Abstract: A method of securing electronic computer files includes having a client-based application running in the background with a kernel extension and a communication channel over a network to a server. The client app. can intercept an interprocess communication for opening a file and then collect a swath of fingerprint information about the requesting process and the state of the computer. The fingerprint information is sent to the server, optionally through a Signal Protocol message hidden by steganography in an image. Based on the fingerprint information, the server sends a key and/or a command back, optionally through steganography, to the client. The file is then accessed and decrypted—or accessed and not decrypted—based on the server key and command. The command can include instructions to gather more data from the user or about the computer before allowing access.

Abstract: Methods and devices for two nodes to authenticate each other as credentialed by a group of autonomous specialized nodes, without involving the group or involving a centralized certificate manager or authenticator. The method may involve a first node and a second node using bilinear pairing operations involving their respective identifiers and secret points to derive the same session key. Provided the secret points and identifiers were obtained from the group using the group private key, the bilinear pairing operation leads to generation of the same session key at each of the two nodes, thereby authenticating their respective credentials and enabling trusted communications between the two nodes.

Abstract: An electronic point multiplication device (100) is provided for computing a point multiplication (kG) on an elliptic curve between a multiplier (k) and a base point (G) on the elliptic curve (E) for use in a cryptographic protocol. The device being arranged to compute from a first set of multiple joint encodings (Ai) a blinded base multiplier (A, 131), and a second set of multiple joint encodings (Bi) multiple blinded auxiliary multipliers (?i, 136). The device performs obtains the point multiplication (141) (kG) of the multiplier (k) and the base point (G) by computing the point addition of the point multiplication of the blinded base multiplier and the base point on the elliptic curve, and the multiple point multiplications of a blinded auxiliary multiplier and an auxiliary point. The blinded base multiplier and auxiliary multipliers may be represented in a plain format during the performing of the elliptic curve arithmetic.

Abstract: Non-informational data D is generated as an output using a non-informational data E and informational data as inputs to a function on a computing device in an information-restricted domain. The function may be an XOR and the non-informational data E may be a pseudorandom string of the same length as the informational data. The non-informational data D is moved to an unrestricted domain where it may be managed normally. When the informational data is needed it can be re-generated using the non-informational data D and non-informational data E as inputs to an inverse function (XOR is its own inverse). The non-informational data E may be generated from a smaller random seed.

Abstract: A method for managing documents includes obtaining, from a first computing device, a first signed document, and in response to obtaining the first signed document: identifying a first plurality of validity services associated with the signed document, sending a verification request to the first plurality of validity services, wherein each of the plurality of verification requests specifies the first signed document, obtaining a plurality of verification responses from the first plurality of validity services, and making a determination, based on the plurality of verification responses, that the first signed document is valid.

Abstract: A process for completing transactions using biometric data, including include possible redundancies to ensure the accuracy of the transaction, and the system needed to perform the process. The process entails obtaining a biometric sample, extracting a biometric hash string from the biometric sample, converting the biometric hash string into an alpha numeric device, using the alpha numeric device to convey an identity, and equating the alpha numeric device to an identity with an account or membership.

Abstract: An ecosystem for managing a public key infrastructure (PKI) includes an electronic device having at least one silicon component, an ecosystem manager configured to create at least one PKI keypair, a root certificate, and a bootstrapping certificate, and a device manufacturer configured to integrate into the electronic device the at least one silicon component. The device manufacturer is further configured to integrate into the at least one silicon component a public key of the at least one PKI keypair and the bootstrapping certificate. The ecosystem further includes an ecosystem approved test lab (ATL) configured to test the electronic device having the integrated silicon component, the public key, and the bootstrapping certificate. The ecosystem ATL is further configured to confirm that the bootstrapping certificate complies with predetermined standards of the ecosystem.

Abstract: Implementations of this specification provide signature verification methods and apparatuses for a blockchain ledger. An example method includes receiving by a server, a signature verification instruction that comprises a verification object parameter and a hash value. The verification object parameter includes a third-party parameter, a platform parameter, or a time service certificate parameter, the verification object parameter indicates a type of a to-be-verified object, and the server is configured to store data by using the blockchain ledger. The server obtains the to-be-verified object based on the verification object parameter and the hash value. The type of the to-be-verified object includes a third-party digital signature, a server digital signature, or a time service certificate. The server sends the to-be-verified object to a client for verification by the client.

Abstract: Generally described, one or more aspects of the present application correspond to a content validation system. A content validation service receives visual secret request information from user devices. The content validation service provides visual secret information to be rendered with received content. The content validation service then receives a snapshot of content to be rendered including a representation of the visual secret information to validate the content.

Abstract: A process for rendering a user interface of a web portal providing access to content of a content management system (CMS) includes: providing, from a client system of the CMS, the user interface for rendering through a browser of a user device; receiving, by the client system from the user device via the user interface, a request for a content asset; sharing a server secret between the CMS and an edge node; using, by the CMS, the server secret to generate a signing key, transmitted to the client system, wherein the client system uses the signing key to generate a signed URL for the content asset, the user device being redirected to the signed URL; responsive to receiving and successful validation of the signed URL by the edge node, then providing the content asset from the edge node to the user device for presentation through the user interface.

Abstract: In some examples, in response to detecting addition or update of a program component of a program, a system creates a blockchain entry for addition to a blockchain register, generates a hash based on the program component, and adds in the blockchain entry a signed hash produced by encrypting the generated hash. The system publishes the blockchain entry for the blockchain, the signed hash in a blockchain entry useable to detect tampering with the program component.

Abstract: Embodiments of the present invention are directed to facilitating detection of suspicious access to resources. In accordance with aspects of the present disclosure, an access graph is generated. The access graph contains access data that includes observed accesses between entities and resources. Access scores can be determined for entity-resource pairs in the access graph by applying a set of access rules to the entity-resource pairs in the access graph. The access scores indicate an extent of relatedness between the corresponding entity and resource. Thereafter, the access scores can be used to train a probabilistic prediction model that predicts suspiciousness of accesses between entities and resources.

Abstract: Various embodiments are directed to group-based data storage systems configured for maintaining data exchanged between client devices within channel-specific shards each corresponding with one or more group-identifiers to provide group-based access to those channel-specific shards and for applying group-specific policies for data stored within those channel-specific shards. Membership of particular users within particular groups and within particular channels may be monitored such that access to particular channel shards may be controlled based on group-memberships of the users, and access to data stored within particular channel shards may be controlled based on channel-memberships of the users.

Abstract: The invention provides a computer-implemented control method and corresponding system. The method may control or influence a device, system or other resource such as a technical process. The invention can provide a mechanism for emulating or otherwise executing the functionality of a logic gate via a computer-based distributed ledger (blockchain). This may be the Bitcoin blockchain or an alternative network/protocol. The invention provides logic embedded within a redeem script such that it determines which particular private keys have been used to sign an unlocking script, and then interprets the provision of those keys in accordance with a predetermined function.

Abstract: In some examples, a system includes a first processor, a second processor, and a storage medium to store first information comprising machine-readable instructions executable by the second processor. The first processor is to validate the machine-readable instructions using an iterative validation process involving a plurality of iterations at different times, where each respective iteration of the plurality of iterations includes issuing a respective indication to the second processor to compute a value based on a respective subset of the first information, wherein the respective indication includes respective subset information identifying the respective subset, wherein the respective subset information differs from different subset information included in another indication issued in another iteration of the plurality of iterations, the different subset information identifies a different subset of the first information.

Abstract: Techniques are described to embed graphical identifiers into a ghost image within a layer of laminate of an identification document. The ghost image includes optically variable media that has a first appearance when viewed from a front of the identification document in reflected light at a first angle and a second, different appearance when viewed from the front of the identification document in reflected light in a second, different angle. During the ghost image generation process, a graphical identifier can be placed on a baseline ghost image to generate an adjusted ghost image. Once the adjusted ghost image is printed onto the identification document, the graphical identifier can be viewable based on the appearance of the adjusted ghost identifier in relation to the reflected light.

Abstract: Provided is a process including: receiving, with one or more processors, a first request to store a record from a computing entity; encoding, with one or more processors, the record in a first plurality of segments; arranging, with one or more processors, the first plurality of segments in respective content nodes of a first content graph, wherein at least some content nodes of the first content graph have two or more content edges of the first content graph pointing to two or more respective other content nodes of the first content graph; and storing, with one or more processors, the content nodes of the first content graph in a verification graph.

Abstract: Systems and methods for enabling proximity services to be delivered as part of an application service and/or for providing tailored services and/or a differential quality of service (QoS) to a flow may be disclosed. For example, a temporary service name between an application and a server such as a D2D server may be established such that a UE and/or network may execute such a service at a later time without later involvement by the application and/or without exchanging credentials for the application with the network and vice versa.

Abstract: The technology described herein generates a unique identifier for a visual media that comprises pre-printed visual indications on the visual media and a user's handwritten signature. The location of the signature on the visual media can be determined by including preprinted fiducial marks on the visual media. The fiducial markers act as landmarks that allow the size and location of the signature to be determined in absolute terms. The unique identifier is then stored in computer memory on a user-experience server. The user-experience server can associate the unique identifier with a digital asset, such as an image or video, designated by the user. When the unique identifier is provided to the user-experience server a second time, the digital asset can be retrieved and output to the computing device that provided the unique identifier.

Abstract: An example operation may include one or more one or more of receiving two or more authorization decisions from two or more authorization entities into a blockchain system, recording the two or more authorization decisions into one or more blocks of a blockchain of the blockchain system, determining, by the blockchain system, whether the two or more authorization decisions satisfy a policy to authorize access to at least one of a device or identifiable content on the device, and when the two or more authorization decisions satisfy the policy, authorizing access to a public key that can be used to gain access to the device.

Abstract: A method for computer program source level trust assurance in an Internet of Things (IoT) device includes receiving a request to install a computer program in an IoT device and storing, in temporary memory, a file containing a binary form of the computer program and an authenticity fingerprint incorporated as part of the binary form of the computer program. The method additionally includes extracting the authenticity fingerprint from the binary form of the computer program, retrieving a different fingerprint from remote storage and comparing the different fingerprint to the extracted fingerprint. Finally, the method includes installing the computer program into the IoT device in response to the comparison indicating that the extracted fingerprint is identical to the different fingerprint, but otherwise rejecting the request to install the computer program.

Abstract: A digital work generating device, a digital work generating method and a computer-readable storage medium are provided. The digital work generating device includes: an obtaining unit configured to obtain presetting information and an initial content of the digital work; a generating unit configured to generate at least one partial content of the digital work according to the initial content and the presetting information; and a processing unit configured to process the initial content and the at least one partial content to generate the digital work.

Abstract: A system having a content management system (CMS) and an edge node of a content delivery network is provided. The CMS and edge node are configured to perform a method that includes sharing a server secret between the CMS and the edge node and using, by the CMS, the server secret to generate a signing key. The signing key includes a signing secret generated using the server secret. The signing key is transmitted to a client system, and the client system receives a request for a content asset from a user device and authorizes said user device for access to the content asset. The client system uses the signing key to generate a signed URL for the content asset, and the user device is redirected to the signed URL. Responsive to receiving, by the edge node, the signed URL from the user device, the method proceeds to validating the signed URL by the edge node. Validating the signed URL uses the server secret to rederive the signing secret based on the signed URL.

Abstract: Disclosed are methods and apparatuses for electronic signature. The method for electronic signature comprises obtaining a hash value of a first key created for a user and a user identifier of the user, generating a key certificate of the first key based on the obtained hash value, the user identifier and a current key, recording the key certificate on a public medium, which public medium ensures that information published thereon is not tampered with, signing a file with the first key and recording a resulting file signature and the file on the public medium, and recording the first key on the public medium only after the file is already on the public medium. With the technical solution of the disclosure, a key can be effectively utilized.

Abstract: A device (40) for generating a watermarked stream (39), comprising: at least one input interface (41) configured to receive encrypted control messages (20) and conditional access streams (30) including a main stream (33) and protected watermarking data streams (35) from which a watermarking information (38) can be embedded in said watermarked stream (39); a security module (43) configured to process said control messages (20) and to control access to said conditional access streams (30); a descrambler (45) configured to remove protection applied on at least some of said conditional access streams (30); a watermarking unit (47) configured to generate the watermarked stream (39) from said conditional access streams (30) by selectively processing said watermarking data streams (35) depending on access data (AC, AR) included in some of said control messages (20).

Abstract: A computer implemented method of updating software of embedded devices connected to a central dispatch device, comprising using one or more processors of a central dispatch device, the processor(s) are adapted for executing a code for obtaining a respective update package for one or more of a plurality of embedded devices which are operatively connected to the central dispatch device via a communication interconnection, transferring a transient update agent to the embedded device(s) and transferring the update package to the embedded device(s), the one or more embedded devices execute the transient update agent to apply the update package in the one or more embedded devices. The one or more embedded devices discard the transient update agent after the update package is applied.

Abstract: According to one embodiment of the invention, a subtoken corresponding to a primary token is generated. The primary token corresponds to a credential. The credential may be, for example, a primary account number (PAN) corresponding to a payment account. The subtoken may be a temporary, one-time use subtoken based on a primary token associated with the credential that allows a user to conduct a transaction from his or her account, while still providing security for the user's sensitive data. The subtoken may contain a header and an obfuscated portion. The header of the subtoken routes the subtoken to the entity issuing the subtoken for translation into the primary token. The obfuscated portion acts as a pointer to the primary token and data associated with the primary token. A same check digit may be included in the subtoken, the primary token, and the credential, in order to ensure that the transaction is not improperly denied.

Abstract: A program writing method in which a program is written into a flash ROM that a microcomputer includes therein includes: a generating step for generating a version representative value indicating a version of a source directory from predetermined types of files included in the source directory; an additionally writing step for additionally writing the version representative value into a source file included in the source directory; and a program writing step for writing a program corresponding to the source directory generated by compiling the source file into which the version representative value has been additionally written into the flash ROM.

Abstract: The present disclosure relates to domain name resolution technology and discloses a DNS resolution method, an authoritative DNS server and a DNS resolution system. In some embodiments, the authoritative DNS server receives a target domain name resolution request sent by a LDNS server, where the target domain name resolution request includes content information; the authoritative DNS server determines a target domain name resolution result according to the content information, and returns the target domain name resolution result to the LDNS server.

Abstract: A vertically integrated retail system includes an embedded storefront adapted to operate in a distributed manner through independent units embedded in different web sites or content in other host applications. Each unit of the embedded storefront enables a user to purchase goods, services, or other entities without leaving the host application. The units are modules that may be inserted into a web page, application, game, or other electronic media. Units can include product content such as video or animation, images, text, audio, music, or any other type of interactive or non-interactive electronic content. A user may receive virtual currency, virtual goods (such as virtual items or enhancements within a game application), or other rewards for completing transactions using the unit in the host application. Units may be embedded in host content via hyperlinks included in the content or through an application programming interface of a host content provider.

Abstract: Provided is a system and method for implementing remote trust services for blockchain. In one example, the method may include one or more of retrieving block content from a portion of a blockchain via an application programming interface (API), in response to a triggering event being detected, calling an off-chain trust service to sign the retrieved block content, receiving accreditation results of the retrieved block content from the off-chain trust service, the accreditation results comprising an indication of whether the retrieved block content has been successfully signed, and writing the received accreditation results to a block within the blockchain.

Abstract: A method of registration and access control of identity for third-party certification is provided. The method has steps of registration and steps of access control. The steps of registration have: controlling a user-end computer apparatus to retrieve an identity image of an identity document of a user; executing processes on the identity image for obtaining identity data; retrieving embedded identity data from the identity document; and configuring and registering the identity data if the data are matched with each other. The steps of access control have: controlling the user-end computer apparatus to verify user's identity upon reception of request of identity access, and generating and returning return identity data to a request-end computer apparatus.

Abstract: Disclosed herein are methods, systems, and apparatus, including computer programs encoded on computer storage media, for electronically stamping a document. One of the methods include receiving an electronic stamping instruction, where the electronic stamping instruction comprises a to-be-stamped document and a stamping type. In response to determining that a format of the to-be-stamped document is a predetermined document format and the stamping type is a first stamping type, a first to-be-stamped area of the to-be-stamped document is determined. An electronic stamp corresponding to the to-be-stamped document is identified using an encryption algorithm interface. A first electronically stamped document is generated and include the electronic stamp in the first to-be-stamped area.

Abstract: Method for registering an electronically stored digital document (A), comprising the steps of a) providing to an owning party a digital document and a private ownership key, which private ownership key is a private key in an asymmetric cryptographic key pair also comprising a corresponding public ownership key; b) calculating a digital document hash value based upon the document (A); c) the owning party using the private ownership key to calculate a digital document signature of the document (A); d) digitally storing in an electronic digital document register not the document (A), but the document signature as well as the public ownership key and the document hash value. The invention also relates to a system.

Abstract: Concepts for defining authority for triggering an expression within an enterprise workspace from an external service outside the enterprise workspace are presented. Such concepts define a rolling key function configured to generate a rolling key. A secret is defined as a starting point for the rolling key function. The secret and the rolling key function are securely shared with the external service.

Abstract: Systems and methods for authenticating a user of a mobile electronic device to use a FIDO (fast identification online) compliant application in the device are provided. These entail receiving a user authentication input at the mobile electronic device and caching the authentication input. While the authentication input remains cached, the user is authenticated to use the mobile electronic device via the authentication input. The mobile electronic device is then unlocked and the FIDO compliant application is opened. Secure delayed FIDO authentication is then executed by providing the cached authentication input to the FIDO compliant application to open an authenticated session of the user on the FIDO compliant application.

Abstract: Data transmission system and method with high security are introduced for communicative connection of a transmitter device to a receiver device through a data transmission channel. The transmitter device includes multiple asymmetric encoding packers, and the receiver device includes a multiplex-decoding processor corresponding to the asymmetric encoding packers. After the transmitter device performs pre-processing on original data according to a source of the original data, the asymmetric encoding packers perform encoding packing on the pre-processed original data and generate multiple encoded data. The encoded data are sent to the receiver device through the data transmission channel, and are decoded by the multiplex-decoding processor to obtain restored data. Accordingly, enhancing security and convenience of data transmission are achieved.

Abstract: Systems and methods for generating certified images and incident reports are disclosed. An image capture device can be used to capture an image and integrate metadata from camera sensors as well as other ancillary device sensors into the image. The image and its metadata can then be certified upon a check that the image and its metadata are authentic and unaltered. The image and its metadata can then be included in or as a part of an incident or other report describing an incident or event such as an accident or a crime. The image and/or incident report may be maintained at a cloud-based server for viewing, authorized editing, and subsequent distribution.

Abstract: A method performed by a content management system (CMS) and an edge node of a content delivery network is provided. A server secret is shared between the CMS and the edge node, and CMS uses the server secret to generate a signing key which includes a signing secret generated using the server secret. The signing key is transmitted to a client system. The client system receives a request for a content asset from a user device. The client system uses the signing key to generate a signed URL for the content asset, and the user device is redirected to the signed URL. The edge node validates the signed URL using the server secret to rederive the signing secret based on the signed URL. Responsive to successful validation of the signed URL by the edge node, then the content asset is provided from the edge node to the user device.

Abstract: Rebalancing as a result of re-encoding a code chunk in response to scaling out of a geographically diverse storage system employing erasure coding technology is disclosed. After a scaling out event, a new erasure coding scheme can be selected. An old coding chunk generated according to an old erasure coding scheme can be re-encoded into a new coding chunk according to the new erasure coding scheme and based on a data chunk not previously protected by the old coding chunk. The re-encoding can be selected to diversify distribution of chunks, resulting in rebalancing occurring as part of re-encoding. In an embodiment, the new coding chunk can be generated in a new zone from the scaling out event. In another embodiment, the data chunk can be moved to the new zone from the scaling out event.

Abstract: A method for verifying a property of plaintext using ciphertext is disclosed. In an embodiment, a computing device may receive the ciphertext at a trusted execution environment (TEE) of the computing device. The TEE may decrypt the ciphertext to generate the plaintext using a private encryption key of an encryption key pair. The encryption key pair comprises a public encryption key and the private encryption key. The TEE may generate a digitally signed validation result by encrypting the validation result using a private signing key of a signing key pair. The signing key pair comprises a public signing key and the private signing key. The private key is retrieved from secure memory of the computing device, and the secure memory may only be accessible by the TEE. The computing device may then transmit the digitally signed validation result.

Abstract: An electronic terminal capable of using a function of payment includes a wearing detector, a communicator, and a processor. The wearing detector detects whether the electronic terminal is worn by a user. The communicator communicates with a wireless communication apparatus via near field communication. The processor changes, based on information that is obtained by the wearing detector and the communicator, whether to enable or disable use of the function of payment.

Abstract: The invention relates to an industrial testing device communicating with a data center located in a remote computer network, such as the cloud. Disclosed is a method of registering the device to the cloud and specifying the geographical location of the data center. The method includes selecting a data center from a list of available data centers based on regulations specific to a device type of the industrial testing device. Features are configured for communication between the device and the selected data center.

Abstract: There is provided an optical distance measurement system including an image sensor and a processing unit. The processing unit is configured to generate an image to be calculated according to at least one image captured by the image sensor, wherein different image regions of the image to be calculated correspond to different exposure times thereby improving the accuracy of the distance calculation.

Abstract: In example implementations, a mobile device is provided. The mobile device includes a first antenna, a second antenna, a radio module and a memory. The radio module includes four antenna ports. The first antenna is in communication with a first port of the four antenna ports and the second antenna is in communication with a second port of the four antenna ports. The memory stores a configuration of the radio module that deactivates a third port and a fourth port of the four antenna ports of the radio module.

Abstract: Provided herein are systems and methods for secure document sharing in a database system. For example, a system includes at least one hardware processor and a memory. The memory stores instructions that cause the at least one hardware processor to perform operations including receiving a query for a data set from a client device. The data set is shared in a data exchange by a data provider. The operations further include retrieving a data file responsive to the query for the data set. A security function is applied to the retrieved data file to generate a modified data file. A scoped uniform resource locator (URL) associated with the modified data file is encoded for transmission to the client device. The scoped URL includes an encrypted hash with a storage location of the modified data file.

Abstract: An information handling system includes a basic input/output system that checks for a first-time password in NVRAM, and prompts a user for a password when the first-time password is present. A processor compares the password to the first-time password, deletes the first-time password from the NVRAM when the password matches the first-time password, and boots the information handling system when the password matches the first-time password.

Abstract: A data provision system includes a data provision device and a data security device installed in a vehicle. The data provision device includes a vehicle interface configured to transmit data to and receive data from the vehicle; and an cryptographic processing unit configured to generate an electronic signature of application data to be applied to an in-vehicle computer installed in the vehicle by using a secret key of the data provision device, wherein application data with the electronic signature, which is obtained by attaching the electronic signature to the application data, is transmitted to the vehicle through the vehicle interface. The data security device includes an interface unit configured to transmit data to and receive data from a device outside the data security device; and an cryptographic processing unit configured to verify the electronic signature of the application data with the electronic signature received from the data provision device.

Abstract: Methods of authenticating a file are disclosed. A method may include selecting, via an identifier, a subset of data segments of a file. The method may also include executing, via a microcontroller, a cryptographic function on only the subset of data segments of the file to generate a digest. Further, the method may include generating, via the microcontroller, an authenticator based on the digest and a private key. The method may also include conveying the file, the identifier, and the authenticator to a cryptography element. In addition, the method may include executing, via the cryptography element, the cryptographic function on the subset of data segments of the file to generate a second digest. Furthermore, the method may include authenticating, via the cryptography element, the file via verification of the authenticator based on the second digest and a public key of the microcontroller.

Abstract: A specialized apparatus for recording medical transactions designed to protect patient privacy when necessary to record private biometric individual data. The mechanisms and proprietary methods scramble the biometric data within the recording device, unrecoverable when leaving recording device with high assurance, yet an audit copy can forward to outside permanent storage and systems.