Patents Examined by Bradley W Holder
  • Patent number: 11856108
    Abstract: Disclosed in some examples are methods, systems, and machine readable mediums for secure end-to-end digital communications involving mobile wallets. The result is direct, secure, in-band messaging using mobile wallets that may be used to send messages such as payments, requests for money, financial information, or messages to authorize a debit or credit.
    Type: Grant
    Filed: October 28, 2022
    Date of Patent: December 26, 2023
    Assignee: Wells Fargo Bank, N.A.
    Inventors: Joon Maeng, Ramanathan Ramanathan, Thomas Hayes
  • Patent number: 11853409
    Abstract: Examples described herein relate to apparatuses and methods for associating a first account with a second account, the first account being hosted by a first server, the second account being hosted by a second server, including but not limited to, authenticating, by the first server, first login credentials associated with the first account, wherein the first login credentials are received from a user device, receiving, by the first server from the user device, second login credentials associated with the second account, sending, by the first server, the second login credentials to the second server for authentication, in response to determining that the second login credentials are authenticated by the second server, associating, by the first server, the first account with the second account, and connecting, by the first server to the second server, to allow the user device to access services commensurate with the second account without prompting the user device for the second login credentials.
    Type: Grant
    Filed: August 22, 2022
    Date of Patent: December 26, 2023
    Assignee: Level 3 Communications, LLC
    Inventor: Christopher Newton
  • Patent number: 11855977
    Abstract: A device may determine that a network function of a network is to use a secure communication protocol. The network function may be configured to facilitate communication via the network. The device may identify a component of a resource configuration that is to instantiate the network function. The device may instantiate, using the component, a proxy for the network function. The device may configure the proxy to obtain a certificate that is associated with the secure communication protocol. The device may cause the proxy to use the certificate to communicate with another proxy that is associated with the network function to perform an operation associated with the network function.
    Type: Grant
    Filed: October 12, 2022
    Date of Patent: December 26, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Amit Mahajan, Jayesh Kumar Laad, John M. Bittenbender
  • Patent number: 11843635
    Abstract: A satellite communication system which supports encrypted DNS at the customer premise equipment terminal to provide the benefits of local DNS caching. Some implementations use Certificate Authority (CA)-signed Transport Layer Security (TLS) certificates. Implementations may provide encrypted DNS service at the CPE, where the system installs a CA-signed TLS certificate at the customer premise equipment (CPE) terminal. The same certificate can be used at multiple terminals using a wild-card certificate distributed by the satellite to provide value added services at a CPE as secure web services to off-the-shelf web clients and applications.
    Type: Grant
    Filed: December 16, 2021
    Date of Patent: December 12, 2023
    Assignee: HUGHES NETWORK SYSTEMS LLC
    Inventor: Chi-Jiun Su
  • Patent number: 11822648
    Abstract: Disclosed are methods, systems, and non-transitory computer-readable medium for detecting data anomalies on a device. For instance, the method may include: receiving an initial data measurement transmitted by the device, wherein the initial data measurement includes a measurement of data stored in the device using a unique key associated with the device; transmitting a request for a subsequent data measurement of data stored in the device; receiving the subsequent data measurement transmitted by the device; comparing the subsequent data measurement to the initial data measurement; and determining whether an anomaly exists in the data stored in the device based on the comparison.
    Type: Grant
    Filed: April 23, 2021
    Date of Patent: November 21, 2023
    Assignee: HONEYWELL INTERNATIONAL INC.
    Inventors: Ly Vessels, Asongu Tambo
  • Patent number: 11825000
    Abstract: In one example, a system for asymmetric device attestation includes a physically unclonable function (PUF) configured to generate a response to a challenge. A pseudo-random number generator generates a set of random numbers based on the response. A key generator determines co-prime numbers in the set of random numbers and generates a key pair using the co-prime numbers, wherein the public key is released to a manufacturer of the component for attestation of authenticity of the component. Through extending the PUF circuitry with a pseudo-random number generator, the present techniques are able to withstand unskilled and skilled hardware attacks, as the secret derived from the PUF is immune to extraction.
    Type: Grant
    Filed: May 12, 2022
    Date of Patent: November 21, 2023
    Assignee: Intel Corporation
    Inventors: Prashant Dewan, Baiju Patel
  • Patent number: 11825301
    Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) and a serving base station may locally store secret information (e.g., side information, such as a secret key, a public key, etc.) that is used to protect physical (PHY) layer channel or signal transmissions. The UE and the serving base station may determine a next value of a pseudo random sequence that is a function of a current value of the pseudo random sequence and the secret information and may use the next value to determine a time-varying parameter. The UE and the serving base station may use this time-varying parameter to determine which tones, which symbol periods, or which sequence is being used for a subsequent communication of a PHY layer channel or signal.
    Type: Grant
    Filed: November 13, 2020
    Date of Patent: November 21, 2023
    Assignee: QUALCOMM Incorporated
    Inventors: Ravi Agarwal, Naga Bhushan, Gavin Bernard Horn
  • Patent number: 11818278
    Abstract: The disclosure provides an approach for certificate management for cryptographic agility. Embodiments include receiving, by a cryptographic agility system, a cryptographic request related to an application. Embodiments include selecting, by the cryptographic agility system, a cryptographic technique based on contextual information associated with the cryptographic request. Embodiments include determining, by the cryptographic agility system, based on the cryptographic request, a certificate for authenticating a key related to the cryptographic technique. Embodiments include providing, by the cryptographic agility system, the certificate to an endpoint related to the cryptographic request for use in authenticating the key.
    Type: Grant
    Filed: July 26, 2021
    Date of Patent: November 14, 2023
    Assignee: VMWARE, INC.
    Inventors: Marc Wayne Brotherson, Mark Benson, Daniel James Beveridge, Sean Huntley, Akeem Jenkins, David Ott
  • Patent number: 11809564
    Abstract: Systems and procedures are provided for importing cryptographic credentials of a customer to an IHS (Information Handling System). During factory provisioning of the IHS, a signed inventory certificate is uploaded to the IHS that includes an encrypted access code for unlocking the IHS and also includes encrypted credentials provided by the customer. Upon delivery and initialization of the IHS, the inventory certificate is retrieved by a pre-boot validation process. A cryptographic challenge is issued that presents the encrypted access code. Further initialization of the IHS is halted until a response to the challenge is received from the customer that provides the decrypted access code. When the decrypted access code is received, further initialization of the IHS is enabled and the encrypted credentials from the inventory certificate are imported to the IHS, thus allowing the customer to establish an independent root of trusted components using the IHS.
    Type: Grant
    Filed: October 22, 2021
    Date of Patent: November 7, 2023
    Assignee: Dell Products, L.P.
    Inventors: Marshal F. Savage, Mukund P. Khatri, Jason Matthew Young
  • Patent number: 11809584
    Abstract: Techniques are disclosed relating to securely storing file system metadata in a computing device. In one embodiment, a computing device includes a processor, memory, and a secure circuit. The memory has a file system stored therein that includes metadata for accessing a plurality of files in the memory. The metadata is encrypted with a metadata encryption key that is stored in an encrypted form. The secure circuit is configured to receive a request from the processor to access the file system. In response to the request, the secure circuit is configured to decrypt the encrypted form of the metadata encryption key. In some embodiments, the computing device includes a memory controller configured to receive the metadata encryption key from the secure circuit, retrieve the encrypted metadata from the memory, and decrypt the encrypted metadata prior to providing the metadata to the processor.
    Type: Grant
    Filed: December 2, 2021
    Date of Patent: November 7, 2023
    Assignee: Apple Inc.
    Inventors: Eric B. Tamura, Wade Benson, John Garvey
  • Patent number: 11809541
    Abstract: Disclosed is a method for obtaining emergency device access for field devices in process automation technology by means of a security token. The method includes the field device receiving and storing a public key before an emergency occurs; connecting the security token to the field device; sending a challenge from the field device to the security token; calculating a response to the challenge by means of a private key on the security token and sending the response from the security token to the field device; and granting emergency access if the response is correct.
    Type: Grant
    Filed: September 22, 2021
    Date of Patent: November 7, 2023
    Assignee: Endress+Hauser Conducta GmbH+Co. KG
    Inventors: Thomas Alber, Martin Lohmann
  • Patent number: 11811755
    Abstract: A secure executable container executed by an endpoint device establishes a two-way trusted relationship in a secure peer-to-peer data network with a user entity, generates an endpoint identifier for the endpoint device in the secure peer-to-peer data network, and associates the endpoint device with a federation identifier identifying the user entity in the secure peer-to-peer data network. The secure executable container also: establishes a two-way trusted relationship between the endpoint device and a target network device; securely obtains, via the secure peer-to-peer data network, a user interface element definition describing a user interface element executable by the target network device; and supplies the user interface element definition to a secure keyboard resource executed in the endpoint device, causing the secure keyboard resource to generate a local representation of the user interface element for control of the target network device via the secure keyboard resource.
    Type: Grant
    Filed: January 20, 2022
    Date of Patent: November 7, 2023
    Assignee: WhiteStar Communications, Inc.
    Inventor: Billy Gayle Moon
  • Patent number: 11799831
    Abstract: A method of separating identity IPs for identification of applications from the locator IPs for identifying the route is provided. A virtual service layer (VSL) protocol stack uses the IP addresses assigned by network administrators to the application endpoints to support the TCP/IP stack as the identity IP addresses that are not published to the underlay network for routing. On the other hand, the VSL stack uses the IP addresses assigned by the underlay network to the VSL enabled endpoints and VSL enabled routers as the locator IP addresses for routing packets. The VSL stack formats application flow packets with identity headers as an identity packet and encapsulates the identity packet with the locator header to route the packet. The separation of the identity and locator identifications is used to eliminate the network middleboxes and provide firewall, load balancing, connectivity, SD-WAN, and WAN-optimization, as a part of the communication protocol.
    Type: Grant
    Filed: October 4, 2022
    Date of Patent: October 24, 2023
    Inventor: Sri Ram Kishore Vemulpali
  • Patent number: 11792186
    Abstract: In one embodiment, a method comprises: receiving, by a secure executable container executed by an endpoint device, a request from an originating entity for initiating a secure peer-to-peer communication with a second network entity via a secure data network, the originating entity and second network entity having established a two-way trusted relationship in the secure data network; processing, by the secure executable container, the request based on providing the originating entity sole and exclusive authority to control the secure peer-to-peer communication, including cryptographically secure termination and removal of the secure peer-to-peer communication from any network device in the secure data network; and initiating, by the secure executable container, the secure peer-to-peer communication by securely sending, to the second network entity via the secure data network, a secure peer-to-peer invitation for the second network entity to join the secure peer-to-peer communication.
    Type: Grant
    Filed: July 29, 2021
    Date of Patent: October 17, 2023
    Assignee: WhiteStar Communications, Inc.
    Inventor: Billy Gayle Moon
  • Patent number: 11790098
    Abstract: A device configured to obtain a first graphical code that represents a public encryption key for an organization and to extract the public encryption key for the organization from the first graphical code. The device is further configured to obtain a second graphical code that represents a digital document comprising data and a digital signature that was signed using a private encryption key for the organization. The device is further configured to extract the digital document from the second graphical code and to validate the second graphical code using the public encryption key for the organization. The device is further configured to determine the second graphical code passes validation using the public encryption key for the organization and to store the digital document in a digital document repository.
    Type: Grant
    Filed: August 5, 2021
    Date of Patent: October 17, 2023
    Assignee: Bank of America Corporation
    Inventors: Beverley Claire Morgan, Amanda Jane Adams
  • Patent number: 11790113
    Abstract: A user device may share encrypted health data with an electronic health record (EHR) system associated with a health institution. A unique data identifier that identifies a portion of the health data and a cryptographic key may be shared with the EHR system. The encrypted health data may be shared with a service provider and a unique data identifier. To access the health data, the EHR system may query the service provider with the unique data identifier.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: October 17, 2023
    Assignee: Apple Inc.
    Inventors: Pablo Antonio Gonzalez Cervantes, Mohan Singh Randhava, Jorge F. Pozas Trevino, Samuel A. Mussell, Isaac Pinol Catadau, Steven A. Myers, Dongsheng Zhang, Suhail Ahmad, Zhengjun Jiang, Yannick L. Sierra, Amir H. Jadidi
  • Patent number: 11784803
    Abstract: Several round-efficient solitary multi-party computation protocols with guaranteed output delivery are disclosed. A plurality of input devices and an output device can collectively perform a computation using methods such as fully homomorphic encryption. The output of the computation is only known to the output device. Some number of these devices may be corrupt. However, even in the presence of corrupt devices, the output device can still either generate a correct output or identify that the computation was compromised. These protocols operate under different assumptions regarding the communication infrastructure (e.g., broadcast vs point-to-point), the number of participating devices, and the number of corrupt devices. These protocols are round-efficient in that they require a minimal number of communication rounds to calculate the result of the multi-party computation.
    Type: Grant
    Filed: May 25, 2021
    Date of Patent: October 10, 2023
    Assignee: Visa International Service Association
    Inventors: Saikrishna Badrinarayanan, Pratyay Mukherjee, Divya Ravi, Peihan Miao
  • Patent number: 11785005
    Abstract: The disclosed technology provides for establishment of a secure tunnel with implicit device identification. The implicit device identification can be provided during establishment of a secure tunnel with a server by performing a mutual authentication with the server using a device-specific private key of the device. The device-specific private key may be provisioned during manufacturing of the device and stored by a secure hardware component of the device. Establishing the secure tunnel using implicit device identification can be helpful for operations in which a server is configured to only establish secure communications with one or more particular types of device, and can be performed without the use of additional device identification communications.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: October 10, 2023
    Assignee: Apple Inc.
    Inventors: Srinivas Vedula, Joel N. Kerr
  • Patent number: 11783070
    Abstract: Sensitive information can be managed using a trusted platform module. For example, a system can encrypt target information using a cryptographic key to generate encrypted data. The system can also receive an encrypted key from a trusted platform module, where the encrypted key is a version of the cryptographic key that is encrypted using a public key stored in the trusted platform module. The system can then transmit the encrypted data and the encrypted key to a remote computing system, for example to store the encrypted data and the encrypted key on the remote computing system. Using these techniques, the target information may be secured and stored in remote locations.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: October 10, 2023
    Assignee: Red Hat, Inc.
    Inventors: Ricardo Noriega De Soto, Michael Bursell, Huamin Chen
  • Patent number: 11777721
    Abstract: A system and method for signing data is presented. In one embodiment, the method comprises: generating a data signing key; transforming the data signing key into a first subkey and a second subkey; encrypting the first subkey according to a secret key of an ODSS; generating a signature verification public key; providing the signature verification public key, the encrypted first subkey, and the second subkey for storage in a client device; accepting a request to sign the data, the request having a representation of the data and the encrypted first subkey; generating a partially computed signature of the data according to the representation of the data and the encrypted first subkey; and providing the partially computed signature of the data to the client device.
    Type: Grant
    Filed: September 27, 2022
    Date of Patent: October 3, 2023
    Assignee: ARRIS Enterprises LLC
    Inventors: Nicol C. P. So, Alexander Medvinsky