 11329829
Abstract: A log, comprising a sequence of temporally ordered digital entries, is authenticated by entering a new entry into the log only after expiration of a minimum time interval. A digital signature and timestamp are generated for each entry in the log and are included in each respective entry. In a validity verification phase, the timestamp of at least one of the entries is examined to determine whether it indicates entry into the log at a time relative to a preceding entry in the log after less than an expected minimum time interval. If so, a remedial action is taken.
Type: Grant
Filed: June 1, 2019
Date of Patent: May 10, 2022
Assignee: Guardtime SA
Inventor: Henri Lakk
-
Patent number: 11301840
Abstract: A provisioning system is provided for terminals such as point of sale terminals. An interface device interfaces with a smart card and a provisioning server, providing initialization keys and security codes that are stored on the smart card. At a terminal, an initialization key from the smart card may be provided to the terminal if a correct security code is entered at the terminal. The terminal may then provide a terminal authorization package to the smart card. The terminal authorization package is stored on the smart card. At the interface device, the terminal authorization package is provided to the provisioning server. The terminal may then securely communicate transactions with an issuer server.
Type: Grant
Filed: June 26, 2015
Date of Patent: April 12, 2022
Assignee: Block, Inc.
Inventors: Malcolm Smith, Kshitiz Vadera, Afshin Rezayee
-
Patent number: 11290269
Abstract: Embodiments of the invention are directed to techniques for enabling self-certification of an electronic device to result in the issuance of a security certificate that the electronic device may use to authenticate itself to another entity. In some embodiments, the device is caused to initiate the self-certification process upon determining that a status of a current security certificate is no longer valid. In some embodiments, an electronic device may communicate with a certificate authority, which may generate a set of policy data that indicates permissions for the electronic device. The electronic device may then generate an electronic record to be associated with the security certificate, which it may sign using a private key. The certificate authority may then verify the authenticity of the signed electronic record using a public key associated with the electronic device. The electronic record may be appended to some collection of records.
Type: Grant
Filed: December 13, 2017
Date of Patent: March 29, 2022
Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
Inventors: Avinash Arumugam, Quan Wang, Kelvan Howard, Jerry Wald
-
Patent number: 11290285
Abstract: A certificate identification system comprises multiple source devices configured to generate an artifact which comprises features indicating user data and an action, a certificate database configured to store certificates comprising user identity information corresponding to its signatory, and an identity manager in signal communication with the source devices and the certificate database.
Type: Grant
Filed: February 8, 2019
Date of Patent: March 29, 2022
Assignee: Bank of America Corporation
Inventors: Govinda Rajulu Nelluri, Srinivasa Rao Dakshinyam
-
Patent number: 11283793
Abstract: Techniques for securing user sessions using a time-based one-time password (TOTP) generated from a shared secret. The shared secret can be a cryptographic hash of one or more user credentials. In response to a successful authentication based on the user credential(s), a session is created. The authentication is performed in connection with an initial access request from a client application. A subsequent access request for a protected resource during the session is processed by extracting a session cookie and a TOTP and generating a corresponding TOTP using the shared secret. The TOTP can be generated by combining the shared secret with one or more additional parameters such as a Uniform Resource Locator associated with the resource, or the session cookie. Access to the protected resource is conditioned upon the session, which is identified by the session cookie, being valid and upon the TOTPs matching.
Type: Grant
Filed: October 18, 2018
Date of Patent: March 22, 2022
Assignee: Oracle International Corporation
Inventors: Ranjan Khanna, Sreenivasa R. Chitturi
-
Patent number: 11277399
Abstract: Example method includes: establishing a secure tunnel with an unauthenticated client device associated with a user of a restricted network; receiving user credentials associated with the user and transmitted from the unauthenticated client device within the secure tunnel; validating the received user credentials; and transmitting at least a client certificate and device configuration information to the unauthenticated client device within the secure tunnel such that the unauthenticated client device is able to access the restricted network after installing the client certificate and applying the device configurations based on the received device configuration information.
Type: Grant
Filed: April 30, 2019
Date of Patent: March 15, 2022
Assignee: Hewlett Packard Enterprise Development LP
Inventors: Antoni Milton, Timothy Cappalli
-
Patent number: 11271745
Abstract: Embodiments of this specification provide methods and systems for operating an IoT device. An exemplary method comprises: receiving, by a user equipment, an operation instruction for the IoT device from a user, wherein the user equipment is communicatively coupled with the IoT device; identifying, by the user equipment, a biometric feature of the user; verifying, by the user equipment, an identity of the user based on the biometric feature; signing, by the user equipment, the operation instruction using a first user key of the user in response to the identity of the user being verified; transmitting, by the user equipment, the signed operation instruction to the IoT device; verifying, by the IoT device, the signed operation instruction using a second user key of the user; and executing, by the IoT device, the operation instruction in response to the signed operation instruction being verified.
Type: Grant
Filed: May 6, 2021
Date of Patent: March 8, 2022
Assignee: ADVANCED NEW TECHNOLOGIES CO., LTD.
Inventors: Qi Huang, Hui Liao
-
Patent number: 11265303
Abstract: Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.
Type: Grant
Filed: March 30, 2020
Date of Patent: March 1, 2022
Assignee: International Business Machines Corporation
Inventors: Kuo-Chun Chen, Wei-Hsiang Hsiung, Cheng-Ta Lee, Wei-Shiau Suen, Ming Hsun Wu
-
Patent number: 11251940
Abstract: An approach is provided for deterring a tampering of content. Content is signed by using an asymmetric key cryptography. The signed content is stored in a distributed ledger which is accessible to a plurality of subscribers of the distributed ledger. The signing of the content using the asymmetric key cryptography together with the storing of the signed content in the distributed ledger provide a non-repudiable identification of an owner of the content and a non-repudiable proof of an ownership of the content.
Type: Grant
Filed: March 22, 2019
Date of Patent: February 15, 2022
Assignee: Kyndryl, Inc.
Inventors: Michael C. Davis, Robert S. Milligan, Gordan G. Greenlee, Christopher L. Molloy, Steven A. Waite
-
Patent number: 11252572
Abstract: A method is provided for registration of a device as a Network Application Function, NAF, in a Generic Bootstrapping Architecture, GBA. The device performs a GBA bootstrap operation with a Bootstrapping Server Function, BSF, and sends to a NAF registration function a request to register as a NAF. The device receives NAF registration information from the NAF registration function, and performs a NAF registration with the BSF. The NAF registration function receives from the device a request to register as a NAF, confirms that the device is authorised to act as a NAF, and transmits the NAF registration information to the device.
Type: Grant
Filed: May 26, 2016
Date of Patent: February 15, 2022
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Patrik Salmela, Joona Kannisto, Mohit Sethi, Kristian Slavov
-
Patent number: 11218304
Abstract: Systems and methods for detecting breached user login records in a zero-knowledge architecture. A breach detection module obtains login data that has been breached from breached data sources and service providers. The breached data is hashed with a system key and the breached data hashes are hashed in a hardware security module (HSM) using a hashing method and a non-exportable key. Clients provide user login data that has been hashed using the hashing method by the client device to the breach detection module. The breach detection module hashes the hashed user login data and compares the hashed user login hashes with the hashed breached data hashes and sends a breach alert to the client device if any hashes match.
Type: Grant
Filed: September 23, 2019
Date of Patent: January 4, 2022
Assignee: KEEPER SECURITY, INC.
Inventors: Craig B. Lurey, Darren S. Guccione
-
Patent number: 11216572
Abstract: An information processing system 100 includes a client node 1 and an issuing node 2 for issuing a coupon having terms of use Q1. The client node 1 includes a use request unit 155 that requests to use the coupon by presenting user data D held by a user of the client node 1. The issuing node 2 includes: a use request verification unit 253 for verifying whether the information included in the user data D satisfies the terms of use Q1 upon the use request from the use request unit 155; and a use authorization unit 254 that authorizes the client node 1 to use the coupon when the information satisfies the terms of use Q1.
Type: Grant
Filed: July 18, 2019
Date of Patent: January 4, 2022
Assignee: TOHOKU UNIVERSITY
Inventors: Masao Sakai, Eisuke Koizumi, Junya Iwazaki, Masashi Hisai
-
Patent number: 11210383
Abstract: Authentication tokens, systems, and methods are described. An illustrative method is disclosed to include receiving an electronic file including a digital image, receiving biometric information that is associated with a person, modifying the electronic file with the biometric information such that one or more pixels in the digital image are replaced with the biometric information, and storing the modified electronic file as a digital authentication token to be used in connection with authorized publications of original digital work.
Type: Grant
Filed: June 28, 2021
Date of Patent: December 28, 2021
Assignees: Nant Holdings IP, LLC, ImmunityBio, Inc.
Inventors: Luna Witchey, John Zachary Sanborn, Patrick Soon-Shiong, Nicholas James Witchey
-
Patent number: 11210650
Abstract: Technologies related to credit payment based on a mobile terminal embedded secure element are disclosed. In an implementation, a payment request is received from a mobile computing device associated with a user account. The payment information including a payment amount is generated based on the payment request. The payment information is then sent to the mobile computing device. A payment authorization encrypted by a private key is received based on asymmetric encryption from the mobile computing device. A public key corresponding to the private key is used to verify the payment authorization, and a transaction log is generated for collecting a payment according to the payment amount if the payment authorization is successfully verified.
Type: Grant
Filed: December 19, 2019
Date of Patent: December 28, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Xing Chen, Lei Wang, Kai Tang
-
Patent number: 11190504
Abstract: A computer server controls access to a hosted service using digital certificates that are requested from each client attempting to access the service. When a particular client accesses the hosted service, the host service requests a digital certificate from the particular client and issues a challenge message. The particular client signs the challenge message and provides a client digital certificate to the hosted service. The hosted service confirms that the signature on the challenge message matches the client digital certificate, and that the client digital certificate is signed by a trusted entity. Trusted entities are defined by an administrator by uploading, to the hosted service, one or more trusted digital certificates associated with trusted entities. Using the trusted digital certificates, the hosted service confirms that the digital certificate provided by the particular client is signed by at least one of the trusted entities.
Type: Grant
Filed: May 17, 2017
Date of Patent: November 30, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Malcolm Russell Ah Kun, Uday Bheema, Ankur Goyal, Chao Li, Alexey A. Nikitin, Himesh Pandya, Prasanna Subash, Zhenghong Sun, Nathan Bartholomew Thomas, Harshit Kumar Tiwari, Venkatesh Velaga, Lihao Wang, Brian Scott Waters, Jeffery David Wells, Anand Krishnamoorthy
-
Patent number: 11170078
Abstract: In one example an apparatus comprises a memory and a processor to receive, in an edge node of a secure network, a first file, determine that the first file is addressed to a recipient outside the secure network, and in response to a determination that the first file is addressed to a destination outside the secure network, to generate a watermark that identifies a transmitter of the document, a recipient of the document, and comprises a digital signature of the first file, embed the watermark in the first file to generate a watermarked file, and pass the watermarked file to an input/output system for transmission out of the secure network. Other examples may be described.
Type: Grant
Filed: March 22, 2019
Date of Patent: November 9, 2021
Assignee: INTEL CORPORATION
Inventors: Oleg Pogorelik, Shefy Gur-Ary, Adir Abraham, David Alhanati, Angelo Moscati, Alex Nayshtut, Denis Klimov
-
Patent number: 11153309
Abstract: Concepts and technologies are disclosed herein for multifactor authentication for Internet-of-things devices. An access request can be received from an Internet-of-things device. The access request can include identifying information associated with the Internet-of-things device and a certificate. The certificate can be validated and a stored version of the identifying information can be obtained. If the stored version of the identifying information is determined to match the identifying information included with the access request, access to a resource can be allowed.
Type: Grant
Filed: March 13, 2018
Date of Patent: October 19, 2021
Assignees: AT&T Mobility II LLC, AT&T Intellectual Property II, L.P.
Inventors: Russell Vegh, Senthil Ramakrishnan, Roger Mahler
-
Patent number: 11132355
Abstract: Systems and methods are disclosed for certifying an equipment by connecting to a distributed ledger; capturing a physical location and a schematic location of the equipment; performing a test on the equipment; taking a picture of the equipment being tested; and certifying a test result and rendering the test results as immutable records on the distributed ledger.
Type: Grant
Filed: January 18, 2019
Date of Patent: September 28, 2021
Assignee: Time Lock Documentation LLC
Inventor: Christopher Eberhardt
-
Patent number: 11132672
Abstract: A user may be willing to purchase items or participate in a pay-for service offered by a service provider. A service provider may wish to verify characteristics of the user prior to allowing transactions to take place, and may want to secure the transactions once the transactions are allowed. A credential issued to a user and a transaction application uploaded to a user device may be used to secure transactions between the user and a service provider interface, such as a webserver or a point-of-sale. The transaction application may capture real-time user data and compare the real-time user data to prior user data stored on the credential; authenticate the service provider interface to the user and the user to the service provider interface; and establish an encrypted session between the service provider interface and the transaction application adapted to authenticate the transactions between the user and the service provider interface.
Type: Grant
Filed: November 29, 2012
Date of Patent: September 28, 2021
Assignee: CARDLOGIX
Inventor: Bruce Ross
-
Patent number: 11133931
Abstract: The present invention relates to security service providing apparatus and method for supporting lightweight security which provides lightweight security by using an error coefficient and a hash of a chain block used for time synchronization with the terminal for generation of an encryption key to improve security complexity while securing security for communication with terminals and also securing security for an encryption key through the blockchain. According to the present invention, for security for the communication session between the service providing apparatus and the terminal, the encryption key of the terminal is generated as the hash through the hash algorithm by combining the time difference generated in the time synchronization process with the terminal and the hash generated based on the information related to the encryption key of the other terminal stored in the blockchain to generate a symmetrical encryption key which cannot be inferred and has high security.
Type: Grant
Filed: November 13, 2019
Date of Patent: September 28, 2021
Assignee: GREEN IT KOREA CO., LTD.
Inventors: Won Sig Kang, Chang Seop Park
-
Patent number: 11128612
Abstract: Techniques are disclosed for provisioning device-specific credentials to an Internet of Things device that accesses a cloud-based IoT service. The IoT service receives, from the IoT device, a request for device-specific credentials. The request comprises a provisioning certificate including information identifying a group of devices associated with the IoT device. The provisioning certificate is authenticated by evaluating the information with expected information. The device-specific credentials are generated based, at least in part, on the information provided in the provisioning certificate. The device-specific credentials are sent to the IoT device, and the IoT device installs and activates the device-specific credentials. The device-specific credentials are associated with the IoT device in a registry of the IoT service.
Type: Grant
Filed: September 25, 2019
Date of Patent: September 21, 2021
Assignee: Amazon Technologies, Inc.
Inventors: Rameez Loladia, Ramkishore Bhattacharyya, Ashutosh Thakur, Atulya S. Beheray
-
Patent number: 11128442
Abstract: A system for performing authentication of users of a distributed register network is provided. In particular, the system may comprise a distributed register network comprising one or more decentralized nodes, each of which may store a separate copy of a distributed data register. The system may further comprise one or more specialized nodes which authenticate users that trigger the generation of blocks in linked structures of the distributed register network, where the blocks are associated with requests that are submitted by the user. In this way, the system verifies the authenticity of the blocks in the linked structures, thereby providing a more robust distributed register network.
Type: Grant
Filed: June 23, 2020
Date of Patent: September 21, 2021
Assignee: BANK OF AMERICA CORPORATION
Inventors: Nimish Ravindra Deshpande, Prashant Khare
-
Patent number: 11128988
Abstract: In one illustrative example, a mobility node (e.g. an SMF) may receive a message which indicates a request for creating a session for a user equipment (UE). A user plane function (UPF) instance for the session may be selected based on a set of parameters. The set of parameters may include one or more location(s) of one or more multi-access edge computing (MEC) resources and applications of interest for the UE. Location data associated with the MEC resources and applications may be determined from server addresses obtained from UPF processing of domain name server (DNS) queries associated with the applications. In preferred implementations, the server addresses are client subnet location-dependent server addresses obtained from client subnet-based DNS queries. The server addresses or location data derived therefrom may be regularly submitted to the SMF for improved UPF selection based on locations of MEC resources and applications.
Type: Grant
Filed: May 15, 2020
Date of Patent: September 21, 2021
Assignee: CISCO TECHNOLOGY, INC.
Inventors: Timothy Peter Stammers, Robert Michael Batz
-
Patent number: 11108571
Abstract: Implementations of the present disclosure include generating, by a consensus node, a certificate signing request (CSR); sending the CSR to a first certificate authority (CA); receiving a first public key certificate of the consensus node from the first CA, and a first one or more public key certificates issued by a first one or more CAs. The consensus node also sends the CSR to a second CA, receives a second public key certificate of the consensus node from the second CA, and a second one or more public key certificates issued by a second one or more CAs. The consensus node further configures a first truststore including the first public key certificate and the first one or more public key certificates, and a second truststore including the second public key certificate and the second one or more public key certificates.
Type: Grant
Filed: November 30, 2020
Date of Patent: August 31, 2021
Assignee: Advanced New Technologies Co., Ltd.
Inventors: Dong Pan, Xuebing Yan, Shenglong Chen