Tickets (e.g., Kerberos Or Certificates, Etc.) Patents (Class 726/10)
  • Patent number: 12271510
    Abstract: The disclosure relates to the field of computer security. Provided are a method for implementing a firmware root-of-trust, and an apparatus, a device, and a readable storage-medium thereof. The method includes: setting a storage-medium for storing state-data of the firmware root-of-trust; integrating a processing-logic of an instruction of the firmware root-of-trust into a system-firmware; initializing the firmware root-of-trust, according to the state-data of the firmware root-of-trust and a startup-command of the firmware root-of-trust; creating a node of a device-tree for the firmware root-of-trust, for an operating-system to load a driver-program corresponding to the firmware root-of-trust; and registering an instruction-interface of the firmware root-of-trust into an interface-list.
    Type: Grant
    Filed: May 27, 2022
    Date of Patent: April 8, 2025
    Assignee: SUZHOU METABRAIN INTELLIGENT TECHNOLOGY CO., LTD.
    Inventors: Xin Xu, Baoxi Wu, Chunchao Han
  • Patent number: 12271473
    Abstract: A method for processing trust and security for leased infrastructure includes: detecting a first audit event directed to the leased infrastructure; initiating, in response to detecting the first audit event, an execution of a first trust audit; making a first determination, based on a result of the first trust audit, that the first audit event is a verified event; and transmitting, in response to the first determination and to a computing device of a user leasing the leased infrastructure, first instructions for the computing device to display a first output notifying the user that the leased infrastructure is in a trusted domain.
    Type: Grant
    Filed: September 15, 2021
    Date of Patent: April 8, 2025
    Assignee: EMC IP HOLDING COMPANY LLC
    Inventors: Srinivas Gowda, Shyam Iyer, Syama Poluri
  • Patent number: 12267676
    Abstract: Methods and systems for authentication and establishment of secure connection for accessing edge computing services are provided. The method includes dynamically deriving a pre-shared key (PSK) and using the dynamically derived PSK for the authentication, while performing or before performing a secure connection establishment or while or before establishing a secure interface between a user equipment (UE) and a server, wherein the UE includes an Edge Enabler Client (EEC), and the server is an Edge Configuration Server (ECS). The method further includes deriving the PSK based on an Authentication and Key Management for Applications (AKMA) application key.
    Type: Grant
    Filed: October 8, 2021
    Date of Patent: April 1, 2025
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Rajavelsamy Rajadurai, Nishant Gupta, Rohini Rajendran, Nivedya Parambath Sasi
  • Patent number: 12261837
    Abstract: In some implementations, a user device may determine that the user device was granted access to a first set of resources by a first authentication process. The user device may receive a request to access a second set of resources. The user device may generate, based on the request, a token that indicates that the user device was granted access to the first set of resources by the first authentication process. The user device may transmit, based on the request, the token to a server device to cause a second authentication process to be performed on the token. The user device may receive, from the server device, access information indicating whether access to the second set of resources is granted or denied based on transmitting the token to the server device.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: March 25, 2025
    Assignee: Capital One Services, LLC
    Inventors: Galen Rafferty, Austin Walters, Jeremy Goodsitt, Anh Truong, Grant Eden
  • Patent number: 12244598
    Abstract: Disclosed are systems and methods that provide a framework that enables users to delegate other users as operators of their securely held account credentials via services backed by OAuth protocols. The disclosed framework provides functionality for users to be delegated access to other users' account credentials, information and resources for the performance of specific electronic transactions. The framework operates by connecting two OAuth registered users so that one user can perform an electronic transaction using another user's securely held credentials upon approval by the other user. This ensures that each electronic transaction is securely held and performed, and operated under the control of the delegator despite performance of the transaction by the delegatee involving the delegator's account information.
    Type: Grant
    Filed: November 29, 2021
    Date of Patent: March 4, 2025
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Suresh Ramaswamy, Sameh El-Gawady, Praveen Kumar Velanati
  • Patent number: 12213211
    Abstract: Aspects of the subject disclosure may include, for example, receiving, from a computing device, a user request to perform a subscriber identity module (SIM) swap for a subscriber, wherein the computing device and a user device are accessible to a user, based on the receiving the user request, generating a code for the SIM swap, resulting in a generated code, providing the generated code to the computing device for presentation, obtaining, from the user device, data associated with the user, the user device, or a combination thereof, facilitating user authentication responsive to the obtaining the data, detecting a transmission of a particular code from the user device, resulting in a detected code, and, based on the detecting the transmission and based on the facilitating the user authentication, performing an action relating to the SIM swap. Other embodiments are disclosed.
    Type: Grant
    Filed: January 28, 2022
    Date of Patent: January 28, 2025
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Lars Benjamin Johnson, Wei Wang, Rachel Rosencrantz, Mikhail Istomin
  • Patent number: 12197565
    Abstract: The concepts and technologies disclosed herein are directed to providing a split ledger for securing extended reality (“XR”) environments. According to one aspect, an XR server computer can create an XR environment. The XR server computer can cause a passed ledger to be populated with an environment ID associated with the XR environment. The XR server computer can cause a hash ledger to be populated with a first hash of the environment ID. The XR server computer can register a user for participating in the XR environment and can cause the passed ledger to be populated with a user-created block associated with the user. The XR server computer can cause the hash ledger to be further populated with a second hash of the user-created block. The XR server computer can allow a user avatar associated with the user to join the XR environment.
    Type: Grant
    Filed: November 23, 2022
    Date of Patent: January 14, 2025
    Assignee: AT&T Intellectual Property I, L.P.
    Inventors: Wei Wang, Lars Johnson, Mikhail Istomin, Rachel Rosencrantz
  • Patent number: 12192362
    Abstract: Disclosed are methods and systems for securely providing identity attributes. A server computer may receive, from a relying entity, a request for identity attributes associated with a target entity, wherein the request for identity attributes includes a session identifier associated with the target entity and an identifier of the relying entity. The server computer may validate the request based on the session identifier. The server computer may identify, based on the identifier of the relying entity, a package defining types of identity attributes for the relying entity and a data access token associated with the package. Based on validating the request, the server computer may transmit, to a digital identity provider, a request for a set of identity attributes corresponding to the package, the request comprising the data access token. The server computer may receive, from the digital identity provider, the set of identity attributes.
    Type: Grant
    Filed: March 2, 2023
    Date of Patent: January 7, 2025
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventor: Michael Steven Bankston
  • Patent number: 12192267
    Abstract: A server computer system, comprises a processor; a communications module coupled to the processor; and a memory coupled to the processor, the memory storing instructions that, when executed, configure the processor to receive, via the communications module and from a client device, a signal including a request to configure a transfer of data to a particular data record; determine that the particular data record is associated with a third party server; obtain a trust score associated with the particular data record; determine that the trust score satisfies trust criteria; and responsive to determining that the trust score satisfies trust criteria, enable one or more transfer features associated with a real-time transfer protocol.
    Type: Grant
    Filed: July 13, 2023
    Date of Patent: January 7, 2025
    Assignee: The Toronto-Dominion Bank
    Inventors: Milos Dunjic, David Samuel Tax, Kushank Rastogi, Vipul Kishore Lalka
  • Patent number: 12177392
    Abstract: A camera generates a random number, displays a Quick Response (QR) code representing the generated random number, and transmits the generated random number to a web server. A smart phone captures an image of the QR code displayed on the camera, acquires the random number based on the captured QR code, and transmits the acquired random number to the web server. The web server registers the camera based on a match between the random number transmitted from the camera and the random number transmitted from the smart phone.
    Type: Grant
    Filed: March 22, 2022
    Date of Patent: December 24, 2024
    Assignee: Canon Kabushiki Kaisha
    Inventor: Kohtaro Koike
  • Patent number: 12177205
    Abstract: In one embodiment, an edge device of a network maintains intermediate certificates derived from root certificates of different cloud services that identify the edge device to those different cloud services. The edge device receives identity information for a particular device in the network. The edge device generates, using at least one of its intermediate certificates and the identity information for the particular device, one or more local digital identity certificates for the particular device. The edge device causes the particular device to be onboarded to a target cloud service from among the different cloud services, in part by providing the one or more local digital identity certificates to the particular device and to the target cloud service.
    Type: Grant
    Filed: April 18, 2022
    Date of Patent: December 24, 2024
    Assignee: Cisco Technology, Inc.
    Inventors: Daniel Eckstein, Robert E. Barton, Anthony Pisani
  • Patent number: 12158936
    Abstract: A control system for a technical installation, in particular a process or manufacturing installation, includes at least one component upon which a certificate service is computer implemented, wherein the certificate service is configured to check a certificate store that is assigned to the component or a further component to determine whether two or more certificates, which only differ from one another in terms of their validity period, are stored in the certificate store, and in the event of the check identifying two or more certificates of this type, to initiate revocation and removal from the certificate store of the certificate or certificates with the validity period that ends the earliest, such that only the certificate with the validity period that ends the latest remains stored in the certificate store.
    Type: Grant
    Filed: October 27, 2022
    Date of Patent: December 3, 2024
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventor: Anna Palmin
  • Patent number: 12160415
    Abstract: A system and method for exchanging data among partitions of a storage device is disclosed. For example, data stored in a first partition is exchanged with an application included in the first partition or with a second application included in a second partition. In one embodiment, the second application is associated with a global certificate while the first application is associated with a different platform certificate. A verification module included in the first partition receives a request for data and determines if the request for data is received from the first application. If the request for data is not received from the first application, the verification module determines whether the request is received from the second application and whether the global certificate is an authorized certificate. For example, the verification module determines whether the global certificate is included in a listing of authorized certificates.
    Type: Grant
    Filed: March 8, 2021
    Date of Patent: December 3, 2024
    Assignee: Google Technology Holdings LLC
    Inventors: Rashmi Chaudhury, Srinivas Attaluri, Fangge Liu, Lakshmi Thyagarajan
  • Patent number: 12149623
    Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.
    Type: Grant
    Filed: June 9, 2022
    Date of Patent: November 19, 2024
    Assignee: OPEN TEXT INC.
    Inventors: Andrew Sandoval, Eric Klonowski
  • Patent number: 12111929
    Abstract: Ransomware attacks may be prevented by monitoring file access requests. When a process requests a directory listing, the results provided may be modified based on whether the process is trusted or not. For trusted processes, the results provided are the actual directory listing, while the results provided to processes that aren't trusted may be modified to include seeded files. Access to the seeded files may be monitored to determine if the process is associated with a ransomware attack, and steps taken to mitigate an attempted ransomware attack. Ransomware may also be prevented by ensuring that only trusted processes are allowed to access certain files. In order to provide an improved user experience, the processes can be determined automatically from a system structure and their trustworthiness determined.
    Type: Grant
    Filed: October 20, 2020
    Date of Patent: October 8, 2024
    Assignee: Field Effect Software Inc.
    Inventor: Matthew Holland
  • Patent number: 12101316
    Abstract: Systems and methods for enhanced authentication techniques using virtual persona. An example method includes receiving a request associated with authorization of a user. Information identifying a virtual persona associated with the user is accessed, the virtual persona comprising meshes. Confidence measures associated with the user's identity are determined based on the meshes. The request is responded to based on the confidence measures.
    Type: Grant
    Filed: August 27, 2021
    Date of Patent: September 24, 2024
    Assignee: Health2047, Inc.
    Inventors: Charles Aunger, Roel Nuyts, Judy Barkal, Karl Ronn
  • Patent number: 12093934
    Abstract: Systems, computer program products, and methods are described herein for implementing layered authorization platform using non-fungible tokens. The present invention is configured to electronically receive, via a user input device, a document designated for notarization and an identification credential from a user; crawl through a distributed ledger to determine a non-fungible token (NFT) for the identification credential; retrieve, from the distributed ledger, the NFT for the identification credential; capture, via the user input device, a signature of the user on the document designated for notarization to create a signed document; generate, using an NFT generator, an NFT for the signed document; link the NFT for the signed document with the NFT for the identification credential; and record the NFT for the signed document in the distributed ledger.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: September 17, 2024
    Assignee: BANK OF AMERICA CORPORATION
    Inventor: Manu Jacob Kurian
  • Patent number: 12095770
    Abstract: Example implementations relate to connecting an IoT device to a wireless network using Device Provisioning Protocol (DPP). An authentication server receives a DPP network access authorization request including a connector identifier from an Access Point (AP) in communication with the IoT device. The connector identifier is a hash of the public network access key of the IoT device. If the connector identifier is valid, the authentication server determines a configurable policy from a set of configurable policies that is applicable to the IoT device. The authentication server transmits network permissions defined in the configurable policy to the AP. The IoT device is connected to the wireless network by the AP based on the network permissions.
    Type: Grant
    Filed: June 14, 2021
    Date of Patent: September 17, 2024
    Assignee: Hewlett Packard Enterprise Development LP
    Inventors: Yafeng Jiang, Daniel Harkins, Rajesh Kumar Ganapathy Achari, Amogh Guruprasad Deshmukh, Chunfeng Wang
  • Patent number: 12067093
    Abstract: Systems and methods for performing biometric authentication using a smart ring are disclosed. An exemplary method includes collecting biometric data using sensors of a smart ring while a user is wearing the smart ring, wherein the biometric data includes a heartbeat pattern. The method further includes performing an authentication operation by (i) comparing the collected biometric data to a biometric signature for a known user to determine whether the biometric data matches the biometric signature, and (ii) when the biometric data matches the biometric signature, authenticating the user by updating a record to indicate that the user has been identified and authenticated as the known user. The method also includes, when the record indicates that the user has been identified and authenticated, digitally signing transaction data using a private cryptographic key stored on a memory of the smart ring.
    Type: Grant
    Filed: July 13, 2020
    Date of Patent: August 20, 2024
    Assignee: QUANATA, LLC
    Inventor: Kenneth Jason Sanchez
  • Patent number: 12063316
    Abstract: A system can receive, by a cloud management platform, a request from a user account for a trust certificate. The system can provide, to the user account via a first pathway, the trust certificate, comprising a first portion of a secret. The system can provide, to the user account via a second pathway, a second portion of the secret. The system can receive, at an on-premises cloud controller (OPCC), data indicative of the first and second portions. The system can, in response to the OPCC validating the first secret, receive, by the cloud management platform and from the OPCC, a second request to instantiate a trust relationship, wherein the second request comprises a first message body that is signed and encrypted with the first secret. The system can send, by the cloud management platform and to the OPCC, a message that comprises a second trust certificate and a second secret.
    Type: Grant
    Filed: December 29, 2021
    Date of Patent: August 13, 2024
    Assignee: DELL PRODUCTS L.P.
    Inventor: Ching-Yun Chao
  • Patent number: 12058129
    Abstract: Policy-based genomic digital data sharing facilitates a variety of sharing scenarios, including public access, tenant-to-tenant sharing, workgroup sharing, and access by external service providers. Genomic digital data can be published to the platform and controlled by access tokens that are generated based on access policies. The policies can support conditions that are evaluated at execution time and effectively place control of access to information in hands of the owning tenant. Sharing conditions can be easily specified to support various use cases, relieving administrators from excessive access control configuration.
    Type: Grant
    Filed: June 25, 2021
    Date of Patent: August 6, 2024
    Assignee: Illumina, Inc.
    Inventors: Prabhu Palanisamy, Milan Karangutkar, Ryan Stinson
  • Patent number: 12058117
    Abstract: Techniques are provided for user identity verification using dynamic identification policies. One method comprises obtaining, by an identity management server, a validation request to evaluate an identity of a user, wherein the validation request is processed by the identity management server in connection with an access request of the user to access a protected resource provided by a service provider that is distinct from the identity management server. The validation request may comprise an identification policy, generated by the service provider in response to receiving the access request, that specifies authentication consensus constraints that apply to the access request.
    Type: Grant
    Filed: September 30, 2021
    Date of Patent: August 6, 2024
    Assignee: Dell Products L.P.
    Inventors: Amihai Savir, Jehuda Shemer, Stav Sapir, Naor Radami
  • Patent number: 12047908
    Abstract: A method performed in a wireless device, for enhancing paging operations with a network node is disclosed. The method comprises determining a group identifier based on a paging occurrence parameter, wherein the group identifier is indicative of a subset of wireless devices belonging to a paging group paged at a same paging occasion.
    Type: Grant
    Filed: October 9, 2019
    Date of Patent: July 23, 2024
    Assignee: Sony Group Corporation
    Inventors: Basuki Priyanto, Nafiseh Mazloum, Anders Berggren, Lars Nord
  • Patent number: 12045028
    Abstract: Disclosed is a method to create a digital twin which is a copy of a machine or a production system in a computer environment and usage of the created digital twin in the computer-based calculation. Digital twins which are developed by the method are created by physical laws/equations rather than solely by sensor data. Developed digital twins could be created/served with APIs by dividing thereof into small pieces and could be resold through a market place in form of an application.
    Type: Grant
    Filed: December 10, 2019
    Date of Patent: July 23, 2024
    Assignee: SIMULARGE BILISIM VE MÜHENDISLIK TEKNOLOJILERI ANONIM SIRKETI
    Inventors: Büryan Turan, Erhan Turan
  • Patent number: 12022002
    Abstract: Apparatus, methods, and computer program products for managing power sharing in electronic devices are disclosed. One apparatus includes a processor and a memory that stores code executable by the processor to determine, in real-time, whether one or more first electronic devices that are compatible with a second electronic device that is low on power are within a predetermined geographic distance of the second electronic device and, in response to determining that one or more first electronic devices that are compatible with the second electronic device are within the predetermined geographic distance of the second electronic device, transmit a request to the one or more first electronic devices inquiring whether any of the one or more first electronic devices are willing to share power with the second electronic device. Methods and computer program products that include and/or perform the operations of the apparatus are also disclosed.
    Type: Grant
    Filed: January 14, 2022
    Date of Patent: June 25, 2024
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Scott Li, Igor Stolbikov
  • Patent number: 12003655
    Abstract: Components of a public certificate authority (CA) generate respective cryptographic assertions during performance of respective tasks of a certificate issuance workflow and a workflow approval component approves/rejects certificate issuance, based upon verification of the cryptographic assertions. For example, a workflow manager may assign tasks of a certificate workflow process to a number of components that process the tasks. The components generate responses and sign the respective responses with keys particular to each component. The workflow manager gathers the cryptographic assertions and sends them to a workflow approval component that validates the assertions, verifies the assertions indicate successful completion of the workflow and approves or rejects certificate issuance.
    Type: Grant
    Filed: December 7, 2021
    Date of Patent: June 4, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Michael S. Slaughter, Trevoli Ponds-White, James Darrin Flanagan, Georgy Sebastian
  • Patent number: 11997222
    Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. A private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. The certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. The system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.
    Type: Grant
    Filed: April 28, 2022
    Date of Patent: May 28, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Zachary Bowen, Todd Lawrence Cignetti, Preston Anthony Elder, III, Brandonn Gorman, Ronald Andrew Hoskinson, Jonathan Kozolchyk, Kenneth Lawler, Marcel Andrew Levy, Kyle Benjamin Schultheiss, Sandeep Shantharaj, Param Sharma, Jose Maria Silveira Neto
  • Patent number: 11997488
    Abstract: A method of managing and verifying a certificate of a terminal is provided. The method includes obtaining certificate information that is usable when downloading and installing a specific bundle corresponding to at least one of a secondary platform bundle family identifier or a secondary platform bundle family custodian identifier, transmitting, to a secondary platform bundle manager, the certificate information corresponding to the at least one of the secondary platform bundle family identifier or the secondary platform bundle family custodian identifier of the specific bundle, and receiving, from the secondary platform bundle manager, at least one of a certificate of the secondary platform bundle manager, certificate information to be used by a smart secure platform (SSP), the secondary platform bundle family identifier, or the secondary platform bundle family custodian identifier.
    Type: Grant
    Filed: February 6, 2023
    Date of Patent: May 28, 2024
    Assignee: Samsung Electronics Co., Ltd.
    Inventors: Kangjin Yoon, Jonghoe Koo, Duckey Lee, Taehyung Lim
  • Patent number: 11971422
    Abstract: The invention discloses a digital slide scanner sample identification device, and relates to the digital slide scanner for solving the problem that a bar code scanner can normally read a bar code label through the light contact, and the samples cannot be read due to the shielding of the bar code since the samples are stored in the digital slide scanner or scanning samples are stacked. The device comprises a digital slide scanner, and scanning samples; a near-field communication NFC read-write module is arranged in the digital slide scanner, and a NFC label is arranged on each scanning sample. By using the NFC technology, the NFC label data in a large amount of scanning samples can be read within short time, a feedback indication can be provided, and the working efficiency is greatly improved. The invention further discloses a digital slide scanner sample identification method.
    Type: Grant
    Filed: October 17, 2019
    Date of Patent: April 30, 2024
    Assignee: MOTIC CHINA GROUP CO., LTD.
    Inventors: Jun Kang, Jianping Jiang, Muwang Chen
  • Patent number: 11962580
    Abstract: A multi-factor authentication scheme uses an MFA authentication service and a browser extensionless phish-proof method to facilitate an MFA workflow. Phish-proof MFA verifies that the browser the user is in front of is actually visiting the authentic (real) site and not a phished site. This is achieved by only allowing MFA to be initiated from a user trusted browser by verifying its authenticity through a signing operation using a key only it possesses, and then also verifying that the verified browser is visiting the authentic site. In a preferred embodiment, this latter check is carried out using an iframe postMessage owning domain check. In a variant embodiment, the browser is verified to be visiting the authentic site through an origin header check. By using the iframe-based or ORIGIN header-based check, the solution does not require a physical security key (such as a USB authenticator) or any browser extension or plug-in.
    Type: Grant
    Filed: November 17, 2021
    Date of Patent: April 16, 2024
    Assignee: Akamai Technologies, Inc.
    Inventor: Charles E. Gero
  • Patent number: 11962593
    Abstract: A principal database is described in which each entry includes one principal identity, and one or more alias identities that may each have an authorization scope. Principal identity attributes include a principal identifier and login credentials, and alias identity attributes include an authorization scope and login credentials. Responsive to successfully authenticating the user for a first application (a multiple-identity application), based on the alias identity login credentials, an access token containing both the alias identity attributes and the principal identity attributes is transmitted to the first application, causing the first application to grant a scope of access based on the authorization scope. Responsive to a request to authenticate the user for a second application (a single-identity application), the access token is transmitted to the second application without re-authenticating the user, causing the second application to grant a scope of access based on the principal identifier.
    Type: Grant
    Filed: August 24, 2021
    Date of Patent: April 16, 2024
    Inventors: Ricardo Fernando Feijoo, Thomas Michael Kludy
  • Patent number: 11947569
    Abstract: Systems and methods are provided for investigating network activities. Network activity information may be accessed. The network activity information may describe for an individual (1) respective relationship with one or more persons; and (2) respective activity status information indicating whether a given person has engaged in a particular activity. A network activity graph may be generated based on the network activity information. The network activity graph may include two or more nodes representing the individual and the one or more persons. Connections between the nodes may represent the respective relationships between the individual and the one or more persons. Data corresponding to the network activity graph may be presented through an interface.
    Type: Grant
    Filed: August 21, 2022
    Date of Patent: April 2, 2024
    Assignee: Palantir Technologies Inc.
    Inventors: Benjamin Funk, Christian Burchhardt, Jakob Juelich, Lawrence Manning, Matthew Elkherj
  • Patent number: 11941103
    Abstract: Method, apparatus and computer program product for multi-device user authentication are described herein. For example, the apparatus includes at least one processor and at least one non-transitory memory including program code.
    Type: Grant
    Filed: October 25, 2022
    Date of Patent: March 26, 2024
    Assignee: Salesforce, Inc.
    Inventors: Faisal Yaqub, Chase Rutherford-Jenkins, Graham Hicks
  • Patent number: 11901040
    Abstract: A genomic update system can generate a user interface from network pages based on user variant data and network services associated with the network pages. A trait data structure tracks network services for different trait categories. A given network page of a given category can be used to identify a different category and different network services and content for display to a user. Content in the trait data structure can be included in a user interface with additional contextual visualizations that allow the user to interact with the links and content via a user device, such as a handheld mobile device.
    Type: Grant
    Filed: February 22, 2021
    Date of Patent: February 13, 2024
    Assignee: Helix, Inc.
    Inventors: Keith Dunaway, Anna Merkoulovitch, Andrew Shinohara, Anupreet Walia
  • Patent number: 11870816
    Abstract: Custom policies are definable for use in a system that enforces policies. A user, for example, may author a policy using a policy language and transmit the system through an application programming interface call. The custom policies may specify conditions for computing environment attestations that are provided with requests to the system. When a custom policy applies to a request, the system may determine whether information in the attestation is sufficient for the request to be fulfilled.
    Type: Grant
    Filed: September 26, 2022
    Date of Patent: January 9, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Gregory Branchek Roth, Eric Jason Brandwine
  • Patent number: 11863664
    Abstract: A method for performing key exchange for a security operation in a storage device includes generating, by a trusted third party (TTP), a first certificate based on a first user ID and first public key and generating a second certificate based on a second user ID and second public key. While the storage device is accessed by the first user ID, a first verification is performed on the second certificate based on a third certificate. When the first verification is successfully completed, a ciphering key is derived based on a first private key and the second public key. While the storage device is accessed by the second user ID, a second verification is performed on the first certificate based on the third certificate. When the second verification is successfully completed, the ciphering key is derived based on a second private key and the first public key.
    Type: Grant
    Filed: May 21, 2021
    Date of Patent: January 2, 2024
    Assignee: SAMSUNG ELECTRONICS CO., LTD.
    Inventor: Younsung Chu
  • Patent number: 11856116
    Abstract: Disclosed is a device and method to secure software update information for authorized entities. In one embodiment, a device for receiving secured software update information from a server, the device includes: a physical unclonable function (PUF) information generator, comprising a PUF cell array, configured to generate PUF information, wherein the PUF information comprises at least one PUF response output, wherein the at least one PUF response output is used to encrypt the software update information on the server so as to generate encrypted software update information; a first encrypter, configured to encrypt the PUF information from the PUF information generator using one of at least one public key from the server so as to generate encrypted PUF information; and a second encrypter, configured to decrypt the encrypted software update information using one of the at least one PUF response output so as to obtain the software update information.
    Type: Grant
    Filed: October 28, 2022
    Date of Patent: December 26, 2023
    Assignee: Taiwan Semiconductor Manufacturing Co., Ltd.
    Inventor: Shih-Lien Linus Lu
  • Patent number: 11856092
    Abstract: An example operation may include one or more of encrypting content via an encryption key to generate encrypted content, storing the encrypted content via a distributed ledger, splitting the encrypted encryption key into a set of key shares via a threshold secret sharing scheme, and distributing the set of key shares among a plurality of nodes of a distributed vault, where each key share is distributed with an expiry value that identifies when the respective key share is to be deleted by a node.
    Type: Grant
    Filed: June 2, 2021
    Date of Patent: December 26, 2023
    Assignee: International Business Machines Corporation
    Inventors: Artem Barger, Yacov Manevich, Yoav Tock
  • Patent number: 11831790
    Abstract: A method is provided for automating management of automatic renewal of a public key infrastructure (PKI) certificate issued by a certificate authority (CA) for a subscriber. The method includes steps of causing the subscriber to (i) transmit a first alert to a management entity for initiating renewal of the PKI certificate, and (ii) transmit a certificate signing request (CSR) to a registration authority (RA) for issuance of a renewal certificate. The method further includes steps of (iii) transmitting, from the RA to the CA, the CSR signed by the RA, (iv) receiving, at the RA from the CA, an issued renewal certificate signed by the CA, (v) sending, from the RA to the subscriber, the issued renewal certificate signed by the CA, and (vi) causing the subscriber to transmit a second alert to a management entity indicating renewal of the PKI certificate.
    Type: Grant
    Filed: December 17, 2021
    Date of Patent: November 28, 2023
    Assignee: Cable Television Laboratories, Inc.
    Inventors: Steven J. Goeringer, Brian A. Scriber, Darshak Thakore, Massimiliano Pala
  • Patent number: 11792206
    Abstract: A connection management apparatus of a relay system specifies, when terminal identification information for identifying a target terminal is acquired from a client terminal, a first relay apparatus that relays communication, and specifies connecting information for the client terminal to connect to the first relay apparatus. The connection management apparatus stores the specified connecting information and the terminal identification information in a storage in association with each other, and notifies the client terminal of the specified connecting information. When the specified first relay apparatus receives access based on the connecting information from the client terminal, the specified first relay apparatus relays the communication between the client terminal and the target terminal on the basis of the terminal identification information associated with the connecting information.
    Type: Grant
    Filed: July 6, 2021
    Date of Patent: October 17, 2023
    Assignee: SORACOM, INC.
    Inventors: Kenta Yasukawa, Motokatsu Matsui, Taiki Kawakami
  • Patent number: 11792074
    Abstract: The present invention provides a system and method for remote configuration and management of internet of thing devices, whereby applications do not need to explicitly participate in a particular configuration scheme and the application configuration and management can be performed securely and remotely while the Secure Remote Management engine is architecturally decoupled from the bearing protocols used by the remote enterprise to configure and manage the device or devices.
    Type: Grant
    Filed: January 30, 2021
    Date of Patent: October 17, 2023
    Inventors: John Geiger, Vinod Mukkamala, Timothy Winter
  • Patent number: 11774953
    Abstract: Disclosed is a method for checking the setting of predefined security functions of a field device of process and automation technology, wherein the predefined security functions relate to an access to a function of the field device by an unauthorized person. The method includes: identifying a user; starting by the user a query about the actual setting of the security functions predefined at the measuring point; comparing actual setting of the predefined security functions with a target setting of the predefined security functions defined by the stipulated security level; and outputting an electronic report about the matching or deviation of the actual setting from the target setting of the predefined security functions. Depending on the matching or deviation of the actual setting from the target setting of the predefined security functions, different steps are carried out.
    Type: Grant
    Filed: November 23, 2020
    Date of Patent: October 3, 2023
    Assignee: Endress+Hauser Wetzer GmbH+Co. KG
    Inventor: Michael Kuhl
  • Patent number: 11777919
    Abstract: Systems and methods for enhancing file systems with file system objects that automatically expire. An example method may involve: scanning, by a processing device, a data storage node, wherein the data storage node comprises multiple certificates associated with file system objects in a plurality of different data storage nodes; iterating through the multiple certificates to determine a set of certificates, wherein the set of certificates comprises certificates that are invalid; and initiating a deletion of the file system objects in the plurality of different storage nodes.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: October 3, 2023
    Assignee: Red Hat, Inc.
    Inventors: Vivek ShivBhagwan Agarwal, Nagaprasad Sathyanarayana
  • Patent number: 11763032
    Abstract: A method preserves privacy in an HTTP communication between a client and a server. The method includes: intercepting an HTTP request that is sent from the client to the server; extracting a cookie from the HTTP request, the cookie including a cookie name and a cookie value; splitting the cookie value into information segments according to a split pattern; and modifying one or more of the information segments based on predefined modification rules. The split pattern for the cookie value is received from a cookie format analyzer. The cookie format analyzer selects the split pattern by: generating multiple lists of data formats based on the cookie name, and selecting one of the lists as the split pattern based on similarity and frequency features associated with the data formats.
    Type: Grant
    Filed: September 29, 2020
    Date of Patent: September 19, 2023
    Assignee: NEC CORPORATION
    Inventors: Roberto Gonzalez Sanchez, Miriam Marciel, Lili Jiang
  • Patent number: 11765149
    Abstract: A first instruction to store an entity identification (ID) in a memory of a device may be received. The entity ID may be stored in the memory in response to receiving the first instruction. Furthermore, a second instruction to store a value based on a key in the memory of the device may be received. A determination may be made as to whether the value based on the key that is to be stored in the memory corresponds to the entity ID that is stored in the memory. The value based on the key may be stored in the memory of the device when the value based on the key corresponds to the entity ID.
    Type: Grant
    Filed: October 4, 2019
    Date of Patent: September 19, 2023
    Assignee: Cryptography Research, Inc.
    Inventors: Ambuj Kumar, Daniel Beitel, Benjamin Che-Ming Jun
  • Patent number: 11755723
    Abstract: A method for validation of virtual function pointers includes compiling a source code file with one or more classes whereby each of the classes has a virtual table, and the compiling includes associating a security check function with the virtual function invocation site such that the associated security check function is executed prior to an invocation of the virtual function, generating a class hierarchy hash table (CHHT), whereby when the compiled source code file is executed, the security check function is used to determine whether an invoked virtual function pointer of a virtual function associated with the security check function is valid by looking up an indicator in the CHHT according to a hash result of the virtual function pointer and an address of a virtual table containing the virtual function pointer.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: September 12, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Ting Dai, Yongzheng Wu, Tieyan Li
  • Patent number: 11750589
    Abstract: A system and method is disclosed for transporting application data through a communications tunnel between a host device and a guest device that each includes networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and take into account various factors.
    Type: Grant
    Filed: January 5, 2023
    Date of Patent: September 5, 2023
    Assignee: NETOP SOLUTIONS A/S
    Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
  • Patent number: 11722307
    Abstract: The disclosure relates to an electronic device for processing a digital key and an operation method thereof. The electronic device for processing a digital key may include a communicator configured to receive a request from a digital key framework, verify a package, a signature information of the package, and a certificate information of the target device based on a first authentication information received from the digital key framework and a second authentication information stored in the secure element, and generate the digital key by using configuration information included in the package.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: August 8, 2023
    Inventors: Inyoung Shin, Sooyeon Jung, Jonghyo Lee, Taehyung Lim
  • Patent number: 11683684
    Abstract: Techniques described herein include utilizing a mobile device as a proxy receiver and/or transmitter for a vehicle in a V2X network. In some embodiments, the mobile device associated mobile device capabilities may be configured to obtain vehicle capabilities and store such data in memory at the mobile device. The mobile device may obtain any suitable combination of a reception credential and one or more transmission credentials. In some embodiments, the one or more transmission credentials may be generated by a credential authority based at least in part on determining that the vehicle capabilities and mobile device capabilities indicate that the sensor(s) and/or processing resources of the vehicle and/or mobile device meet transmission requirement thresholds for the network. The mobile device may subsequently transmit any suitable data message on behalf of the vehicle using at least one of the transmission credentials.
    Type: Grant
    Filed: July 23, 2020
    Date of Patent: June 20, 2023
    Assignee: QUALCOMM Incorporated
    Inventors: Benjamin Lund, Soumya Das, Edwin Chongwoo Park, Garrett Shriver
  • Patent number: 11663317
    Abstract: Systems and methods for controlling and tracking computer devices using a secure communication path between a central server and a machine control-file watchdog program. One or more machine control-files can be generated to control, limit and track a computer device using a machine control-file watchdog program. The system sets limits on the computer device to ensure the user operating the computer device stays within a restricted set of usage limitations. The machine control-file watchdog program protects the one or more machine control-files and additionally can report on all activities performed by the computer device to the central server.
    Type: Grant
    Filed: March 9, 2021
    Date of Patent: May 30, 2023
    Assignee: 3D Bridge Solutions Inc.
    Inventors: Gary Mousseau, Karima Bawa