Patents by Inventor Steffen Fries

Steffen Fries has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11368485
    Abstract: Provided is an arrangement for monitoring, a monitoring device and intermediary device and method for monitoring an encrypted connection between a client and an access point in a network, wherein—an Extensible Authentication Protocol is used for access authentication of the client to the network on an authentication server, and—a transport layer security protocol having a key disclosure function is executed within the Extensible Authentication Protocol, in which security information for the cryptographic protection of the connection is provided to an intermediary device and is transmitted from the intermediary device to a monitoring device for monitoring the connection. Also provided is a computer program product of the same.
    Type: Grant
    Filed: April 8, 2019
    Date of Patent: June 21, 2022
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20220188418
    Abstract: A method for verifying an execution environment provided by a configurable hardware module, where the execution environment is used for execution of at least one hardware-application, includes receiving a hardware-application 16. The hardware-application includes configuration data describing an instantiation as a hardware-application component on the configurable hardware module. A received hardware-application is instantiated as the hardware-application component in the execution environment. The execution environment of the configurable hardware module that executes the hardware-application component in the respective execution environment is analyzed by an instantiated hardware-application component. The hardware application component communicates with a characterizing unit providing characterizing parameters for the execution environment of the configurable hardware module.
    Type: Application
    Filed: February 25, 2020
    Publication date: June 16, 2022
    Inventors: Hans Aschauer, Rainer Falk, Christian Peter Feist, Steffen Fries, Aliza Maftun, Hermann Seuschek, Thomas Zeschg
  • Publication number: 20220191010
    Abstract: A method for key management in a field-programmable integrated part of an integrated circuit is disclosed herein. According to the method, a hardware configuration for the field-programmable integrated part is loaded into the field-programmable integrated part. The hardware configuration includes a key derivation functionality. Further, using the key derivation functionality, a cryptographic key is derived based on information provided in the field-programmable integrated part.
    Type: Application
    Filed: February 14, 2020
    Publication date: June 16, 2022
    Inventors: Hans Aschauer, Rainer Falk, Christian Peter Feist, Steffen Fries, Aliza Maftun, Hermann Seuschek, Thomas Zeschg
  • Publication number: 20220182244
    Abstract: Various embodiments of the teachings herein include a method for issuing a cryptographically protected certificate of authenticity for a user comprising: providing a public user key; providing a public client key for a client, the public client key assigned to the user; forming a request including the public user key, wherein the public user key is protected with the aid of a private client key assigned to the provided public client key; and issuing a cryptographically protected certificate of authenticity containing the public user key and identifying the client. The cryptographically protected certificate of authenticity contains or references a cryptographic client identifier formed depending at least in part on the public client key.
    Type: Application
    Filed: March 17, 2020
    Publication date: June 9, 2022
    Applicant: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20220179950
    Abstract: A die arrangement and a method of monitoring the same are provided. The die arrangement includes a plurality of dies and a physical interconnection structure extending between and traversing the plurality of dies. The physical interconnection structure is arranged for imparting unpredictable, yet reproducible properties to a digital signal being carried on the physical interconnection structure. The die arrangement further includes a monitoring logic for monitoring the properties of the digital signal. This enables detection of tampering of topological arrangements of semiconductor dies to one another.
    Type: Application
    Filed: December 4, 2019
    Publication date: June 9, 2022
    Inventors: Hans Aschauer, Rainer Falk, Christian Peter Feist, Steffen Fries, Aliza Maftun, Hermann Seuschek, Thomas Zeschg
  • Publication number: 20220150229
    Abstract: Provided is a method for transmitting data packets over a network from a sender to a receiver via a communication link consisting of at least one transmission section, via which the data packet is transmitted from a sender node to a receiver node, the method having the following steps for at least one transmission section: first security information, which includes information about a cryptographic protective function used in the transmission of the data packet via an adjacent transmission section, is assigned to the data packet by the sender node, the data packet having the assigned security information is transmitted to the receiver node of the transmission section, the security information is checked in the receiver node against a preset guideline, and at least one measure is provided in accordance with the result of the check.
    Type: Application
    Filed: March 6, 2020
    Publication date: May 12, 2022
    Inventors: Rainer Falk, Kai Fischer, Steffen Fries, Andreas Furch, Markus Heintel, Niranjana Papagudi Subrahmanyam, Tolga Sel
  • Publication number: 20220141199
    Abstract: The proposal relates to a method for transmitting data in a network (NW) comprising a plurality M of communication apparatuses, with M≥2, wherein the plurality M comprises a first communication apparatus (20) and a second communication apparatus (30), which are connected via a network connection section (NVA) for the purpose of transmitting data, having the steps of: a) ascertaining a time-of-flight property of data transmitted between the first communication apparatus (20) and the second communication apparatus (30) via the network connection section (NVA) by means of the first communication apparatus (20) and the second communication apparatus (30) in each case, b) deriving a secret by means of the first communication apparatus (20) and the second communication apparatus (30) in each case, by using the respective ascertained time-of-flight property, and c) transmitting a message protected by means of the derived secret between the first and second communication apparatuses (20, 30).
    Type: Application
    Filed: January 31, 2020
    Publication date: May 5, 2022
    Inventors: Rainer Falk, Kai Fischer, Steffen Fries, Andreas Furch, Markus Heintel, Niranjana Papagudi Subrahmanyam, Tolga Sel
  • Patent number: 11323251
    Abstract: A method for transfer of a dataset includes provisioning or generating a user-side Diffie Hellman key pair, including a secret user key and a public user key; transferring the public user key to the server; provisioning or generating a server-side Diffie Hellman key pair, including secret server and public server keys; provisioning a dataset on the server; generating a server-side Diffie Hellman key using the secret server key and the public user key, and encrypting the dataset to generate an encrypted dataset, via a resulting server-side Diffie Hellman key generated on the server side; transferring the encrypted dataset to the cloud service; retrieving the public server key and the encrypted dataset from the cloud service; and generating a user-side Diffie Hellman key using the secret user key and the public server key retrieved, and decrypting the encrypted dataset on the user device using the user-side Diffie Hellman key.
    Type: Grant
    Filed: December 17, 2019
    Date of Patent: May 3, 2022
    Assignee: SIEMENS HEALTHCARE GMBH
    Inventors: Steffen Fries, Ute Rosenbaum
  • Patent number: 11304058
    Abstract: Provided is a method for setting up access authorization for a subscriber apparatus to access a subnetwork of a mobile radio network, wherein the subnetwork is administrated by a mobile radio administration apparatus and the access authorization for the subscriber apparatus to access the subnetwork is checked by an access apparatus of the mobile radio network, wherein—access authorization to access the subnetwork is requested for the subscriber apparatus from the mobile radio administration apparatus by a local administration apparatus,—a subnetwork authorization token is assigned to the subscriber apparatus by the mobile radio administration apparatus and transmitted to the subscriber apparatus, wherein the subscriber apparatus is authorized to access the subnetwork only if the subnetwork authorization token is transmitted from the subscriber apparatus to the subnetwork during an access request and is confirmed as valid.
    Type: Grant
    Filed: June 5, 2019
    Date of Patent: April 12, 2022
    Inventors: Rainer Falk, Steffen Fries, Joachim Walewski
  • Publication number: 20220045868
    Abstract: A method for validating a digital user certificate of a user by a checking device is provided. The user certificate is protected by a digital signature with an issuer key of an issuance location which issues the user certificate. The method has the steps of: receiving the user certificate in the checking device, checking the user certificate using a certificate path positive list with at least one valid certificate path which is provided to the checking device by at least one positive path server, and confirming the validity of the user certificate if the issuer key of the user certificate can be traced back to a root certificate according to one of the valid certificate paths of the certificate path positive list. Also provided is a system, a checking device, a user device, a positive path server, and a computer program product which are designed to carry out the method for validating a digital user certificate.
    Type: Application
    Filed: December 11, 2019
    Publication date: February 10, 2022
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11244038
    Abstract: Provided is a method for proving authenticity of a device with the aid of a proof of authorization of the device, wherein the proof of authorization is provided in a first step and the integrity of identity details of the proof of authorization can be checked on the basis of a digital signature of a proof of authorization issuer, and wherein the proof of authorization has an item of hardware authentication information, and affiliation of the proof of authorization to the device is proved in a second step by means of a hardware secret of the device associated with the hardware authentication information. Two-factor authentication is therefore enabled, which authentication ties authentication of the device, in particular, to the fact that a hardware-specific secret is used for the check.
    Type: Grant
    Filed: February 15, 2017
    Date of Patent: February 8, 2022
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11218323
    Abstract: A method, system, backend, terminal, and computer program product are disclosed for producing a secure communication channel for a terminal, the method having the following method steps. A first method step for setting up a secure communication channel between a communication partner and a backend by a communication protocol. A second method step for producing a communication channel between the communication partner and the terminal. A third method step for transmitting the channel binding information. A fourth method step for storing the channel binding information on the terminal. A fifth method step for creating a data structure and a first digital signature across the data structure y. A sixth method step for sending the data structure and the digital signature from the backend to the terminal. A seventh method step for checking authenticity of the data structure.
    Type: Grant
    Filed: November 6, 2018
    Date of Patent: January 4, 2022
    Inventors: Steffen Fries, Marcus Schafheutle
  • Patent number: 11206147
    Abstract: A method for producing a cryptographic timestamp for a digital document using multiple time servers is provided. In the method, a nonce value is produced and a current hash value is formed from the nonce value and the digital document. Then, a time server is repeatedly selected, the current hash value is transmitted to the selected time server, a response comprising a digital signature of the current hash value and a time indication is received by the selected time server, and an additional hash value is determined from the received response and used as the current hash value. The cryptographic timestamp for the digital document is formed from the nonce value and the multiple received responses. The method produces a tamperproof timestamp on a majority basis and is suitable for dating and protocolling in the field of automation and IoT.
    Type: Grant
    Filed: June 27, 2018
    Date of Patent: December 21, 2021
    Inventors: Hans Aschauer, Steffen Fries, Dominik Merli
  • Patent number: 11201733
    Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.
    Type: Grant
    Filed: September 15, 2017
    Date of Patent: December 14, 2021
    Inventors: Steffen Fries, Rainer Falk
  • Publication number: 20210377046
    Abstract: Method, system, transmitter, and receiver for authenticating a transmitter. The authentication is performed using an asymmetric key pair and using a digital signature.
    Type: Application
    Filed: May 29, 2021
    Publication date: December 2, 2021
    Inventors: Steffen Fries, Andreas Güttinger, Marco Lambio
  • Patent number: 11177952
    Abstract: A method for the disclosure of at least one cryptographic key used for encrypting at least one communication connection between a first communication subscriber and a second communication subscriber in which, in a publish-subscriber server, at least one of the communication subscribers logs on as a publishing unit and at least one monitoring device logs on as a subscribing unit, and in a subsequent negotiation of a cryptographic key by the publishing unit, automatically the negotiated cryptographic key is supplied from the publishing unit to the publish-subscribe server, the negotiated cryptographic key is transmitted from the publish-subscribe server to the at least one subscribing unit, and the encrypted communication connection from the subscribing unit is decrypted using the cryptographic key is provided. The following also relates to a corresponding system.
    Type: Grant
    Filed: January 16, 2019
    Date of Patent: November 16, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Steffen Fries, Rainer Falk
  • Publication number: 20210351940
    Abstract: An issuing device is configured to: respond to a challenge request by transmitting a challenge; and respond to a certification request including a public key and ownership information thereof by issuing a digital certificate certifying the ownership information. The ownership information includes counterparty identity information relating to a ledger of a distributed database. The digital certificate is issued if it is successfully verified that a valid response to the challenge has been posted to the ledger of the distributed database and is associated therein with the counterparty identity information of the certification request. The digital certificate facilitates proofing that an owner of a public key is a given counterparty to a blockchain ledger. Also, a corresponding requesting device and corresponding methods and computer program products for issuing and requesting a digital certificate are disclosed.
    Type: Application
    Filed: October 7, 2019
    Publication date: November 11, 2021
    Inventors: Hans Aschauer, Fabrizio De Santis, Steffen Fries
  • Patent number: 11171922
    Abstract: A VPN box is connected upstream of a field device. The VPN box uses a secret cryptographic key of the field device for authentication when setting up a VPN tunnel and/or when setting up a cryptographically protected communication link.
    Type: Grant
    Filed: September 5, 2011
    Date of Patent: November 9, 2021
    Assignee: Siemens Mobility GmbH
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11159492
    Abstract: An apparatus for adapting authorization information for a terminal is provided. The apparatus has a communication unit for communicating with the terminal, the communication unit being configured to carry out the communication as a test communication using an encryption protocol, a checking unit for checking a configuration of the encryption protocol on the terminal, and a control unit for adapting the authorization information for the terminal on the basis of a result of the check. A corresponding method for adapting authorization information for a terminal is also proposed. The proposed apparatus makes it possible to check the options supported by a terminal in an encryption protocol. In this case, the check can be carried out, in particular, using an encrypted communication connection which could not be monitored by a firewall.
    Type: Grant
    Filed: November 14, 2016
    Date of Patent: October 26, 2021
    Assignee: SIEMENS AKTIENGESELLSCHAFT
    Inventors: Rainer Falk, Steffen Fries
  • Publication number: 20210314775
    Abstract: Provided is a method for setting up access authorization for a subscriber apparatus to access a subnetwork of a mobile radio network, wherein the subnetwork is administrated by a mobile radio administration apparatus and the access authorization for the subscriber apparatus to access the subnetwork is checked by an access apparatus of the mobile radio network, wherein—access authorization to access the subnetwork is requested for the subscriber apparatus from the mobile radio administration apparatus by a local administration apparatus,—a subnetwork authorization token is assigned to the subscriber apparatus by the mobile radio administration apparatus and transmitted to the subscriber apparatus, wherein the subscriber apparatus is authorized to access the subnetwork only if the subnetwork authorization token is transmitted from the subscriber apparatus to the subnetwork during an access request and is confirmed as valid.
    Type: Application
    Filed: June 5, 2019
    Publication date: October 7, 2021
    Inventors: Rainer Falk, Steffen Fries, Joachim Walewski