Abstract: The disclosed technology relates to a system configured to generate an initial tree state, wherein the initial tree state includes three tree data structures configured to aid in the synchronization of content items managed by a content management system. The system is configured to provide the initial tree state to a client synchronization service, retrieve a final tree state from the client synchronization service, and determine whether the final tree state is correctly synchronized.

Abstract: An electronic device is provided. The electronic device includes a first short-range communication module configured to execute short-range communication with a second electronic device, a security module configured to store security information, and a processor configured to receive, from the second electronic device, a pairing key that registers the electronic device as being linked to the second electronic device, transmit session key generation information to the second electronic device when authentication with the second electronic device is completed based on the pairing key, generate a session key based on the session key generation information, encrypt the security information based on the session key, and transmit the encrypted information to the second electronic device.

Abstract: A computing resource service provider grants a first set of security permissions to a principal (e.g., a user) which may be used to access a plurality of computing resources. The permissions may be associated with a first security token. The principal may access resources using the first set of security permissions, and a system (e.g., a service provider) may identify a subset of security permissions that are sufficient to provide access to the computing resources accessed by the principal using the first set of permissions. The subset may be associated with the principal. In some cases, the principal operating under the subset of permissions may be denied access to a computing resource and may be granted access to the computing resource by operating under the first set of permissions.

Abstract: A method for defending a computing system against ransomware attacks is disclosed. In one embodiment, such a method includes identifying, on a computing system, files to be protected against ransomware attacks. The method appends a public key to each of the files. Upon receiving a request to modify a specific file, the method reads the public key appended to the file, requests an authentication token from a user, and computes a private key associated with the files. The method combines the public key, authentication token, and private key to generate an unlock key. This unlock key is compared to a validation key. The method authorizes modification of the file in the event the unlock key matches the validation key. A corresponding system and computer program product are also disclosed.

Abstract: The present disclosure relates to a communication technique for combining a 5G communication system for supporting a higher data transmission rate than a 4G system with an IoT technology, and a system therefor. The present disclosure can be applied to 5G communication and IoT related technology-based intelligent services (for example, smart homes, smart buildings, smart cities, smart cars or connected cars, health care, digital education, retail business, security and safety related services, etc.).

Abstract: Techniques for using sending communication data using a first communication system and a second communication system are described. When a request is received to send communication data, it is determined that sending the communication data includes the second communication system. A request for updated identification information, such as a security token, is therefore sent to the second communication system prior to, for example, determining further account information related to the initiator of the communication and/or an identity of a recipient of the communication. While the request is pending, additional requests for the identification information are delayed. When the new identification information is received, the communication data is sent.

Abstract: One embodiment provides event handling in a cloud based multi-tenant identity management system. Embodiments receive a plurality of individual events and a request to create a group from the individual events. Embodiments publish the group as a composite event and persist the composite event in a composite queue. Embodiments then dispatch the composite event to a composite handler, parse the composite event and persist the individual events in respective event queues.

Abstract: Selecting a persona for a Decentralized Identifier (DID) and associated DID document based on a trust score. A request for data or services associated with an owner of various decentralized identifiers (DID) is received. Each of the plurality of DIDs may have an associated DID document. The associated DID document for each of the DIDs defines a persona based on an amount of identifying information included in the DID document. Based on the received request, a trust score is assigned to an entity that generated the received request. The trust score is at least partially based on the verifiability of an identity of the entity that generated the received request. Based on the trust score, the persona and the associated DID and DID document that should be used by the owner for interacting with the entity that generated the request is selected.

Abstract: The invention relates to a computer-implemented system and method for service-to-service authentication. The method may comprise deploying the SSA service, deploying a micro service, and providing an SSA client that serves as an interface between the micro service and the SSA service. The micro service can send a request to the SSA service for an authentication token. The SSA service then generates the authentication token for the micro service, which is signed by the SSA service using an SSA service private key. The authentication token can be encrypted so that it is secure when sent by the SSA service to the micro service. The authentication token carries information necessary for the micro service to access a second micro service directly through validation of the authentication token by the second micro service based in part on a private key of the micro service previously generated by the SSA service.

Abstract: This disclosure relates method and system for protecting a computing device from a malware. In one embodiment, the method may include determining a digital trust certificate of a set of computing instructions to be executed by the computing device. The set of computing instructions may form a part of a boot process of the computing device, and may be a firmware, a boot loader, a kernel, a system driver, a start-up file, or an antimalware. The method may further include establishing a chain of trust by validating the digital trust certificate with the computing device. The digital trust certificate may be pre-registered with a local database, accessible by the computing device, by communicating with a centralized certificate authority and policy server. Upon a positive establishment of the chain of trust, the method may further include allowing an execution of the set of computing instructions by the computing device.

Abstract: A communication system for authenticate a second communication device to a first communication device, wherein the communication system comprises a physical connection between a first communication device and a second communication device, where a first message may be transmitted from the first communication device, via the physical connection, to the second communication device.

Abstract: Disclosed is a device and method to secure software update information for authorized entities. In one embodiment, a device for receiving secured software update information from a server, the device includes: a physical uncolonable function (PUF) information generator, comprising a PUF cell array, configured to generate PUF information, wherein the PUF information comprises at least one PUF response output, wherein the at least one PUF response output is used to encrypt the software update information on the server so as to generate encrypted software update information; a first encrypter, configured to encrypt the PUF information from the PUF information generator using one of at least one public key from the server so as to generate encrypted PUF information; and a second encrypter, configured to decrypt the encrypted software update information using one of the at least one PUF response output so as to obtain the software update information.

Abstract: A method for preserving privacy in an HTTP communication between a client and a server includes: intercepting an HTTP request that is sent from the client to the server; extracting a cookie from the HTTP request, the cookie including a cookie name and a cookie value; splitting the cookie value into information segments; and modifying one or more of the information segments based on predefined modification rules.

Abstract: Method, apparatus and computer program product for multi-device user authentication are described herein. For example, the apparatus includes at least one processor and at least one non-transitory memory including program code.

Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Abstract: A display unit displays an image including information which is necessary to share communication parameters for establishing a wireless connection and information about a scheme for establishing a wireless connection, whereby the connection scheme to be performed is shared with a target apparatus, and a wireless connection is established by using the desired connection scheme.

Abstract: Aspects of the disclosure relates to managed access to content and/or services. In certain aspects, tokens or other artifacts can be utilized for authentication and authorization.

Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for blockchain-based cross-entity authentication are provided. One of the methods includes: obtaining an authentication request by a first entity for authenticating a user, wherein the authentication request comprises a decentralized identifier (DID) of the user; in response to determining that the first entity is permitted to access authentication information of the user endorsed by a second entity, generating a blockchain transaction for obtaining an authentication result of the user by the second entity, wherein the authentication result is associated with the DID; and transmitting the blockchain transaction to a blockchain node for adding to a blockchain.

Abstract: An image processing apparatus provided with a biological information sensor receives an authentication request including a verification parameter from a service providing system, transmits the verification parameter to an information processing apparatus provided with an authentication module for biometric authentication, and a tamper-resistant storage device configured to store a user's biological information required when an authentication process is performed by the authentication module and a private key generated with respect to the biological information, transmits the biological information acquired by the biological information sensor using an encryption technique to the information processing apparatus, receives signature data, created using the private key extracted when biometric authentication based on the transmitted biological information has succeeded and the verification parameter, from the information processing apparatus, and transmits the signature data to the service providing system.

Abstract: Examples of the present disclosure describe systems and methods for monitoring the security privileges of a process. In aspects, when a process is created, the corresponding process security token and privilege information is detected and recorded. At subsequent “checkpoints,” the security token is evaluated to determine whether the security token has been replaced, or whether new or unexpected privileges have been granted to the created process. When a modification to the security token is determined, a warning or indication of the modification is generated and the process may be terminated to prevent the use of the modified security token.

Abstract: A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Abstract: An apparatus and associated method are provided for application deployment assessment. In use, a plurality of deployment parameters associated with one or more applications, and a workload profile are received. Further, an application deployment specification is generated, based on the workload profile and the deployment parameters. Still yet, a type of one or more orchestrators on one or more systems is identified. The application deployment specification is processed, based on the identified type of the one or more orchestrators on the one or more systems. Further, the one or more processors execute the instructions to deploy, via an application program interface (API), the one or more applications to the one or more orchestrators on at least one of the one or more systems, and at least one workload generator to at least one of the one or more systems, utilizing the processed application deployment specification. Operational data is collected from one or more monitoring agents on the one or more systems.

Abstract: Methods and apparatuses are described for time-series database user authentication and access control. A server computing device receives a request from a remote computing device to access a time-series database coupled to the server computing device, wherein the request includes one or more authentication credentials associated with the remote computing device. The server computing device validates the one or more authentication credentials associated with the remote computing device. The server computing device connects to an access control layer associated with the time-series database. The access control layer authorizes the remote computing device to access data in the time-series database based upon an access profile associated with the validated authentication credentials. The server computing device retrieves data from the time-series database in response to the request.

Abstract: Certain relationships representing material insights are identified from among a set of discovered relationships. Cognitive discovery of relationships in a knowledge base, or corpus, are ranked according to one or more metrics indicative of material insights, including recentness and degree of alignment.

Abstract: A handshake procedure to establish a first connection between a client and a server is monitored at an intermediate network device. A request message sent to the server from the client is received at the intermediate network device. The request message includes parameters defining a manner of receiving information from the server. The parameters defining the manner of receiving information from the server are modified to produce modified parameters. A redirect message is sent from the intermediate network device to the client to induce or cause the client to establish a second connection with the server based upon the modified parameters, wherein the redirect message contains the modified parameters.

Abstract: Aspects of the disclosure relate to processing systems using improved domain pass-through authentication techniques. A computing platform may send, to an external cloud computing platform, one or more registration requests that each may cause an RLS endpoint corresponding to each of a plurality of resource location connectors to be stored at the external cloud computing host platform. The computing platform may receive one or more requests for a resource location identifier. The computing platform may determine an accessible resource location connector and may send, to the user device, a corresponding resource location identifier. After receiving a pass-through authentication request, the computing platform may receive, from the ticketing service stored on the external cloud computing platform, a one-time ticket. The computing platform may send, to the user device, the one-time ticket, which may allow the user device to perform pass-through authentication with the external cloud computing platform.

Abstract: Systems and methods are provided for managing mobile device updates. In some embodiments, the disclosed systems can include a key provisioning system, a key system, and mobile devices. The key provisioning system can provide keys to the mobile devices and the key system. The key system can receive a key from the key provisioning system, receive a request from an application system, calculate a first token, and provide the first token to the application system for transmission to a mobile device. The mobile device can receive a key from the key provisioning system, establish a local connection with a connected device, receive an application and the first token from the connected device, generate a second token using the application and the key, compare the first token and the second token, and update the mobile device according to the application based on a result of the comparison.

Abstract: Systems and methods for disabling applications on a client device remotely are disclosed. An example method may comprise establishing, via a network interface device, a communication connection with a client computing device, receiving, via the communication connection, a list of applications installed on the client computing device, comparing the received list of applications to a blacklist of applications, identifying, in view of the comparing, an installed application on the received list of applications, the installed application comprised in the blacklist of applications, identifying a severity score corresponding to the installed application and an action corresponding to the severity score, and responsive to the identifying the severity score and the corresponding action, causing, by the processing device, the corresponding action to be performed with respect to the client computing device, the corresponding action pertaining to the installed application.

Abstract: Systems, methods, and devices for securely provisioning a roadside unit (RSU) that includes an application certificate, wherein the RSU is geographically restricted according to the application certificate. An enhanced SCMS system may receive a request for an application certificate for the RSU; determine, in response to the request, an operating geolocation for the RSU; verify that the operating geolocation is within the allowed geo-region for the RSU; generate an application certificate that includes the operating geolocation; and provide the application certificate to the RSU device.

Abstract: Systems and methods are provided for managing mobile device updates. In some embodiments, the disclosed systems can include a key provisioning system, a key system, and mobile devices. The key provisioning system can provide keys to the mobile devices and the key system. The key system can receive a key from the key provisioning system, receive a request from an application system, calculate a first token, and provide the first token to the application system for transmission to a mobile device. The mobile device can receive a key from the key provisioning system, establish a local connection with a connected device, receive an application and the first token from the connected device, generate a second token using the application and the key, compare the first token and the second token, and update the mobile device according to the application based on a result of the comparison.

Abstract: A method for initializing a computerized system by executing a boot-script having an associated private security key, wherein the computerized system comprises a first secure storage device for storing a plurality of public keys each having a public key index assigned thereto and a second secure storage device for storing a current key index, wherein the boot-script is only executed if a public key selected from the plurality of public keys is uniquely related to the private security key such as to form a unique key pair with the private security key and has a booting key index having a predetermined relationship with the current key index.

Abstract: A method for controlling media presentation is disclosed. In some implementations, the method is performed at a first electronic device having one or more processors and memory storing one or more programs for execution by the one or more processors. The first electronic device displays a webpage including a control element, such as a “play” button. The webpage originates from a webpage server. The first electronic device receives a user input, such as a mouse click, selecting the control element. In response to the user input, the first electronic device sends a media control request to a media server. The media control request is configured to cause the media server to control presentation of first media content at a second electronic device associated with the user, wherein the second electronic device is different from the first electronic device, and wherein the media server is different from the webpage server.

Abstract: In some examples, a target device may store a policy that includes one or more conditions. For example, a condition of the policy may specify that each device of the multiple devices have a certificate that was deployed to each device when each device was provisioned. A condition of the policy may specify that each device of the multiple devices be within a predetermined distance (or within a particular distance range) from the target device. A condition of the policy may specify that each device of the plurality of devices have a beacon secret that is periodically broadcast out-of-band by a local beacon. While the conditions of the policy are satisfied, the target device may grant the multiple devices access to the target device. If the target device determines that the conditions of the policy are no longer being satisfied, the target device may deny (or reduce) access.

Abstract: To secure an application, a request to establish a communication session with a client is received from the application, at a server. The server sends the request to establish the communication session to the client. The request to establish the communication session generates a request for a user to approve the application. If the request is approved, a client token is received. A certificate with a public key and a private key is created and the public key is sent to the application. An application token that is encrypted using the public key is received from the application. The application token is unencrypted using the private key and compared to the client token. In response to the unencrypted application token matching the client token, an approval message is sent to the client to establish the communication session. The application can then establish a secure communication session with the client.

Abstract: An apparatus may include a communication interface configured to receive a first message including a first data portion and a second data portion, wherein the first data portion is associated with a security token, wherein the first data portion includes a first instance of a session key, and wherein the second data portion includes a second instance of the session key. The apparatus may also include a security component configured to perform message validation associated with the first message. The apparatus may further include a message generation component configured to generate, if the first message is valid, a second message including the first data portion. The communication interface may be configured to communicate, if the first message is valid, the second message.

Abstract: A system for providing a directory service for generating network presence documents may include a computer processor and memory having instructions stored thereon. These may instruct the processor to parse registration information of a member to obtain a set of keywords. Using the set of keywords, the network maybe searched for information about the member, and registration information may be created based on the information. A trusted network presence document may be generated to include at least a first portion of the registration information as read only content. A link may be created between a profile document and the trusted network presence document. The profile document may include at least a second portion of the registration information as customizable content customizable by the member. The document may then be published on the network.

Abstract: Standard I/O library functions for accessing files stored on mass storage devices are modified to enable access to files stored in firmware volumes. An application can be compiled against the modified standard I/O library functions to generate a pre-boot application. When the pre-boot application is executed within a pre-boot execution environment, it can utilize standard I/O library functions to access files stored in a firmware volume. In response to receiving a request to open a file from a pre-boot application, the called I/O function searches a file cross-reference table to locate the filename for the file. If the filename is in the file cross-reference table, the GUID associated with the filename is retrieved from the file cross-reference table and used to obtain a file handle to the file. The file handle can then be returned to the pre-boot application and used to perform other types of operations on the file.

Abstract: Techniques are disclosed relating to authenticating a user based on a partial password. In one embodiment, a computer system stores masking criteria defining how a mask is to be applied to generated passwords. In some embodiments, the computer system receives a request from a user to generate a one-time password. In response to the request, in some embodiments, the computer system generates the one-time password having a sequence of characters, applies the mask to the generated one-time password to select a subset of the sequence of characters usable to authenticate the user, and presents the selected subset of characters to the user as a partial password for authentication.

Abstract: An information processing apparatus includes a signing unit and first and second obtaining units. The signing unit signs a document by using a certificate used for connecting to an access point. The document is obtained via the access point. The first obtaining unit obtains, in response to an access request to access the signed document, identification information concerning the certificate used for signing the signed document. The second obtaining unit obtains identification information concerning a certificate used for connecting to an access point when the access request is received. The display controller performs control so that the sighed document will be displayed if the identification information obtained by the first obtaining unit and the identification information obtained by the second obtaining unit coincide with each other.

Abstract: Disclosed are systems and methods for securely controlling a vehicle using a mobile device. An exemplary method comprises authenticating, by a mobile device, a user attempting to perform commands controlling one or more vehicle systems of a coupled vehicle, retrieving profile information related to the user's preference associated with the coupled vehicle, establishing a connection between the mobile device and a security device of the coupled vehicle, authenticating the mobile device with the security device, forming, by the mobile device, commands to control the one or more vehicle systems based on command forming algorithms, the one or more vehicle systems comprising actuating devices of the vehicle and electronic systems of the vehicle, modifying the formed commands based on the profile information and safety information related to a location of the vehicle and transmitting the formed commands to the one or more vehicle systems via the security device to securely control the vehicle.

Abstract: There is provided an information providing device which, even when one advertisement display area is shared between a plurality of advertisers, can increase the probability that, for example, a banner advertisement of each advertiser is specified and efficiently display information matching each advertiser. The information providing device is configured to, when a user of a terminal device specifies an advertisement display area, specify a partial area including a position specified in the advertisement display area, and transmit information matching a provider allocated to the partial area to the terminal device.

Abstract: A system performs threat protection for real-time communications (“RTC”). The system receives, by a signaling engine of a gateway, a request of a client according to a protocol, where the request has successfully traversed one or more security devices between the client and the gateway. The system determines, by a protocol handler corresponding to the protocol, whether the request includes a threat. When the request includes the threat, the system indicates the threat to the one or more security devices, and when the request does not include the threat, the system sends the request to an application server at the gateway.

Abstract: The present disclosure relates to systems and methods for facilitating trusted handling of genomic and/or other bioinformatic information. Certain embodiments may facilitate policy-based governance of access to and/or use of bioinformatic information, improved interaction with and/or use of distributed bioinformatic information, parallelization of various processes involving bioinformatic information, and/or reduced user involvement in bioinformatic workflow processes, and/or the like. Further embodiments may provide for memoization processes that may persistently store final and/or intermediate results of computations performed using genomic data for use in connection with future computations.

Abstract: A computer-implemented method for assessing cyber risks using incident-origin information may include (1) receiving a request for a cyber-risk assessment of an entity of interest, (2) using an Internet-address data source that maps identifiers of entities to public Internet addresses of the entities to translate an identifier of the entity into a set of Internet addresses of the entity, (3) using an incident-origin data source that maps externally-detected security incidents to public Internet addresses from which the security incidents originated to translate the set of Internet addresses into a set of security incidents that originated from the entity, and (4) using the set of security incidents to generate the cyber-risk assessment of the entity. Various other methods, systems, and computer-readable media may have similar features.

Abstract: Disclosed are various approaches for validating public keys pinned to services or servers on private networks. A client device can request a first certificate from a trust service. The client device can then validate that the first certificate from the trust service is signed by a preinstalled certificate stored on the client device. Subsequently, the client device can receive a uniform resource locator identifying a network location of an secure sockets layer (SSL) pinning service, wherein the SSL pinning service is configured to provide a hash value for a first public key issued to a computing device. Finally, the client device can receive a second public key from the trust service, wherein the second public key is configured to encrypt network traffic sent to the SSL pinning service.

Abstract: A system stores and manages regulated content items on a non-regulated storage platform. The system creates a representation of a regulated content item representing its content that is subject to one or more regulations. The system provides representation of the regulated content item to the non-regulated storage platform for storage. The representation of the regulated content item is configured to be accessible on the non-regulated storage platform. If the system receives a request to access the regulated content item using the representation of the regulated content item, the system retrieves the regulated content item from the non-regulated storage platform to fulfill the request.

Abstract: Embodiments of this application provide an identity information processing method, a database control system, a service capability exposure function, and a home subscriber server, so as to dynamically establish a correspondence between external identity information and intra-network identity information, thereby simplifying an operation process of establishing the correspondence. In this way, the correspondence between the external identity information and the intra-network identity information is dynamically established, so as to reduce correspondence establishment complexity.

Abstract: Computer-implemented systems and methods for user authentication based on blockchain technology. The authentication may comprise operations including receiving, from a user system, an authentication request for a user. The operations may also include determining a root system for the user using a blockchain, and redirecting a member system to the root system. The operations may include receiving, following redirection, a verification message indicating that the root system successfully authenticated the user, and including an authorization code for receiving, from the root system, a root system secret. The operations may include receiving from a database, identification data using the root system secret. Determining the root system may comprise identifying, using the authentication request and index information stored in the blockchain, a block of the blockchain storing root system information for the user. Receiving the identification data may comprise retrieving identification data from the database.

Abstract: Embodiments authenticate a user in response to receiving from a Kerberos key distribution center (“KDC”) a request to authenticate the user that includes a user identification (“ID”). Embodiments retrieve a user record corresponding to the user ID, the user record including a principal key. Embodiments decrypt the principal key using a tenant-specific encryption key and encrypt the decrypted principal key using a Kerberos master key to generate an encrypted principal key. Embodiments retrieve a password policy corresponding to the user ID. Based on the retrieved password policies, embodiments construct password state attributes and return to the KDC the encrypted principal key, the password policy and the password state attributes.

Abstract: In some implementations, a device may detect loading of a first web page associated with a domain, and may create an inline frame element that references a second web page associated with the domain. The second web page may require an authenticated user session to access particular content of the second web page. The device may insert the inline frame element into code for the first web page, and may transmit a request for the second web page based on inserting the inline frame element into the code for the first web page. The device may receive a response to the request for the second web page, and may determine whether there is an authenticated user session for the domain based on the response. The device may selectively perform an action based on determining whether there is an authenticated user session for the domain.