Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.

Abstract: A system, computer-readable storage medium, and method for secure network communication. A first device employs a first secret to establish a stream between the first and a second device. A third key, first ciphertext based on a first key, and hash of the first key are received from the second device by the first. A second key is applied to recover a second secret from the first ciphertext. The third key is encrypted to generate a second ciphertext including a third secret. Fourth and fifth keys are derived based on the first, second, and third secrets. A message authentication code is generated based on the fourth and third keys, first ciphertext, hash of the first key, and second ciphertext. The second ciphertext and message authentication code are transmitted by the first to the second device, and the fifth key is employed by the first device to modify the stream.

Abstract: A system, computer-readable storage medium, and method for secure network communication. A first device employs a first secret to establish a stream between the first and a second device. A third key, first ciphertext based on a first key, and hash of the first key are received from the second device by the first. A second key is applied to recover a second secret from the first ciphertext. The third key is encrypted to generate a second ciphertext including a third secret. Fourth and fifth keys are derived based on the first, second, and third secrets. A message authentication code is generated based on the fourth and third keys, first ciphertext, hash of the first key, and second ciphertext. The second ciphertext and message authentication code are transmitted by the first to the second device, and the fifth key is employed by the first device to modify the stream.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which include a first node having a first node message sequence counter, a second node having a second node message sequence counter, and wherein the second node is configured to synchronize the first node message sequence counter based on the second node message sequence counter.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which may utilize multicast communication protocols to facilitate secure communication among one or more network connected devices. A system for secured messaging may include a network system including a first server, a second server and a first node. Further, the first server is configured to authenticate the first node for secure multicast messaging, and the second server is configured to authenticate the first node for secure multicast messaging.

Abstract: Systems for communicating over a network and between two or more network connected devices. In particular, the disclosure reveals systems which include a first node having a first node message sequence counter, a second node having a second node message sequence counter, and wherein the second node is configured to synchronize the first node message sequence counter based on the second node message sequence counter.

Abstract: A method includes securely booting a device using a bootloader, where the bootloader is digitally signed using a first cryptographic key associated with the bootloader. The method also includes executing one or more kernel or user applications using the device, where the one or more kernel or user applications are digitally signed using one or more second cryptographic keys associated with the one or more kernel or user applications. In addition, the method includes using an in-band channel to update or replace the first cryptographic key.

Abstract: A method includes receiving, from a device, (i) a certificate request for a certification authority and (ii) a first digital certificate. The certificate request is digitally signed by the first device, and the first digital certificate is stored in the device. The method also includes verifying, at the certification authority, the first digital certificate using a second digital certificate of another certification authority. The method further includes verifying a digital signature of the certificate request using the first digital certificate. In addition, the method includes, after verifying the first digital certificate and the digital signature, transmitting a second digital certificate to the device.

Abstract: A method includes verifying that firmware of a device is trusted and contains a root of trust. The method also includes verifying that a protected storage of the device contains a private or secret key associated with a device certificate that is stored in a persistent storage of the device. The method further includes verifying the device certificate of the device using the root of trust. In addition, the method includes, in response to verifying that the protected storage contains the private or secret key associated with the device certificate and verifying the device certificate, determining that the device is a genuine device. The root of trust could include a trusted certificate or a trusted public key.

Abstract: A method includes generating a first encryption key based on a first cryptographic operation performed by cryptographic circuitry and involving a cryptographic key securely stored in a memory of the cryptographic circuitry. The method also includes encrypting data to be protected using the first encryption key and storing the encrypted data on a persistent storage device external to the cryptographic circuitry. The method could also include retrieving the encrypted data from the persistent storage device. The method could further include generating a second encryption key based on a second cryptographic operation performed by the cryptographic circuitry and involving the cryptographic key, where the second encryption key matches the first encryption key. In addition, the method could include decrypting the encrypted data using the second encryption key.

Abstract: A method includes receiving, from a device, (i) a certificate request for a certification authority and (ii) a first digital certificate. The certificate request is digitally signed by the first device, and the first digital certificate is stored in the device. The method also includes verifying, at the certification authority, the first digital certificate using a second digital certificate of another certification authority. The method further includes verifying a digital signature of the certificate request using the first digital certificate. In addition, the method includes, after verifying the first digital certificate and the digital signature, transmitting a second digital certificate to the device.

Abstract: An apparatus includes a first distributed control system (DCS) node. The first DCS includes at least one interface configured to communicate, over a network, with a second DCS node. The first DCS node also includes at least one processing device. The processing device is configured to exchange a security association policy with the second DCS node. The processing device is also configured to exchange public keys with the second DCS node using the security association policy. The processing device is also configured to send a public key of the second DCS node to a field programmable gate array of the first DCS node. The processing device is also configured to receive a shared secret from the field programmable gate array. The processing device is also configured to generate a hash of a message using the shared secret.

Abstract: A method includes verifying that firmware of a device is trusted and contains a root of trust. The method also includes verifying that a protected storage of the device contains a private or secret key associated with a device certificate that is stored in a persistent storage of the device. The method further includes verifying the device certificate of the device using the root of trust. In addition, the method includes, in response to verifying that the protected storage contains the private or secret key associated with the device certificate and verifying the device certificate, determining that the device is a genuine device. The root of trust could include a trusted certificate or a trusted public key.

Abstract: A method includes securely booting a device using a bootloader, where the bootloader is digitally signed using a first cryptographic key associated with the bootloader. The method also includes executing one or more kernel or user applications using the device, where the one or more kernel or user applications are digitally signed using one or more second cryptographic keys associated with the one or more kernel or user applications. In addition, the method includes using an in-band channel to update or replace the first cryptographic key.

Abstract: An apparatus includes a first distributed control system (DCS) node. The first DCS includes at least one interface configured to communicate, over a network, with a second DCS node. The first DCS node also includes at least one processing device. The processing device is configured to exchange a security association policy with the second DCS node. The processing device is also configured to exchange public keys with the second DCS node using the security association policy. The processing device is also configured to send a public key of the second DCS node to a field programmable gate array of the first DCS node. The processing device is also configured to receive a shared secret from the field programmable gate array. The processing device is also configured to generate a hash of a message using the shared secret.

Abstract: Devices, methods, and systems for securing a control system application layer protocol are described herein. One method includes receiving a request at a target device from a controlling device within a session between the controlling device and a target device, securing protocol-defined ALP functions by encapsulating one or more protocol-defined ALP functions within one or more user-defined ALP functions and adding at least authentication data, receiving a plurality of user-defined ALP functions on a target device on a computing device network, and determining whether a controlling device identity or a user of a controlling device is authorized to submit a particular ALP function with particular parameters on the target device.