Abstract: The present disclosure provides an approach for a blockchain system in which (a) data of past transactions can be removed from the storage of network nodes based on node permissions, and (b) in which data can be made invisible to users based on user-specific or group-specific permissions. The blockchain system stores cryptographic proofs of data on an immutable ledger. The data itself is maintained within the blockchain system such that it can be partially or fully removed, while maintaining the integrity of the ledger.

Abstract: The present disclosure provides an approach for a certificate authority (CA) that is distributed among nodes of a network, such that only a portion of the network nodes are required to sign and issue a digital certificate. Each node of the network includes a partial private key, the partial private key having been obtained by sharding the full private key. The sharding may be performed by a process known in the art, such as Shamir Secret Sharing and Distributed Key Generation. Systems that are inherently distributed may use the techniques herein to create a CA that is not centralized. The techniques herein leverage a database in the form of a distributed blockchain to store issued certificates and status of the certificates.

Abstract: The present disclosure provides an approach for a blockchain system in which (a) data of past transactions can be removed from the storage of network nodes based on node permissions, and (b) in which data can be made invisible to users based on user-specific or group-specific permissions. The blockchain system stores cryptographic proofs of data on an immutable ledger. The data itself is maintained within the blockchain system such that it can be partially or fully removed, while maintaining the integrity of the ledger.

Abstract: The present disclosure provides an approach for a certificate authority (CA) that is distributed among nodes of a network, such that only a portion of the network nodes are required to sign and issue a digital certificate. Each node of the network includes a partial private key, the partial private key having been obtained by sharding the full private key. The sharding may be performed by a process known in the art, such as Shamir Secret Sharing and Distributed Key Generation. Systems that are inherently distributed may use the techniques herein to create a CA that is not centralized. The techniques herein leverage a database in the form of a distributed blockchain to store issued certificates and status of the certificates.

Abstract: The present disclosure provides an approach for a blockchain system in which (a) data of past transactions can be removed from the storage of network nodes based on node permissions, and (b) in which data can be made invisible to users based on user-specific or group-specific permissions. The blockchain system stores cryptographic proofs of data on an immutable ledger. The data itself is maintained within the blockchain system such that it can be partially or fully removed, while maintaining the integrity of the ledger.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Abstract: In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client device in accordance with an authentication protocol, and authenticate the client device based on a comparison of the first form to a value derived from a second form of the password stored in a password database, where the comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client device over the secure connection, authenticate the client device by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client device when the authentication server receives the first form.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: A device may include an authentication server and a server. The authentication server may receive a first form of a password from a client in accordance with an authentication protocol, and authenticate the client based on a comparison of the first form to a value derived from a second form of the password stored in a password database. The comparison fails when the first form is not comparable to a value derived from the second form. The server may establish a secure connection to the client, receive a plain-text password from the client over the secure connection, authenticate the client by comparing a value derived from the plain-text password with a value derived from the second form, and update the password database with a third form of the password that permits the authentication server to successfully authenticate the client when the authentication server receives the first form.

Abstract: In general, techniques are described for provisioning layer two access in computer networks. A network device located in a public network comprising an interface and a control unit may implement the techniques. The interface establishes a session with a mobile device. The control unit requests security state data identifying a security state of the mobile device via the established session. The interface receives a mobile device identifier and the security state data from the mobile device via the session. The mobile device identifier identifies the mobile device. The control unit publishes the security state information to a database such that the security state information is associated with the mobile device identifier.

Abstract: A user device receives a captured image of an encoded identifier, analyzes the encoded identifier via the captured image, and extracts, based on the analysis, network access configuration data from the encoded identifier. The user device provides the network access configuration data to a network access control (NAC) device, and receives, based on the network access configuration data, access to the NAC device. The user device permits the NAC device to inspect the user device via the access to the NAC device, and receives, based on the inspection of the user device, access to a network.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: A device may include a processor to execute a thread. The processor may be further configured to execute a set of wrappers that are called from within the thread to invoke a set of one-shot signal objects to generate delayed signals. Each of the set of wrappers may be configured to detect whether different ones of one-shot signal objects that were invoked from within the thread have generated signals at periodic time intervals, determine a delay to be used for invoking one of the set of one-shot signal objects, and invoke the one of the set of one-shot signal object to generate one of the delayed signals based on the delay when the different ones of one-shot signal objects have generated signals at periodic time intervals. The processor may be further configured to receive the delayed signals generated from the set of one-shot signal objects over a time period.

Abstract: A device receives, from a managed device, endpoint information associated with an unmanaged device connected to the managed device in a network. The device also receives unmanaged device information that partially identifies the unmanaged device, and completely identifies the unmanaged device based on the endpoint information and the unmanaged device information.

Abstract: In general, the invention is directed toward techniques for controlling access to a network or other computing resource in order to slow down the execution of a password attack while providing minimal obstruction to normal network activity. The method includes generating a history of successful network logins, detecting symptoms of a network password attack, and activating countermeasures in response to the detection. The method further includes receiving a valid login request from the user while the countermeasures are activated and analyzing the history of successful network logins to determine whether the valid login request satisfies a match condition. The method further includes granting the user access to the network when the valid login request satisfies the match condition and denying the user access to the network when the valid login request does not satisfy the match condition even though the valid login request contains a valid username and a valid password.