Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: Technologies for attestation techniques, systems, and methods to confirm the integrity of a device for establishing and/or maintaining a trustworthy encrypted network session. An example method can include sending, via a server and using a cryptographic security protocol, a message associated with establishing an encrypted network session; receiving a response from a client device; identifying a level of trust of the client device based on the response; determining whether to perform a next step in the cryptographic security protocol based on the level of trust, wherein the cryptographic security protocol comprises at least one of a Secure Shell (SSH) protocol, a Transport Layer Security (TLS) protocol, a Secure Sockets Layer (SSL) protocol, and an Internet Protocol Security (IPsec) protocol.

Abstract: Systems, methods, and computer-readable media for assessing reliability and trustworthiness of devices operating within a network. A recipient node in a network environment can receive a neighbor discovery (ND) message from an originating node in the network environment that are both implementing a neighbor discovery protocol. Trustworthiness of the originating node can be verified by identifying a level of trust of the originating node based on attestation information for the originating node included in the ND message received at the recipient node. Connectivity with the recipient node through the network environment can be managed based on the level of trust of the originating node identified from the attestation information included in the ND message.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: According to an embodiment, a node comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the node to perform operations. The operations comprise determining security validation information that the node associates with a packet, inserting into the packet an identifier associated with the node and the security validation information that the node associates with the packet, and transmitting the packet comprising the identifier associated with the node and the security validation information that the node associates with the packet. The security validation information comprises one or more proof of security attributes and/or one or more proof of security level attributes.

Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node including network devices and the access control messages can be based on RADIUS or TACACS+ protocols among others. The first node can obtain attestation information from one or more fields of the access control messages determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK ID from the peer to complete authentication of the peer. The PPK ID is received from the peer, and the encrypted COMMON-SEED and PPK ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: According to an embodiment, a node comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the node to perform operations. The operations comprise determining security validation information that the node associates with a packet, inserting into the packet an identifier associated with the node and the security validation information that the node associates with the packet, and transmitting the packet comprising the identifier associated with the node and the security validation information that the node associates with the packet. The security validation information comprises one or more proof of security attributes and/or one or more proof of security level attributes.

Abstract: The present disclosure is directed to systems and methods to address cryptoprocessor hardware scaling limitations, the method including the steps of establishing a communication path between a centralized server and a client device; generating, by the centralized server, a nonce for transmission to the client device, wherein the nonce is associated with an active time interval and corresponds to one of an existing nonce or a new nonce; transmitting the nonce to the client device; receiving a signed attestation result that includes the nonce from the client device, wherein, the signed attestation result comprises a previously-generated signed attestation result if the nonce corresponds to the existing nonce previously received by the client device; and the signed attestation result comprises a new signed attestation result if the nonce corresponds to the existing nonce newly received by the client device or corresponds to the new nonce.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: Systems and methods are provided for quantum-resistant secure key distribution between a peer and an EAP authenticator by using an authentication server. The systems and methods include receiving requests for a COMMON-SEED and a quantum-safe public key from a peer and an EAP authenticator. The COMMON-SEED is encrypted using the quantum-safe public key of the peer and the quantum-safe public key of the EAP authenticator, and the encrypted COMMON-SEED is sent to the peer along with a request for a PPK_ID from the peer to complete authentication of the peer. The PPK_ID is received from the peer, and the encrypted COMMON-SEED and PPK_ID is sent to the EAP authenticator. A quantum-resistant secure channel is established between the peer and the EAP authenticator when the peer and the EAP authenticator share the same COMMON-SEED and the same PPK-ID.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: A verifier peer system transmits a request to an application of another peer system to obtain integrity data of the application. In response to the request, the verifier peer system obtains a response that includes kernel secure boot metrics of the other peer system and integrity data of the application and of any application dependencies. If the verifier peer system determines that the response is valid, the verifier peer system evaluates the integrity data and the kernel secure boot metrics against a set of Known Good Values to determine whether the integrity data and the kernel secure boot metrics are valid. If the integrity data and the kernel secure boot metrics are valid, the verifier peer system determines that the other peer system is trustworthy.

Abstract: A method is provided for quantum-resistant secure key distribution between a peer and an extendible authentication protocol (EAP) authenticator by using an authentication server. The method may include receiving requests for a COMMON-SEED and a McEliece public key from a peer and an EAP authenticator by an authentication server using an EAP method, encrypting the COMMON-SEED using the McEliece public key of the peer and the McEliece public key of the EAP authenticator by the authentication server, and sending the encrypted COMMON-SEED from the authentication server to the peer along with a request for a PPK_ID from the peer using the EAP method to complete authentication of the peer. The method may also include receiving the PPK_ID from the peer using the EAP method, where the PPK_ID is from a key pair consisting of PPK_ID and PPK obtained from a first SKS server in electrical communication with the peer based upon the encrypted COMMON-SEED.

Abstract: The present disclosure is directed to systems and methods to address cryptoprocessor hardware scaling limitations, the method including the steps of establishing a communication path between a centralized server and a client device; generating, by the centralized server, a nonce for transmission to the client device, wherein the nonce is associated with an active time interval and corresponds to one of an existing nonce or a new nonce; transmitting the nonce to the client device; receiving a signed attestation result that includes the nonce from the client device, wherein, the signed attestation result comprises a previously-generated signed attestation result if the nonce corresponds to the existing nonce previously received by the client device; and the signed attestation result comprises a new signed attestation result if the nonce corresponds to the existing nonce newly received by the client device or corresponds to the new nonce.

Abstract: Systems, methods, and computer-readable media are disclosed for measurement of trustworthiness of network devices prior to their configuration and deployment in a network. In one aspect of the present disclosure, a method for pre-configuration of network devices includes receiving, at a dynamic host configuration server, a first request from a network device for configuration data, the configuration data including at least an IP address; sending, by the dynamic host configuration server, a second request to the network device for attestation information; verifying, by the dynamic host configuration server, the network device based on the attestation information; and assigning, by the dynamic host configuration server, the configuration data to the network device upon verifying the network device.

Abstract: Systems, methods, and computer-readable media for discovering trustworthy devices through attestation and authenticating devices through mutual attestation. A relying node in a network environment can receive attestation information from an attester node in the network environment as part of a unidirectional push of information from the attester node according to a unidirectional link layer communication scheme. A trustworthiness of the attester node can be verified by identifying a level of trust of the attester node from the attestation information. Further, network service access of the attester node through the relying node in the network environment can be controlled based on the level of trust of the attester node identified from the attestation information.

Abstract: Systems, methods, and computer-readable media for authenticating access control messages include receiving, at a first node, access control messages from a second node. The first node and the second node including network devices and the access control messages can be based on RADIUS or TACACS+ protocols among others. The first node can obtain attestation information from one or more fields of the access control messages determine whether the second node is authentic and trustworthy based on the attestation information. The first node can also determine reliability or freshness of the access control messages based on the attestation information. The first node can be a server and the second node can be a client, or the first node can be a client and the second node can be a server. The attestation information can include Proof of Integrity based on a hardware fingerprint, device identifier, or Canary Stamp.