Abstract: Filesystem driver software can receive a file access request indicating that an application process is requesting to access a target file in a filesystem, Network filter driver software can receive a connection establishment request indicating that the application process running on the processing apparatus is requesting to establish a connection over a network with a target endpoint. According to the present disclosure, one or both of: a) the filesystem driver software is configured to grant or deny the file access request in dependence on state information from the network filter driver software, and/or b) the network filter driver software is configured to grant or deny the connection establishment request in dependence on state information from the filesystem driver software.

Abstract: A data storage device includes: a housing integrating a control logic, a data protection logic, and a non-volatile storage; and a network interface connector integrated to the housing and is configured to be directly inserted into a network switch. The control logic is configured to store a vehicle data including a video stream in the non-volatile storage. The video stream is received from a video camera that is connected to the network switch. The data protection logic is configured to detect a vehicle event and change an operating mode of the data storage device to a read-only mode prohibiting the vehicle data stored in the non-volatile storage from being erased or tampered.

Abstract: The present disclosure belongs to an identity authentication technology in network security field, and relates to a lightweight identity authentication method. The method utilizes lightweight operations of the physical unclonable function, Hash operation, XOR operation, etc.

Abstract: Systems and methods are provided for generating and managing dynamic customized electronic tokens for electronic device interactions. A system for transferring data between a user device associated with a user and a remote device may include a memory storing instructions and a processor configured to execute the stored instructions. The stored instructions may configure the processor to receive, via a network, transaction information from the remote device, access information associated with an electronic token, and provide the electronic token to the remote device. The electronic token may be associated with at least one of the user or the user device, and a token server may generate the electronic token based on the received transaction information, and determine one or more expiration parameters for the electronic token.

Abstract: Disclosed are systems and techniques for detecting user presence, user motion, and for performing facial authentication. For instance, a wireless device can receive a waveform that is a reflection of a transmitted radio frequency (RF) waveform. Based on RF sensing data associated with the received waveform, the wireless device can determine a presence of a user. In response to determining the presence of the user, the wireless device can initiate facial authentication of the user.

Abstract: A method controls access to at least one confidential data access to which by a function of a watch requires an identification of its wearer. The method includes authenticating the wearer of the watch to authorise access to the functions of this watch, selecting one of the functions of the watch requiring the use of at least one of the confidential or general data archived in the memory element, determining the category to which the at least one data required by the function belongs, verifying the identity of the wearer of the watch from at least one biometric information element comprised within a portion of the skin of this wearer when the at least one data is the confidential data, and authorizing use of the at least one confidential data by the function as soon as the identity of the wearer of the watch is verified.

Abstract: The present application discloses a method, system, and computer system for managing data using keys. The method includes receiving a request to access data, wherein the data is encrypted based on a tenant service encryption key (TSEK) corresponding to the tenant database, determining a wrapper key used in connection with encrypting the TSEK based on a TSEK metadata, determining a top-level key used in connection with encrypting the wrapper key based on wrapper key metadata stored in association with the encrypted version of the wrapper key, obtaining the data stored within the tenant database, comprising decrypting at least part of the data based on (i) the TSEK, (ii) the wrapper key, and (iii) the top-level key, and providing the data in response to the request. The TSEK metadata is stored in the tenant database. An encrypted version of the wrapper key is stored in a key management service.

Abstract: Systems, devices, and methods are provided for implementing a cloud-based mainframe service. A cloud-based mainframe service may utilize various resources, including an operating system that is provisioned with an authorization interceptor that uses a first set of security policies stored in a policy database to determine whether to grant or deny access to resources managed by the operating system. The authorization interceptor may use the security policies of the policy database to determine whether to grant access to operating system resources. A database management system may use a second set of security policies stored in the policy database to determine whether to grant or deny access to resources managed by the database system. Security policies for a mainframe service may be centrally stored in a policy database managed by a policy management service.

Abstract: Systems, devices, and methods are provided for authorizing access to operating system resources using security policies managed by a service external to the operating system. An operating system may be provisioned with a kernel-mode component that intercepts system calls from applications, determines a request context for the system call, and sends a request to an external policy management service. The policy management service may be used to perform a policy evaluation to determine whether to grant access to operating system resources. In some cases, policies are cached by the operating system. In various examples, the operating system and policy management service are both hosted on resources managed by a computing resource service provider on behalf of a customer to run mainframe workloads.

Abstract: A method and system for file content protection and policy-based access control in a networked environment are provided. It includes an endpoint module which runs on endpoint devices and a key store module which runs on key stores servers. The endpoint computing device where files are created and used generates a content encryption key and unique file identifier (UFI), which are different for each file. The file is encrypted with the content key and attaches the UFI to the encrypted file to create a protected file. The coupled UFI and content key are sent to the key store servers to be stored. To accesses the protected file, end point module reads the UFI and sends it to the key store which responses with the permission as the outcome of evaluation of associated policies and the content key if permission is granted so the file can be decrypted.

Abstract: Techniques for enhancing security for thin client devices in hybrid edge cloud systems are described. In accordance with various embodiments, the hybrid system includes a cloud computing platform (e.g., the cloud) and an edge device (e.g., the edge). The cloud extracts key(s) for authentication and session establishment. The cloud also utilizes the key(s) to establish a session between the edge and a client device. The cloud additionally authorizes a content request from the client device for a media content item over the session and extracts a content key upon successful authorization. The edge caches the key(s), obtains the content key at the time of receiving the content request from the client device and transmits the content key and the key(s) with the media content item to the client device.

Abstract: A security server to validate identity data of computing devices having secure memory devices and track activities of components in the computing devices. The server system is configured to store data representative of a unique device secret sealed in the memory device. The server system can generate a first cryptographic key independently from the memory device generating a second cryptographic key. The memory device uses the second cryptographic key to generate identity data including a message and a verification code generated via cryptographic operations combining the message and the second cryptographic key. The server system can use the first cryptographic key to determine whether the verification code is valid for the message. If so, the security server can generate an activity record associating the activity of the computing device with identifications of respective components of the computing device confirmed via validation of the identity data.

Abstract: A computer-implemented method is disclosed. The method includes: receiving, via a computing device in a locked state, input of a first PIN; determining that the first PIN is associated with a first cryptographic key that is stored in a memory; responsive to determining that the first PIN is associated with the first cryptographic key, retrieving, from the memory, an encrypted form of a first credential that is associated with the first cryptographic key; recovering the first credential from the encrypted form using the first cryptographic key; and causing the computing device to be unlocked using the recovered first credential.

Abstract: A method and electronic device for configuring a PUF, wherein: PUF cells are configured to use a signal path; determining a winner of racing pairs of PUF cells in a first round and in a second round wherein winners of the first round are raced; the first and second round are repeated for different signal paths; determining, for each signal path, a comparison metric, wherein the comparison metric is based on the count of the outputs of the PUF cells having the signal path in common; determining an optimum signal path for the PUF from the respective comparison metrics; and configuring the PUF to use the optimum signal path.

Abstract: The present disclosure relates to utilizing a dynamic visual elements system to improve operations and interfaces of client applications by detecting when user accounts associated with tokenized or alternative account information are provided for user accounts, generating dynamic visual elements based on the tokenized account information, and intelligently integrating the dynamic visual elements into one or more user interfaces associated with fillable forms. In some implementations, the dynamic visual elements system generates and integrates selectable visual elements and/or visual overlay elements into user interfaces with respect to tokenized user account information in a manner that reduces visual clutter as well as eliminates user confusion regarding tokenized user accounts and their relationship to regular user accounts.

Abstract: Certain embodiments disclosed herein provide attestation for a transient version of an application while reusing the attestation and the cryptographic key on which the attestation is based for the full version of the application should the user obtain the full version of the application prior to the transient version being deleted. As an example, a computing device can detect an upgrade event corresponding to replacing an application clip with the full version of the application, and associate the cryptographic key already stored in a key database with the full version of the application. Associating the existing key with the full version of the application enables the full application to automatically take over the attestation previously provided for the application clip, saving time and resources that would otherwise be used for establishing a new attestation for the full version of the application.

Abstract: According to examples, a host device may be instructed to pre-spawn a number of first host processes and a number of second host processes, in which the number of first host processes and the number of second host processes are defined in a first scaling constraint and are each greater than or equal to one. The host device may pre-spawn the second host processes in one or more computing nodes through identification of a host process of the first host processes that is unbound from a client session, termination of the identified host process, and pre-spawning of a second host process that provides a second version of the service based on the termination. The host device may also decrease the number of first host processes and increase the number of second host processes in the one or more computing nodes as defined in a second scaling constraint.

Abstract: A method of authenticating a user via a galvanic skin response on electric computing device is described. The method includes receiving a request for user authentication from a second electronic computing device. The electronic computing device measures a change in the galvanic skin response associated with the user, and the change in the galvanic skin response is indicative of the user creating a physical connection between the electronic computing device and the second electronic computing device. The electronic computing device compares the galvanic skin response to a threshold skin conductance level. When the comparison of the galvanic skin response indicates, an authentication confirmation is sent to the second electronic computing device.

Abstract: A batteryless device is disclosed. According to certain embodiments, the batteryless device may include a first communication system and a second communication system, the second communication system being a near-field-communication (NFC) system. The batteryless device may also include a power receiver coupled to the first communication system and configured to wirelessly receive power from an external device for powering the first communication system. The batteryless device may further include a controller configured to: when the first communication system is powered, establish, via the first communication system, a first wireless connection with a user device; receive, through the first wireless communication, a token from the user device; establish, via the second communication system, a second wireless connection with a terminal; and transmit, through the second wireless connection, the token to the terminal.

Abstract: A permissions management system and a method for managing permissions in a multiplatform environment. A centralized permissions management system is communicably coupled to a gateway service that receives API calls and requests for content from edge devices, such as user devices. The gateway forwards permissions requests to the centralized permissions management system that determines whether a given user identifier is permitted to access content referenced by a given content identifier. In response, the centralized permissions management system returns an authorization response that, in turn, is forwarded to an identified or determined platform which, in response, can serve content and/or service an API call.

Abstract: Examples of detecting whether a device meets an enrollment level are disclosed. In one case, a method for providing access to an application on a client device includes receiving a request to access an application from the client device, determining an enrollment level associated with the application, and determining that multi-factor authentication is required for access to the application on the client device based on the enrollment level associated with the application. The method can also include initiating multi-factor authentication on the client device before access to the application is permitted. The method can also include determining that multi-factor authentication is successful on the client device, transmitting a management component to the client device, and installing the management component on the client device for enrollment as a managed device with a management service.

Abstract: In a method of controlling account user access to transaction information for a joint account, a set of control criteria is stored in a control database. Information for a new transaction is received and stored in a transaction information database. An information limitation request to prevent access to the transaction information by a second account user for a withholding time interval is received from a first account user. An access limitation record including identification of the second account user and the withholding time interval is stored in the information control database. Upon receiving from a second account user a request for account information including the transaction information, a determination may be made as to whether the transaction information should be withheld from the second account user. Responsive to a determination that the transaction information should be withheld, a response excluding the transaction information is transmitted to the second user device.

Abstract: Devices and methods for backing up digital data on storage devices which are automatically selected on an individual basis for digital connection, data exchange and data storage on a scheduled basis and each kept digitally disconnected when not selected and connected for backup data transfer and storage. Devices and methods which backup data on one of a number of an offline storage devices by connecting a selected storage device, backup data onto an offline storage device and then disconnecting the offline storage device, in order to isolate the backed-up data and optionally allow a different storage device to be used for the next back up event.

Abstract: An apparatus and method for transmitting and receiving information related to multimedia data in a hybrid network and a structure thereof are provided. The transmission method includes generating transmission characteristic information about the media data, and transmitting the transmission characteristic information. The transmission characteristic information includes valid range information about the transmission characteristic information.

Abstract: An application for dynamic, granular access permissions can include a database interface, a user interface, a login process, an administrator, an event handler and an authorization process. The database interface can be an interface to an access control permissions database that stores roles, actions, or policies for users of the application. The login process can authenticate a user and determine a default set of access control permissions for that user when they are using the user interface. The administrator can provide access control permissions for a user by using the database interface. The event handler can dynamically modify access to functionality in the user interface based on an event. The authorization process can determine whether a request from the user interface is authorized before process the request. The authorization process can use access control permissions from the administrator and either a scope limited or a temporally limited access permission.

Abstract: A social networking system performs account recovery for a user with the help of the user's connections (e.g., friends). The social networking system selects connections of the user based on information indicating likelihood of real-world interactions between the user and the selected connections. Access codes are sent to the selected connections and the user instructed to obtain access codes from the selected connections via a communication that is outside the social networking system, for example, via phone. The user provides the access codes obtained from the selected connections to the social networking system. If the access codes provided by the user match the access codes sent to the selected connections, the user is granted access to the account. Real-world interactions between two users are determined based on sharing of devices between the users or information indicating presence of the users in the same place during same time interval.

Abstract: A system for authentication for a user device associated with a user, said system comprising: a processing system to generate a first user interface running on a screen of said user device, said first user interface comprising one or more components, wherein said one or more components comprises a first icon, which when activated, directs a user to a second user interface to select a secret pattern, a second icon, which when activated, generates a current randomly populated keyboard, further wherein said processing system provides a current Personal Identification Number (PIN) to said user by correlating said secret pattern with the current randomly populated keyboard, and a regular keyboard for said user to enter a PIN for authentication.

Abstract: A data storage device includes: a housing integrating a control logic, a data protection logic, and a non-volatile storage; and a network interface connector integrated to the housing and is configured to be directly inserted into a network switch. The control logic is configured to store a vehicle data including a video stream in the non-volatile storage. The video stream is received from a video camera that is connected to the network switch. The data protection logic is configured to detect a vehicle event and change an operating mode of the data storage device to a read-only mode prohibiting the vehicle data stored in the non-volatile storage from being erased or tampered.

Abstract: A system and method for allowing a plurality of consumers or users to be individually authenticated in a Virtual Reality (VR) environment conducted throughout a VR session accessing a gaming server that dispenses outcomes. The consumer authentications are made possible through the VR device, thereby authorizing continued access to controlled or restricted VR environments.

Abstract: Enhanced techniques for communicating with an integrated circuit chip card are disclosed. An integrated circuit chip card may include a processor, a memory storing a plurality applications executable by the processor, an input/output (I/O) interface, and a network interface coupled to the (I/O) interface. The network interface may implement a plurality of logical ports, and the network interface can be configurable to select between multiple communication protocols to communicate with an external device in a socket communication mode. The network interface can be configured to establish a plurality of communication channels between the external device the integrated circuit chip card using the plurality of logical ports, and each of the communication channels may support communication with one of the plurality of applications.

Abstract: A system, apparatus, method, and machine-readable medium are described for fast authentication. For example, one embodiment of a system comprises: a local challenge generator of a client apparatus to generate a challenge on a client device using a derivation function; an authentication engine of the client apparatus to generate a challenge response as defined by a specified challenge-response protocol; the authentication engine to transmit the challenge response to a server, and the server to validate the challenge response, at least in part, by determining whether the challenge was generated within a specified time window.

Abstract: Systems and methods including notification techniques for sharing information related to detected dialogs on secondary computing devices associated with a user are provided. For example, a system can include a user interface (UI) monitor on a first client computing device configured to detect a dialog and send an indication of the dialog to a workspace backend. The workspace backend can facilitate communication between the first client computing device and one or more secondary computing devices associated with the user such that the user receives notifications of dialogs displayed on the first client computing device on the one or more secondary computing devices. The user has the option of responding to the dialog on a secondary computing device, and the workspace backend facilitates transmission of the user response on the secondary computing device back to the first client computing device.

Abstract: Systems, devices, and methods for secure data management and transfer for secure data transactions are provided. For example, disclosed herein are secure & tamper resistant smart cards configured to immutably store data and securely exchange at least a portion of the data via, for example, wireless networks and/or peer-to-peer networks. The smart cards comprise a plurality of dedicated hardware circuit blocks electrically coupled via a bus interconnection, the plurality of dedicated hardware circuit blocks configured to authenticate users, verify trust amongst the smart card and external devices, and encrypt sensitive data for secure transmission.

Abstract: A system for granting access to an account at an access device includes a computer server having a hardware processor and a memory storing a software code. The hardware processor executes the software code to receive a login request from the access device through a first communications socket, open a second communications socket between the access device and the computer server, transmit a verification request message including a required call-to-action to a verification device through a third communications socket, and receive a verification response message verifying that the required call-to-action has been completed at the verification device. Upon receiving the verification response message, the software code sends an access token for accessing the account to the access device through the second communications socket, receives the access token from the access device, and grants the access device access to the account.

Abstract: There are provided systems and methods for biometric authentication during voice data transfers. A user may initiate voice communications with a service provider endpoint that provides automated services to the user through the voice or audio communications, such as an interactive voice response (IVR) system where a user may navigate menus through audio commands. The user may by required to authenticate their identity during the phone call or other voice data transfer, which may be done by entering a biometric, such as a fingerprint. The biometric may be converted to biometric feature data and provided to one or more token service providers. The token service providers may provide one or more tokens for the biometric, which may be used as the authentication token. This token may then be transmitted to the IVR system through the user's endpoint using a dialer feature of the endpoint.

Abstract: A robot for data logging is described as a module of a portable data transfer system for use in physically transferring very big amounts of data in secure, fast and cheap way. The data logger logs and optionally analyzes sensory and operation data by statistically correlating and combining data, events, and control data from a variety of system modules, user actions, and sensors used to track system transit, handling, operation, and events. The data logger allows forensic analysis and comparison against a mission description to identify system location, transit path, mishandling, tampering, security breaches and problems arising from environmental conditions, design problems, etc. As a result, persons or events causing problems can be identified, retrained, and rectified, and system debugging can solve problems with error in hardware and software.

Abstract: The invention relates to blockchain technologies such as the Bitcoin blockchain. The invention uses a novel technique to decompose the functionality of a blockchain transaction script into several chunks or functional parts, and to use the output of a chunk as the input of the next chunk. Advantageously, this allows the blockchain to be used for ever complex tasks and computations while minimising script size, and also provides a novel architecture for the distributed execution of computational processes.

Abstract: A method of managing a non-volatile memory includes during a data writing process, selecting, by a program triggering the data writing process, an error detection and correction code from among two codes depending on a type of information being written. The information is written into the non-volatile memory, where the information is associated with the selected error detection and correction code.

Abstract: Application-manager software authenticates a user of a client device over a channel. The authentication operation is performed using a directory service. The application-manager software presents a plurality of applications in a GUI displayed by the client device. The plurality of applications depends on the authentication, the client device, and the channel. And the plurality of applications includes a thin application and a software-as-a-service (SaaS) application. The application-manager software receives a selection as to an application from the user. If the selection is for the SaaS application, the application-manager software provisions the SaaS application. The provision includes automatically logging the user onto an account with a provider of the SaaS application using a single sign-on and connecting the user to the account so that the user can interact with the SaaS application. If the selection is for the thin application, the application manager software launches the thin application.

Abstract: Location-based validation of a wireless authentication device. A request is received by a security hardware computing device for an action requiring authentication in connection with security hardware. A security hardware location is received or accessed. A wireless authentication device location of a wireless authentication device in possession of a requester is received by security hardware computing device. The security hardware computing device receives a mobile device location for a mobile device in possession of the requester. The security hardware computing device determines whether the security hardware location, the mobile device location, and the wireless authentication device location are in a proximity. The security hardware computing device performs the action requiring authentication in connection with the security hardware.

Abstract: Provided is an unobtrusive client verification system with one verification devices having processors that are configured to receive a first request from an unverified client device, generate a random number in response to receiving the first request from the unverified client device, define a set of expressions as a browser challenge problem that evaluates to an answer specified by the random number, encrypt the answer within an answer token, provide the browser challenge problem with the answer token to the unverified client device, receive a second request with a solution to the browser challenge problem and the answer token from the unverified client device, and verify the unverified client device in response to the solution matching the answer that is decrypted from the answer token provided with the second request.

Abstract: In some examples, an embedded controller of a computing device may detect, when the computing device is in a low-power state, that a smartcard has been connected to a port of the computing device or that data has been received from an input device (e.g., keyboard or biometric input device) connected to the computing device. For the smartcard, the embedded controller may use a card driver to read data stored on the smartcard. The embedded controller may compute a hash value based on the data read from the smartcard or received from the input device. If the hash value matches a previously stored hash value, then the embedded controller may initiate a boot-up process of the computing device. If the hash value does not match the previously stored hash value, then the embedded controller may cause the computing device to remain in the low-power state.

Abstract: Disclosed are various approaches for facilitating single sign-on (SSO) for third-party services that are accessible through messages (e.g., email) received by a user. A user can receive a message that includes an embedded URL or link that opens in a third-party service that requires authentication. Instead of requiring the user to enter authentication credentials for accessing the third-party service, a tunnel service can be used to intercept requests for authentication and redirect the requests to an identity manager that can issue a SSO token following an authentication of the user and device. Upon supplying the third-party service with the SSO token, the user can access the content associated with the third-party service without entering authentication credentials.

Abstract: Providing authorization and authentication in a cloud for a user of a storage array includes: receiving, by a storage array access module from a client-side array services module, a token representing authentication of user credentials and authorized access privileges defining one or more storage array services accessible by the user, where the token is generated by a cloud-based security module upon authentication of the user credentials and identification of authorized access privileges for the user; receiving, by the storage array access module from the user, a user access request to one or more storage array services; and determining, by the storage array access module, whether to grant the user access request in dependence upon the authorized access privileges represented by the token.

Abstract: Improved systems and methods of authenticating a user using a mobile device to access a secure electronic portal are provided. A user may be enabled to quickly and securely log onto a website or other electronic portal using a handheld electronic device. In certain embodiments, multifactor authentication is utilized to improve the security of the authentication process.

Abstract: A device diagnostic web system that diagnoses a device locally connected to an information processing apparatus. In order to confirm whether or not access by the browser is to be permitted by connecting the device to the information processing apparatus via a local connection such as USB or Bluetooth, and executing a device diagnostic web application by a browser installed on this information processing apparatus, a confirmation screen for prompting a user to perform an operation of the information processing apparatus is displayed on the information processing apparatus, if the user permits the access, the device is communicatively connected to the browser to access the device and predetermined device information is acquired and diagnostic information is generated by using the acquired device information.

Abstract: A physical card has a body with dynamic region(s) configured to appear opaque for human viewing in a first phase and translucent for human viewing in a second phase. The card also has a computer readable chip, a power supply configured to power the one or more dynamic regions, a communication device, one or more processors, and memory storing instructions that, when executed, are configured to cause the card to perform a method. The card may receive an authorization signal from a recognized user device associated with a cardholder, direct dynamic region(s) to transition from being opaque in the first phase to being translucent in the second phase, and direct the dynamic region(s) to transition from being translucent in the second phase to being opaque in the first phase upon hitting a predetermined time threshold in the second phase.

Abstract: According to examples, a method for upgrading a version of a service across a plurality of computing nodes may include instructing a host device to pre-spawn a number of first host processes configured to provide a first version of the service in the computing nodes and to pre-spawn a number of second host processes configured to provide a second version of the service according to a first scaling constraint in the computing nodes. The method may also include, in response to receiving an indication that each of the second host processes is operating properly in the computing nodes, instructing the host device to decrease the number of first host processes and to increase the number of second host processes in the computing nodes as defined in a second scaling constraint.

Abstract: Backup data equivalent to the maximum number of generations to be held can be secured even when backup data is locked. When locking of prohibiting overwrite of one or more storage areas is performed, a backup server prepares a new backup management table and uses the backup management table and an archive management table, which is the past backup management table, to store the backup data equivalent to the maximum number of generations to be held into a storage system.

Abstract: A system and method for monitoring vehicle performance and updating engine control parameters, which provides a solution to the problem of tuning engine control parameters for a vehicle. The core components of the invention are an engine controller coupled to an interface device which communicates with a remote device. Generally speaking, the components are configured as follows: the engine controller receives signals from various sensors in a vehicle and the engine controller controls the engine based on engine control parameters and the signals from the sensors. The interface device monitors the engine control and sensor signals and transmits information to the remote device. The remote device receives the information and sends back updated engine control parameters. The interface device receives the updated engine control parameters and communicates with the engine controller to update the engine control parameters using the updated engine control parameters.