Abstract: Methods and apparatus to support scheduled access control for an electronic lock are described herein. An initiating central wireless device obtains an ephemeral identity resolving key (IRK) to use in resolving an ephemeral resolvable private address (RPA) of a peripheral wireless device. The initiating central wireless device can subsequently connect securely to the peripheral wireless device in order to unlock an electronic lock controlled by the peripheral wireless device to gain access during a scheduled time period. The ephemeral IRK and ephemeral RPA can be used for a limited period of time and/or for a predetermined number of usages during the scheduled time period.

Abstract: Embodiments of the present invention provide a system for executing audio cryptology in real-time for audio misappropriation prevention. The system is configured for identifying, via a cryptographic device, one or more audio signals, causing the cryptographic device to generate and emit a dynamically varying continuous audio tone, continuously monitoring in real-time the one or more audio signals, via the cryptographic device, determining, via the cryptographic device, termination of the one or more audio signals based on continuously monitoring the one or more audio signals in real-time, and causing the cryptographic device to stop generating and emitting the dynamically varying continuous audio tone.

Abstract: The present disclosure relates to authentication methods supported by the User Equipment (UE) to the core network and authentication method (selected by the core network) to the UE. These can be used for negotiating any primary or secondary (or any) authentication method and are applicable when multiple authentication methods are supported at the UE and the network (authentication server). Further, the present disclosure also offers security solution to prevent modification or tampering of the parameters in the mechanisms in order to prevent attacks such as bidding-down, Denial of Service (DoS) and Man-In-The-Middle (MITM).

Abstract: Systems and methods are provided for use in appending log entries to a data structure. One exemplary method includes receiving, at a communication device, a log entry from a terminal and signing the log entry with a private key of a key pair specific to the communication device. The method also includes transmitting the signed log entry to an identity provider (IDP) and receiving, by the communication device, from the IDP, a signed, encrypted log entry. The method further includes verifying, by the communication device, a signature of the signed, encrypted log entry based on a public key associated with a key pair specific to the IDP and then appending the encrypted log entry to a digital identity included in the communication device.

Abstract: A network node configured to perform a process that includes receiving a PDU Session Establishment Request message for establishing a PDU session, wherein the PDU Session Establishment Request message was transmitted by a UE and includes a PDU session ID. The process also includes communicating a Session Management (SM) Request comprising the PDU Session Establishment Request to an SMF. The process also includes receiving from the SMF a message that includes: i) the PDU Session ID identifying the PDU session, ii) a PDU Session Establishment Accept message, and iii) a user plane (UP) security policy for the PDU session, wherein the UP security policy for the PDU session indicates: i) whether UP confidentiality protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session, and/or ii) whether UP integrity protection shall be activated or not for all data radio bearers (DRBs) belonging to the PDU session.

Abstract: Techniques, methods and/or apparatuses are disclosed that enable of cyber risks on assets of networks to be evaluated in presence of security controls on the assets. In this way, effect of security controls already in place may be quantified. A novel scoring technique is presented. Also, use of causal inference is in the context of security risk assessment is described.

Abstract: Disclosed are a control method, a node and a computer storage medium. The method may include: sending instruction information to a second node when a data bearer for a User Equipment (UE) is established, wherein the instruction information is used for turning on or off the control on a data replication function of the UE by the second node.

Abstract: A vehicle control method applied to a smart car key includes receiving a connection request sent by a mobile terminal, establishing a communication connection with the mobile terminal in response to the connection request, receiving identity information and authorization request information sent by the mobile terminal, determining whether the identity information is correct, and in response that the identity information is correct, sending pairing information to the mobile terminal in response to the authorization request information and sending the identity information to a vehicle to be controlled. The mobile terminal controls the vehicle through the pairing information and the identity information to perform at least one operation.

Abstract: [Problem] Provided is an authorization system capable of reducing a load on a host regarding an invitation procedure in a case where there is a large number of guests or guests are frequently invited, and preventing identity theft or invitation of an unwanted third party.

Abstract: The technology disclosed herein enables a computing device to use a trusted execution environment in an untrusted mobile device to distribute protected content to computing devices at different locations. An example method may include: establishing, by a processor of a mobile device, a trusted execution environment in the mobile device, wherein the trusted execution environment uses memory encryption; loading data of a computing device into the trusted execution environment in the mobile device, wherein the data comprises protected content and comprises executable code to control access to the protected content; receiving, by the mobile device, authentication data from a set of computing devices; and executing, by the mobile device, the executable code in the trusted execution environment to analyze the authentication data and to provide one or more of the computing devices of the set with access to the protected content.

Abstract: The invention provides a method for managing access to a network resource on a network from a mobile device, the method including the steps of intercepting a data stream from the mobile device attempting to access the network resource, extracting information from the intercepted data stream relating to at least one of the mobile device or a user of the mobile device, accessing at least one of enterprise service based information and third party information regarding at least one of the mobile device or the user of the mobile device, determining whether the mobile device is authorized to access the network resource, preparing an access decision that specifies whether the mobile device is authorized to access the network resource, and storing the access decision in a database on the network.

Abstract: A server can receive a device public key and forward the device public key to a key server. The key server can perform a first elliptic curve Diffie-Hellman (ECDH) key exchange using the device public key and a network private key to derive a secret X1. The key server can send the secret X1 to the server. The server can derive an ECC PKI key pair and send to the device the server public key. The server can conduct a second ECDH key exchange using the derived server secret key and the device public key to derive a secret X2. The server can perform an ECC point addition using the secret X1 and secret X2 to derive a secret X3. The device can derive the secret X3 using (i) the server public key, a network public key, and the device private key and (ii) a third ECDH key exchange.

Abstract: Disclosed herein are embodiments providing coordinated privacy for targeted communications and reporting. In particular, the embodiments provide a source user querying an information system to generally identify target users for a communication campaign. A privacy controller alters a first dataset of a query response by a first alteration quantity for transmission to the source user. The source user then generally identifies target users within the first dataset for development of a communication campaign of targeted communications directed to the target users. Subsequently, a reporting system generates a report with a second dataset detailing viewership by target users. The privacy controller alters a second dataset of a report by a second alteration quantity for transmission to the source user. The second alteration quantity is based on the first alteration quantity.

Abstract: An access point (AP) multi-link device (MLD) and a non-AP station (STA) MLD perform a fast initial link setup (FILS) procedure to establish wireless communications over a plurality of links. The AP MLD and the non-AP STA MLD communicate over one or more links of the plurality of links upon completion of the FILS procedure with a FILS Discovery frame transmitted in the FILS procedure indicating whether a service set identifier (SSID) of the AP MLD is different from a SSID of an AP of a plurality of APs in the AP MLD transmitting the FILS Discovery frame.

Abstract: A method for fetching a content from a web server to a client device is disclosed, using tunnel devices serving as intermediate devices. The client device accesses an acceleration server to receive a list of available tunnel devices. The requested content is partitioned into slices, and the client device sends a request for the slices to the available tunnel devices. The tunnel devices in turn fetch the slices from the data server, and send the slices to the client device, where the content is reconstructed from the received slices. A client device may also serve as a tunnel device, serving as an intermediate device to other client devices. Similarly, a tunnel device may also serve as a client device for fetching content from a data server. The selection of tunnel devices to be used by a client device may be in the acceleration server, in the client device, or in both.

Abstract: A method of digital radio communication between a first device and a second device is disclosed. An advertising packet is transmitted between first and second devices, wherein the packet includes a first address and a data portion. Additionally, an encryption key is transmitted between the devices. The first device generates a second address by encrypting an identity value derived from part of the first address using the encryption key and the data portion. The result is encrypted to generate second portion of the second address. The first device then transmits a connection request including the second address. The second device decrypts the second portion and uses the encryption key to determine correspondence with the first portion. If said correspondence is determined, the second device decrypts the first portion using at least the encryption key and compares it to an expected identity value derived from the first address.

Abstract: Embodiments of the present disclosure relate to systems and methods for monitoring and verifying latency on TSN-configured networks. The disclosure describes a novel and inventive time capture location protocol that supplements existing TSN protocols. This supplemental TSN protocol details a way to capture the time at which a message arrives at various points in a TSN-configured network. The captured times allow for monitoring and verification of TSN based features and their underlying systems, including run-time diagnostics to detect problems and delays.

Abstract: A wireless communication device includes a processor and a memory configured to store a program for establishing a wireless connection with a terminal device. The processor establishes, in accordance with the program stored in the memory, the wireless connection with the terminal device upon request for the wireless connection from one of the wireless communication device and the terminal device. Upon establishment of the wireless connection with the terminal device, the processor queries the terminal device with which the wireless connection is established to check a state of an application program for causing the wireless communication device to execute a specific function. The processor maintains or cuts off the wireless connection with the terminal device based on a state of a response of the terminal device with respect to the query.

Abstract: The described technology is generally directed towards caching session state data on a client device, so that services called by the client device and other services can use the session state data without having to recollect such information from a server or servers that maintain the ground truth values for the session state data. The session state data can be divided into payload datasets based on domains or the like, so that only a relevant part of the session state data need be attached to a given communication, and/or updated when a session variable changes in some way. A payload dataset can be encoded or encrypted so that a service can verify the integrity of the payload dataset before using it, such as for service-to-service communication.

Abstract: A session configuration method and a session configuration apparatus are disclosed. According to the session configuration method, a terminal device sends, to a session management network element, a session establishment request used to request to establish a first session. After receiving the session establishment request, the session management network element sends redundant transmission security information to an access network device. After receiving the redundant transmission security information, the access network device sends the redundant transmission security information to the terminal device. The redundant transmission security information is used to indicate security keys and security policies of the first session and a second session that need to be established by the terminal device. The second session is a redundant session of the first session.

Abstract: A network node operates a Session Management Function (SMF) in a control plane of a core network of a wireless network. The network node authenticates a User Equipment (UE) with an Extensible Authentication Protocol (EAP) server in a secondary authentication process that uses the SMF as an EAP authenticator. The EAP server is outside of the core network and the UE is separately authenticated with a further network node in the control plane of the core network via a primary authentication process. Authenticating the UE in the secondary authentication process comprises exchanging EAP messages between the SMF and the UE and between the SMF and the EAP server. The SMF authorizes a data session between the UE and the external network through a user plane of the core network based on the UE having successfully authenticated via both the primary authentication process and the secondary authentication process.

Abstract: An initiator device can broadcast a witness request to one or more authentication devices. The one or more authentication devices can then determine an assurance level from a range of assurance levels and determine a token share corresponding to the assurance level. The initiator device can then receive, from the one or more authentication devices, at least one witness response comprising the token share corresponding to the assurance level. The initiator device can generate an authentication token using a set of token shares. The initiator device can then transmit the authentication token to an authentication server, wherein the authentication server verifies the authentication token.

Abstract: Systems and methods for backing up data are provided. Data objects or blocks of data can be encrypted with individualized keys. The keys are generated from the unencrypted data objects or blocks. The encrypted data objects or blocks and fingerprints of the encrypted data objects or blocks can be uploaded to a datacenter. Even though the data objects or blocks are encrypted, deduplication can be performed by the datacenter or before the data object is uploaded to the datacenter. In addition, access can be controlled by encrypting the key used to encrypt the data object with access keys to generate one or more access codes. The key to decrypt the encrypted data object is obtained by decrypting the access code.

Abstract: A subscription system and method of facilitating permission-based access to a subset of vehicle sensor data in a vehicle electronic control unit (ECU) to augment an information application. The system includes a vehicle subscription server. The method includes generating, by the vehicle subscription server, a sensor key and a subscription key, installing in a memory of the vehicle ECU the vehicle sensor key. In response to a request for a subscription by a mobile device, transmitting by the vehicle subscription server the subscription key. The vehicle ECU uses the subscription key to authenticate the mobile device as having a current subscription, and augments the information application with the subset of vehicle sensor data accessed based on the sensor subscription key.

Abstract: A method for encrypting and decrypting data across domains based on privacy computing is provided. A data provider deploys a base key for a data user in advance, and when the data user needs to use the data at a later stage, the data provider generates a data token about a data key based on the base key, and then transmits encrypted data and the data token to the data user. The user obtains the data key based on its own base key in a privacy environment according to the data token, and uses the data key in the privacy environment to realize use of the encrypted data. A transmission process does not involve transmission of the key; therefore, even if a transmission channel is not secure, security of the data can still be ensured, and even if private data is used, the data itself cannot be obtained.

Abstract: The present invention relates to a terminal device and a method by which a terminal device switches a data transmission path, the terminal device being capable of switching a data transmission path by determining by itself whether the data transmission path for transmission of user plane data is switched without a link, among core configurations of respective networks in a mutual interworking environment among heterogeneous networks.

Abstract: A method for providing a secured client computer that includes peripheral components. Each peripheral component processes a corresponding peripheral component data of a data type that is not compatible with peripheral component data types processed by a processor of other peripheral components. The processor of each peripheral component codes the corresponding data of the data type for establishing a secured peer-to-peer communication with other peripheral components.

Abstract: The present disclosure provides techniques that may be applied, for example, for providing network policy information in a secure manner. In some cases, a UE may receive a first message for establishing a secure connection with a network, wherein the first message comprises network policy information, generate a first key based in part on the network policy information, and use the first key to verify the network policy information.

Abstract: A request generated by an unmanaged app to access a resource is received from a mobile device. A notification is sent to the mobile device. A device level VPN connection to the mobile device is established. A unique identifier is associated with the device level VPN. App level traffic received via the device level VPN is tagged with the unique identifier. Access to the resource is allowed in response to the request based at least in part on a determination based on the tags that app level traffic from a trusted app and app level traffic from the unmanaged app are associated with the same mobile device.

Abstract: A set of data packets transmitted by an IoT device is received at a system. At least one packet included in the set of data packets is analyzed. An Authentication, and Account (AAA) message, including contextual information associated with the IoT device, is transmitted on behalf of the IoT device.

Abstract: Results of an authentication process are received. The authentication process allows for a graded level of authentication using a plurality of authentication types (e.g., a username/password and a fingerprint scan). Encrypted data is then accessed. The encrypted data has been encrypted using a plurality of encryption levels. The data is unencrypted based on the graded level of authentication. In a second embodiment, a system and method are provided that establish a communication session (e.g., a voice or email communication session). The communication session is between a plurality of users. During the communication session, an indication is received to change an encryption level for the communication session. In response to receiving the indication to change the encryption level for the communication session, an encryption level of the first communication session is dynamically changed from a first level of encryption to a second level of encryption.

Abstract: A method for a serving network to selectively employ perfect forward security (PFS) based on an indication from a home network is described. The method includes receiving, by the serving network, a PFS indicator from the home network; determining, by the serving network, whether the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with a piece of user equipment; and performing, by the serving network, a PFS procedure with the piece of user equipment in response to determining that the PFS indicator indicates that the home network has instructed the serving network to employ PFS for communications with the piece of user equipment.

Abstract: The techniques described herein provide for authentication of a reader device over a wireless protocol (e.g., NFC or Bluetooth, BLE). The mobile device can receive and store the static public key of the reader device and one or more credentials, each credential specifying access to an electronic lock. The mobile device can receive an ephemeral reader public key, a reader identifier, and a transaction identifier. The mobile device can generate session key using the ephemeral mobile private key and the ephemeral reader public key and send the ephemeral mobile public key to the reader device. The reader device can receive the ephemeral mobile public key and sign and transmit a signature message to the mobile device. The mobile device can validate a reader signature and generate an encrypted credential that the reader can use to access an electronic lock. The reader device can authenticate the mobile device for mutual authentication.

Abstract: An image forming system includes: a transmission terminal; a reception terminal; and an image forming apparatus. The transmission terminal i) selects the reception terminal transmitting image data and outputs selection information, ii) receives terminal position information of the reception terminal and apparatus position information of the image forming apparatus, iii) acquires the terminal position information and the apparatus position information, vi) authenticates the reception terminal and the image forming apparatus based on the terminal position information and the apparatus position information, and outputs authentication information, and v) transmits job data based on the authentication information. The reception terminal i) acquires terminal position information based on the selection information, and ii) transmits the terminal position information. The image forming apparatus forms an image of the job data on a sheet.

Abstract: Disclosed herein are methods and systems for transferring trust between authentication devices associated with the same user. The user accessing secure online resource(s) uses a first (authentication) client device which is not yet associated (verified) with the user for accessing the secure online resource(s). In response to receiving an authentication request from the client device, an authentication message is transmitted to the first client device. The authentication message is transferred from the first client device to a second client device already associated (verified) with the user for accessing the secure online resource(s). The second authenticator transmits back the authentication message which may be verified against the authentication message transmitted to the first client device.

Abstract: In accordance with an example embodiment, there is provided an apparatus, such as a user equipment, configured to receive, from a communication network, an authentication request which comprises a nonce and a received sequence number, check, whether the received sequence number is advanced with respect to a first sequence number, the first sequence number being from a most recent previous authentication request handled by the apparatus, check, responsive to the received sequence number not being advanced with respect the first sequence number, whether the nonce is identical to one from among plural stored nonces, and send, responsive to the nonce being identical to the one stored nonce, a response to the authentication request which comprises as a synchronization failure token a dummy value which is not derived from the first sequence number.

Abstract: Techniques and mechanisms to reduce double encryption of packets that are transmitted using encrypted tunnels. The techniques described herein include determining that portions of the packets are already encrypted, identifying portions of the packets that are unencrypted, and selectively encrypting the portions of the packets that are unencrypted prior to transmission through the encrypted tunnel. In this way, potentially private or sensitive data in the packets that is unencrypted, such as information in the packet headers, will be encrypted using the encryption protocol of the encrypted tunnel, but the data of the packets that is already encrypted, such as the payload, may avoid unnecessary double encryption. By reducing (or eliminating) the amount of data in data packets that is double encrypted, the amount of time taken by computing devices, and computing resources consumed, to encrypted traffic for encrypted tunnels may be reduced.

Abstract: A method, non-transitory computer readable medium, and device that transmits a cryptographic variable input to a detachably coupled smart card. Execution of at least one of protected cryptographic algorithm operation by the smart card which requires the cryptographic variable input and a cryptographic constant input stored on the smart card to generate one or more cryptographic products is requested. The one or more generated cryptographic products from the smart card are received. An encrypted signal simulation based on execution of a simulator using the received one or more generated cryptographic products is generated and is output.

Abstract: Disclosed is a method for validating a digital request in which cooperating entities are able to use security processors loaded with an application for processing the request, each processor issuing, on request, a digital certificate of integrity; wherein said method includes: an application integrity verification process such that, based on the issued certificates, each entity ensures that each of the other entities implements an application identical to its own; a process by which entities create a common secret and thus form a group of Creative entities; and a process by which entities of the group of Creative entities designate the signatory entities, thus forming a group of cooperating signatory entities, so that, as such, the group has access to the common secret; in order for the request to be validated if and only if entities of the group of signatory entities implement the application by means of the common secret.

Abstract: A method and apparatus for a first IAB node for securely communicating with at least one second IAB node is provided. A secure connection with a node of a network is established. A message is received, from the node, indicating a secure messaging protocol to use to communicate with the at least one second IAB node, the message including one of at least one nonce or a key. A control message to be sent to the at least one second IAB node is transformed into a secure control message using the secure messaging protocol. The secure control message is transmitted to the at least one second IAB node.

Abstract: A method of authenticating a first device at a second device for two wirelessly communicating devices, the method comprising: determining the distance between the two devices based on a property of a received communication; at each device, determining at least one shared physical layer property of the communication channel between the two devices; and authenticating the first device based on the determined distance between the two devices and the determined physical layer property of the communication channel.

Abstract: Exemplary embodiments relate to techniques for end-to-end encrypted interactive messaging between users of a communication system. For example, the interactive messaging may be based on a message template. An end-to-end encrypted message may be sent to a recipient. The encrypted message may contain at least a template identifier associated with the message template and one or more dynamic parameters. The receiving device may decrypt the message and hydrate the message template with the one or more dynamic parameters.

Abstract: There is disclosed a method of a User Equipment, UE, in a 3rd Generation Partnership Project, 3GPP, compliant mobile communications network supporting dual connectivity, and a corresponding UE. The method comprises detecting a signalled reconfiguration procedure of a Data Radio Bearer, DRB, having or changing to a DRB type in which downlink, DL, data is received from only serving cells of a Secondary Cell Group, SCG, connected to a Secondary eNB, SeNB, via an SCG DRB, or in which DL data is received from a SCG and also from serving cells of a Master Cell Group, MCG, connected to a Master eNB, MeNB, via a split DRB.

Abstract: Systems and methods are provided for securely managing vehicle information. A first digital signature associated with the vehicle may be generated based on a first public-private key pair, and a second digital signature associated with a mobile application may be generated based on a second public-private key pair. The mobile application may be associated with a mobile device operated by a user. The first digital signature and the public key of the first public-private key pair may be transmitted to, and stored by, the vehicle, and the second digital signature and the public key of the second public-private key pair may be transmitted to, and stored on the mobile device via the mobile application. The systems and methods may determine that a request to access the vehicle information has been received, and permit access to the vehicle information based on the first digital signature and the second digital signature.

Abstract: Systems, methods, and computer-readable storage media for ensuring electronic communications have not been intercepted and manipulated. An exemplary device generates a public/private pair of keys, and transmits the public key to another device with information about the data to be shared. The second device encrypts associated data, while also executing a hash function on at least a portion of the data. The first device receives the encrypted data, decrypts it, and verifies its accuracy using a third party. The third party also executes the hash function on the data received from the first device, and transmits the output of that hash function to the first device. Both the first device and second devices and display the hash values, allowing users to visually determine if the data has been manipulated during the transaction.

Abstract: Provided herein are method and apparatus for channel coding in the fifth Generation (5G) New Radio (NR) system. An embodiment provides an apparatus for a Next Generation NodeB (gNB), including circuitry, which is configured to: generate Downlink Control Information (DCI) payload for a NR-Physical Downlink Control Channel (NR-PDCCH); attach Cyclic Redundancy Check (CRC) to the DCI payload; mask the CRC with an Radio Network Temporary Identifier (RNTI) using a bitwise modulus 2 addition operation, wherein the number of bits for the RNTI is different from the number of bits for the CRC; and perform polar encoding for the DCI payload with the masked CRC.

Abstract: An encryption mechanism used on cooperative multi-band wireless STA architecture that enables full duplex operations. In encrypting a frame, an AAD can be constructed by using a selected MAC address, which may not be associated with a band to be used for transmitting the frame in an upcoming TXOP. An STA that supports simultaneous transmission in a multi-band operation uses the same MAC address to encrypt the frames to be transmitted on different bands. An AAD is constructed by using a same MAC address corresponding to one of the transceivers. A transmit STA may specify band information used for encryption in the MAC header, which serves to signal the receive STA to decrypt the frame by using the proper information.

Abstract: A key fob, comprising an electronic communication circuit, a processor, and a battery configured to power the electronic communication circuit and the processor, further comprises: a communication module for exchanging data with an external electronic communication device, an access control module for exchanging access control data with an external electronic access control device, and a user activatable operating element which activates the communication module, or the access control module, depending on actuation of the operating element by a user.

Abstract: A system and method for protecting copyright in content distributed online, in combination with specified business rules. A portion of content presented for upload on a network is analyzed to detect an image associated with a content owner; the image is compared with reference images to identify the content owner; and business rules are applied to control unauthorized uploading of the content. The identifier may be a logo included in the content as a digital graphic, or a non-visual marker. Analysis is advantageously performed on a sample of video frames or a segment of preselected length. If the content is found to be copyrighted, and the attempted upload is unauthorized, uploading may or may not be permitted, and the user may or may not be charged a fee for subsequent access to the content.

Abstract: An apparatus of a Radio Access Network (RAN) node, a system, and a method. The apparatus includes one or more processors to, during a non-dual connectivity (non-DC) radio link control (RLC) acknowledged mode (AM) handover of a user equipment (UE) from a source RAN node to the RAN node: process a message including information on at least one of an uplink (UL) COUNT value, a downlink (DL) COUNT value, or a hyper frame number (HFN) corresponding to UL or DL packet data convergence protocol (PDCP) data units (DUs) communicated between the UE and the source RAN node; determine the at least one of the UL COUNT value, the DL COUNT value or the HFN from the message; and process the PDCP DUs based on the at least one of the UL COUNT value, the DL COUNT value.