Patents Examined by Moeen Khan
  • Patent number: 11831611
    Abstract: A request to establish an encrypted VPN connection between a network external to a provider network connected to the provider network via a dedicated direct physical link and a set of resources of the provider network is received. A new isolated virtual network (IVN) is established to implement an encryption virtual private gateway to be used for the connection. One or more protocol processing engines (PPEs) are instantiated within the IVN, address information of the one or more PPEs is exchanged with the external network and a respective encrypted VPN tunnel is configured between each of the PPEs and the external network. Routing information pertaining to the set of resources is provided to the external network via at least one of the encrypted VPN tunnels, enabling routing of customer data to the set of resources within the provider network from the external network via an encrypted VPN tunnel implemented over a dedicated direct physical link between the external network and the provider network.
    Type: Grant
    Filed: February 7, 2020
    Date of Patent: November 28, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Po-Chun Chen, Omer Hashmi, Sanjay Bhal
  • Patent number: 11831774
    Abstract: A method of authenticating devices for secure data exchange. A system receives a scheduling request and generates a ledger of participants authorized to be admitted to a communication session during a time window. For each participant, the ledger includes a participant identifier, a participant key, and a meeting identifier corresponding to the communication session. The participant key and meeting identifier are encoded into a short-code which is redeemed, by the participants, for an access token authorizing a peer-to-peer connection between devices within a meeting room during the communication session. The participants include a host who has special privileges during the communication session, and one or more clients.
    Type: Grant
    Filed: June 9, 2021
    Date of Patent: November 28, 2023
    Assignee: Humana Inc.
    Inventors: Anthony Persaud, Andrew Flores, Henry Spindell, Avery Ryder, Jaewook Chun, Salvatore Nuziale
  • Patent number: 11829773
    Abstract: A network device may load, via a boot ROM application, a provider bootloader application from a memory of the network device and may calculate a first hash value based on decrypting a provider bootloader signature with a provider public key. The network device may calculate a second hash value based on the provider bootloader application and may utilize, when the first hash value and the second hash value are equivalent, the provider bootloader application to load an original equipment manufacturer (OEM) bootloader application from the memory. The network device may calculate a third hash value based on decrypting an OEM bootloader signature with one of a plurality of OEM public keys. The network device may calculate a fourth hash value based on the OEM bootloader application. The network device may complete, when the third hash value and the fourth hash value are equivalent, a boot process for the network device.
    Type: Grant
    Filed: June 11, 2020
    Date of Patent: November 28, 2023
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Young Rak Choi, Warren Hojilla Uy, Dayong He, Manuel Enrique Caceres
  • Patent number: 11831608
    Abstract: In various examples, firewalls may include machine learning models that are automatically trained and applied to analyze service inputs submitted to input processing services and to identify whether service inputs are desirable (e.g., will result in an undesirable status code if processed by a service). When a service input is determined by a firewall to be desirable, the firewall may push the service input through to the input processing service for normal processing. When a service input is determined by the firewall to be undesirable, the firewall may block or drop the service input before it reaches the input processing service and/or server. This may be used to prevent the service input, which is likely to be undesirable, from touching a server that hosts the input processing service (e.g., preventing a crash).
    Type: Grant
    Filed: January 27, 2020
    Date of Patent: November 28, 2023
    Assignee: NVIDIA Corporation
    Inventors: Christopher Schneider, William Bartig, Daniel Rohrer, Andrew Woodard
  • Patent number: 11831752
    Abstract: Disclosed herein is a data storage device. A data port transmits data between a host computer system and the data storage device. A non-volatile storage medium stores encrypted user content data and a cryptography engine uses a cryptographic key to decrypt the encrypted user content data stored on the storage medium in response to a request from the host computer system. An access controller receives a request from a manager device to initialize the data storage device. The controller generates the cryptographic key, generates a manager key configured to provide manager access for the manager device and provide access to the cryptographic key, and stores, on a data store, authorization data indicative of the manager key and accessible based on a private key stored on the manager device.
    Type: Grant
    Filed: January 9, 2020
    Date of Patent: November 28, 2023
    Assignee: Western Digital Technologies, Inc.
    Inventors: Brian Edward Mastenbrook, David Robert Arnold
  • Patent number: 11831782
    Abstract: A method for verification of a data value via a Merkle root includes: storing, in a memory of a processing server, a Merkle root; receiving at least a data value, a nonce, and a plurality of hash path values; generating a combined value by combining the data value and the nonce; generating a first hash value via application of a hashing algorithm to the combined value; generating a subsequent hash value via application of the hashing algorithm to a combination of the first hash value and a first of the plurality of hash path values; repeating generation of the subsequent hash value using a combination of the next hash path value of the plurality of hash path values and the most recent subsequent hash value; and verifying the data value based on a comparison of the Merkle root and the last generated subsequent hash value.
    Type: Grant
    Filed: October 1, 2020
    Date of Patent: November 28, 2023
    Assignee: MASTERCARD INTERNATIONAL INCORPORATED
    Inventor: Steven C. Davis
  • Patent number: 11831762
    Abstract: Secure credentials (e.g., Diffie-Hellman (DH) key pairs) may be generated independently of requests to establish communication channels between storage system ports (SSPs) and remote ports, such that secure credentials are pre-generated relative to the requests for which they are utilized to establish secure communication channels. For example, DH key pairs may be pre-generated, and each DH key pair stored in an entry of a DH key table. The number of DH keys to generate and store may be determined based on user input and/or the number of potential communication channels for the storage system. In response to a request to establish a communication channel, an IKE session may be executed, during which a pre-generated DH key pair may be obtained from the DH key table, from which symmetric for secure communication between the SSP and the remote port may be derived.
    Type: Grant
    Filed: May 29, 2020
    Date of Patent: November 28, 2023
    Assignee: EMC IP Holding Company LLC
    Inventors: Venkata L R Ippatapu, Kenneth Dorman
  • Patent number: 11831755
    Abstract: A method, a computer system, and a computer program product for cryptography are provided. A guest virtual server registers with a trusted hypervisor by using guest credentials. A guest wrapping key associated with the guest credentials is generated. A satellite virtual server instance that shares a master key with the virtual guest server is generated in the trusted hypervisor. A copy of the guest wrapping key is passed to the satellite virtual server instance. A random guest key is wrapped with the guest wrapping key, thereby producing a wrapped guest key. The wrapped guest key is rewrapped with the master key to form a protected guest key.
    Type: Grant
    Filed: October 25, 2021
    Date of Patent: November 28, 2023
    Assignee: International Business Machines Corporation
    Inventors: Reinhard Theodor Buendgen, Christian Borntraeger
  • Patent number: 11831406
    Abstract: Briefly, example methods, apparatuses, and/or articles of manufacture are disclosed that may be implemented, in whole or in part, using one or more processing devices to facilitate and/or support cryptographically associating a particular computing device with a new system owner based at least in part on a new system owner public key of a new system owner public/private key pair and a current system owner private key of a current system owner public/private key pair.
    Type: Grant
    Filed: August 21, 2020
    Date of Patent: November 28, 2023
    Assignee: Arm Limited
    Inventors: Daniil Viktorovich Egranov, Donald Edward Banks, Stuart Yoder
  • Patent number: 11831754
    Abstract: In some instances, a method for authenticating a user using key pair authentication is provided. The method comprises enrolling the user into key pair authentication by generating a private and public key pair for an authentication domain, accessing the content on the first domain based on enrolling the user into the key pair authentication with a key pair authentication server using the private and public key pair for the authentication domain, requesting access for different content on a second domain, based on enrolling the user into the key pair authentication for the first domain, redirecting a browser from the second domain to the authentication domain, and accessing the different content on the second domain based on performing the key pair authentication with the key pair authentication server using the private and public key pair for the authentication domain.
    Type: Grant
    Filed: April 21, 2021
    Date of Patent: November 28, 2023
    Assignee: Aetna Inc.
    Inventors: Abbie Barbir, Salil Kumar Jain, Cisa Kurian, John Poirier, Amy Ulrich, Erick Verry, Victoria Garstka, Abhishek Tennarangam
  • Patent number: 11831780
    Abstract: Secure protocols for external-facing authentication are provided for both user templates stored on their devices and the biometric measurement captured by external sensors of an access device. The protocols provide different levels of security, ranging from passive security with some leakage to active security with no leakage. A packing technique is also provided. Zero-knowledge techniques are used during enrollment to validate a norm of user templates and knowledge of the plaintext biometric template. Once enrolled, the verifier can sign the encrypted template for use in a later matching phase with an access device.
    Type: Grant
    Filed: December 8, 2022
    Date of Patent: November 28, 2023
    Assignee: Visa International Service Association
    Inventors: Saikrishna Badrinarayanan, Peter Rindal, Pratyay Mukherjee
  • Patent number: 11831759
    Abstract: A method including encrypting, by a multiuser device, a first folder based on utilizing a first symmetric key and a second folder based on utilizing a second symmetric key, the first folder and the second folder being stored on the multiuser device; encrypting, by the multiuser device, the first symmetric key based on utilizing a first assigned public key and the second symmetric key based on utilizing a second assigned public key; and providing access, by the multiuser device, to the encrypted first folder by decrypting the encrypted first symmetric key based on verifying first biometric information and to the encrypted second folder by decrypting the encrypted second symmetric key based on verifying second biometric information, the first biometric information being different from the second biometric information is disclosed. Various other aspects and techniques are contemplated.
    Type: Grant
    Filed: August 13, 2022
    Date of Patent: November 28, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11831753
    Abstract: A distributed key management system, which contains a server, a plurality of key-holding devices adapted to communicate with the server; and a key-requesting device adapted to communicate with the server. Each one of the plurality of key-holding devices is adapted to hold a different fragment of a private key. The server is adapted to reconstruct the private key based on the fragments received from the plurality of key-holding devices. The key-requesting device is adapted to obtain the private key from the server. The systems according to the invention provide a zero-trust model key management scheme and would eliminate the risk of key leakage to unauthorized persons while providing flexibility of authorizing devices.
    Type: Grant
    Filed: December 3, 2019
    Date of Patent: November 28, 2023
    Assignee: Foris Limited
    Inventors: Ming Sum Sam Ng, Matthew David Chan, Wai King Jason Lau, Siu Kei Thomas Kung
  • Patent number: 11832100
    Abstract: This application relates to a computing device that can be configured to implement a method for enabling a nearby computing device to access a wireless network by carrying out the techniques described herein. In particular, the method can include the steps of (1) receiving a request from the nearby computing device to access the wireless network, where the request includes user information associated with the nearby computing device, (2) presenting a notification associated with the request in response to determining, based on the user information, that the nearby computing device is recognized by the computing device, and (3) in response to receiving an approval for the nearby computing device to access the wireless network: providing, to the nearby computing device, a password for accessing the wireless network.
    Type: Grant
    Filed: September 29, 2017
    Date of Patent: November 28, 2023
    Assignee: Apple Inc.
    Inventors: Alexander D. Sanciangco, Bob Bradley, Marc J. Krochmal, Nathan A. Kralian, Welly Kasten, Patrick L Coffman
  • Patent number: 11831757
    Abstract: A system for generating a virtual private key using personal credentials, comprising: personal knowledge and a suite of algorithms and methodologies integrated, without using third party information, in such a manner that the private key can be securely generated without exposing the credentials entity.
    Type: Grant
    Filed: June 29, 2022
    Date of Patent: November 28, 2023
    Assignee: SafeMoon US, LLC
    Inventors: Lynn Spraggs, Robert Spraggs
  • Patent number: 11831789
    Abstract: Systems and methods of managing a certificate associated with a component located at a remote location from a certificate authority system are provided. A certificate request is received, wherein the certificate request comprises a key associated with the component. A certificate is generated corresponding to the key received in the certificate request, and a validity status of the certificate is caused to be set to invalid. The certificate is provided to the component and it is determined whether the component matches the certificate. Upon determining that the component matches the certificate, the validity status is caused to be set to valid.
    Type: Grant
    Filed: November 19, 2021
    Date of Patent: November 28, 2023
    Assignee: Axis AB
    Inventors: Axel Keskikangas, Johnny Wahnström, Ola Mårtensson, Pernilla Allansson
  • Patent number: 11711206
    Abstract: A method comprises a server generating a server nonce and transmitting a server public key, a key signature and the server nonce to a device, the device verifying the server public key, signing the server nonce with a device private key, generating a device nonce, and transmitting the server nonce, the server nonce signature, a device public key, a device key signature, and the device nonce to the server, the server verifying the server nonce and the device public key, generating a session key, encrypting the session key with the device public key, signing the device nonce and the session key with a server private key, and transmitting the device nonce, the signed device nonce and session key, and the encrypted session key to the device, and the device verifying the device nonce, decrypting the encrypted session key with the device private key, and verifying the decrypted session key.
    Type: Grant
    Filed: September 24, 2020
    Date of Patent: July 25, 2023
    Assignee: General Electric Company
    Inventors: Jeffrey S. Gilton, Douglas R. Nichols, Mark E. Hingsbergen, Matthew B. Pfenninger
  • Patent number: 11677547
    Abstract: Provided is a process for authentication of a user on a mobile device. The user of the mobile device may authenticate with the mobile device, and credentials may be conveyed to a server via a relying device. The mobile device may directly communicate credentials to the relying device. In some examples, the user of the mobile device may authenticate using the mobile device without inputting credentials on the relying device. Credentials conveyed to the server by the relying device and authenticated by the server may permit user access to the relying device or access to an online resource from the relying device.
    Type: Grant
    Filed: July 22, 2022
    Date of Patent: June 13, 2023
    Assignee: HYPR Corp.
    Inventor: Michael McDonald
  • Patent number: 11652810
    Abstract: A method including encrypting, by a processor associated with a user device, authentication information associated with authenticating the user device with a service provider, the authentication information including first factor authentication information for determining a first factor and second factor authentication information for determining a second factor; detecting, by the processor, an attempt to access a service to be provided by the service provider; determining, by the processor based at least in part on detecting the attempt, the first factor based at least in part on decrypting the first factor authentication information and the second factor based at least in part on decrypting the second factor authentication information; and enabling, by the processor, authentication of the user device with the service provider based at least in part on utilizing the first factor and the second factor. Various other aspects are contemplated.
    Type: Grant
    Filed: May 23, 2022
    Date of Patent: May 16, 2023
    Assignee: UAB 360 IT
    Inventor: Mindaugas Valkaitis
  • Patent number: 11652646
    Abstract: Systems and methods for key management. An aspect of the disclosure provides for a key management system including an authenticating function, a key-management function, and at least one function. The system provides for separation of authentications and key-management functions. The authenticating function configured for receiving an authentication request associated with a terminal device (TD), authenticating the request, and sending an authentication response to the at least one function. The key-management function configured for receiving a key request associated with the TD, generating a key according to the key request, and sending the key to the at least one function. The at least one function configured for receiving a request for service, sending, to the authenticating function, the authentication request, and receiving, from the authenticating function, the authenticating response.
    Type: Grant
    Filed: December 11, 2020
    Date of Patent: May 16, 2023
    Assignee: HUAWEI TECHNOLOGIES CO., LTD.
    Inventors: Bidi Ying, Xu Li