Patents by Inventor Rainer Falk

Rainer Falk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11657183
    Abstract: A method for providing restricted access to hardware component interfaces of a network device by one or more software components of the network device, wherein an access to a hardware component interface requested by a software component is permitted by a mandatory access control, MAC, mechanism implemented as part of the network device's operating system on the basis of a MAC security policy including access rights defined as access relations between software component security labels assigned to software component types and hardware component interface security labels assigned to hardware component interface types.
    Type: Grant
    Filed: October 18, 2018
    Date of Patent: May 23, 2023
    Inventors: Rainer Falk, Christian Peter Feist, Johannes Zwanzger
  • Patent number: 11609996
    Abstract: An object of the disclosure is to simplify security enhancements based on trusted computing. For this, a first data processing apparatus configured to operate in accordance with one or more platform configurations is provided. The first data processing apparatus includes an attestation processor, a network interface, and a data storage device for storing validation data. The attestation processor is configured to establish attestation data that is indicative of a current platform configuration. The validation data facilitates a validity check of integrity data, which includes the attestation data. The first data processing apparatus is configured to provide the integrity and validation data.
    Type: Grant
    Filed: April 12, 2019
    Date of Patent: March 21, 2023
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20230051229
    Abstract: A transmission device for transmitting data between a real first network and a real second network is provided. The transmission device has a first network port for coupling to the real first network and a second network port for coupling to the real second network and also comprises: a simulation unit which is connected to the first network port and which is configured to receive network-specific data from the real first network via the first network port, to provide, in accordance with the received network-specific data, a virtual simulation network of the real first network, and to prepare the provided virtual simulation network, via the second network port, for access to the provided virtual simulation network by the real second network. The transmission device provided allows an attacker to be deliberately deceived, which increases security against attempts to access the real first network from the real second network.
    Type: Application
    Filed: December 10, 2020
    Publication date: February 16, 2023
    Inventors: Rainer Falk, Christina Otto, Heiko Patzlaff, Martin Wimmer
  • Publication number: 20230030504
    Abstract: A transmission device for transmitting data between a first network and a second network is provided. The transmission device includes a first network port for coupling to the first network and a second network port for coupling to the second network, and the transmission device further includes: a first detection unit which is connected to the first network port and is configured to receive data transmitted by the first network via the first network port and to detect anomalies with respect to the received data, and a second detection unit which is connected to the second network port and is configured to receive data transmitted by the second network via the second network port and to detect anomalies with respect to the received data. The provided transmission device leads to an optimized detection of anomalies in the first and the second network, thereby increasing security during data transmission between the first and the second network.
    Type: Application
    Filed: December 10, 2020
    Publication date: February 2, 2023
    Inventors: Rainer Falk, Christina Otto, Heiko Patzlaff, Martin Wimmer
  • Publication number: 20230014846
    Abstract: Various embodiments of the teachings herein include an integrity monitoring system for runtime integrity monitoring of a control device connected to sensors and/or actuators and comprising an automation device for collecting operating state data of the control device. The system may include an integrity monitoring unit detachably connectable directly to the control device to monitor the integrity status of the control device on the basis of operating state data transferred from the automation device to the integrity monitoring unit.
    Type: Application
    Filed: October 22, 2020
    Publication date: January 19, 2023
    Applicant: Siemens Aktiengesellschaft
    Inventors: Rainer Falk, Christian Peter Feist, Steffen Fries, Axel Pfau, Stefan Pyka, Daniel Schneider, Franz Sperl
  • Patent number: 11556660
    Abstract: Provided is a method for erasing security-relevant information in a device, having the method steps of: ascertaining at least one movement parameter of the device over time, monitoring the ascertained movement parameters over time on the basis of at least one prescribed movement pattern, and triggering an erase process for the security-relevant information if the ascertained movement parameter over time is consistent with the at least one prescribed movement pattern. An apparatus and a computer program product for carrying out the method to ensure that security-relevant data of the device are erased reliably and completely even in the event of an accident or another unforeseen event are also provided.
    Type: Grant
    Filed: April 13, 2017
    Date of Patent: January 17, 2023
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20220417749
    Abstract: A method reconfigures an IoT device which is connectable to a cloud backend. The method includes: storing an access code that is input locally in the cloud backend and storing the access code or check information formed on the basis thereof on the IoT device. The method further includes reconfiguring the IoT device, requesting the access code from the cloud backend, inputting the requested access code on a local configuration interface of the IoT device or on an input device connected to the local configuration interface of the IoT device, and comparing the input access code against the access code stored on the IoT device, or the check information formed on the basis thereof. The IoT device is enabled for reconfiguration upon a positive comparison of the input access code against the access code stored, or the check information formed on the basis thereof.
    Type: Application
    Filed: October 26, 2020
    Publication date: December 29, 2022
    Inventors: Rainer Falk, Felix Nagel, Christian Winter
  • Publication number: 20220417268
    Abstract: A transmission device for transmitting data between a first network and a second network includes: a first unidirectional transmission unit which is coupled to the first network and is configured to exclusively receive data transmitted from the first network to the transmission device, a second unidirectional transmission unit which is coupled to the second network and is configured to exclusively send data from the transmission device to the second network, and an identification unit which is located between the first unidirectional unit and the second unidirectional unit and which is configured to receive the data received by the first unidirectional transmission unit and to identify anomalies in the received data. The provided transmission device achieves the reliable, optimized identification of anomalies in the first network and increases security in the identification unit against manipulation and against attacks or intrusion attempts from the second network.
    Type: Application
    Filed: December 1, 2020
    Publication date: December 29, 2022
    Inventors: Christina Otto, Heiko Patzlaff, Martin Wimmer, Rainer Falk, David Hingos, Omer Metel, Leandro Pfleger de Aguiar
  • Patent number: 11533165
    Abstract: Signal, data transmission, and/or encryption units generating a cryptographic code using a cryptographic key before writing to a pseudorandom noise buffer memory. The PRN code generator comprises a first processor generating a PRN code from initial data using a cryptographic key. A second processor generates sections of the PRN code for integrity check purposes through computation using the same cryptographic key and initial data. Within the PRN code generator and before temporary storage of the PRN code in the buffer memory, there is a comparison device for comparing at least one duplicated section of the PRN code sequence cryptographically generated by the first processor with the section computed by the second processor. A blocking, stop and/or alarm function is activated in the comparison device and triggered on the basis of a predefined degree of matching between the section obtained through duplication and the computed section.
    Type: Grant
    Filed: January 14, 2021
    Date of Patent: December 20, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20220368680
    Abstract: A detection device which is suitable for receiving a service within a network assembly is provided, having the following: means for providing cryptographic security at or above the transport level of the communication protocol levels which can be used in the network assembly for at least one first existing communication connection between the detection device and a network access device which is arranged in the network assembly and which can be used to monitor data detected by the detection device and/or control an additional device within the network assembly using the data detected by the detection device, means for generating and/or determining network access configuration data for at least one additional second communication connection, which is to be cryptographically secured below the transport level, between the detection device and the network access device, means for providing the generated and/or determined network access configuration data to the network access device.
    Type: Application
    Filed: July 27, 2022
    Publication date: November 17, 2022
    Inventors: Rainer Falk, Steffen Fries
  • Patent number: 11477175
    Abstract: A method for the cryptographically protected unidirectional data transmission of payload data, wherein one or more data packets including the payload data are transmitted on an end-to-end data transmission link from a first communication unit in a first network via a one-way communication unit, which is arranged between the first network and a second network, to a second communication unit in the second network, is provided.
    Type: Grant
    Filed: July 15, 2020
    Date of Patent: October 18, 2022
    Assignee: Siemens Mobility GmbH
    Inventors: Rainer Falk, Stefan Seltzsam, Hermann Seuschek, Martin Wimmer
  • Patent number: 11461160
    Abstract: A method and a device for a reaction-free and integrity-protected synchronization of log data between at least one first network and a second network are provided. The log data is copied by means of a monitoring device upon being transmitted from devices to a first log server in the first network. Metadata of the log data is additionally generated in a first managing unit, the metadata including time information, integrity information, origin information, and/or completeness information. The copied log data and the corresponding metadata are transmitted to the second network via a unidirectional coupling unit in a reaction-free manner. The log data is checked and ordered chronologically in the second network using the metadata. Thus, a synchronized copy of the log data from the first network is promptly provided in the second network.
    Type: Grant
    Filed: September 27, 2018
    Date of Patent: October 4, 2022
    Inventors: Rainer Falk, Matthias Seifert, Martin Wimmer
  • Patent number: 11456879
    Abstract: Provided is a method for secure processing of an authorization verification request from a unit requesting authorization verification, the authorization verification request being included in a transaction of a block chain, wherein a registration entity performs a check on a block chain data structure and on the transaction protected by the block chain and, in the event of a successful check, forwards the authorization verification request to a certification entity. The authorization verification request is included in a transaction and the registration entity performs a check on a block chain data structure and on the transaction. The transaction and the authorization verification request are protected by the block chain. In particular, the authorization verification request can no longer be altered retrospectively and information that has been transmitted to the registration entity within the context of the authorization verification request is stored in the block chain and protected against manipulation.
    Type: Grant
    Filed: July 4, 2017
    Date of Patent: September 27, 2022
    Inventor: Rainer Falk
  • Publication number: 20220279038
    Abstract: Provided is a network adapter for unidirectional transmission of a user data stream to a bidirectional network interface, the network adapter including: a first connection unit which is physically connected to a bidirectional network interface of a first device; a second connection unit which is physically connected to a bidirectional network interface of a second device; and a terminating unit which has at least one bit transmission module and which is designed to establish a bidirectional data link to the network interface of the first device, to receive the user data stream from the first device exclusively in a unidirectional fashion via the data link, and not to send a user data stream to the first device.
    Type: Application
    Filed: July 24, 2020
    Publication date: September 1, 2022
    Inventors: Rainer Falk, Stefan Seltzsam, Hermann Seuschek, Martin Wimmer
  • Patent number: 11432156
    Abstract: A security unit which is suitable for a device, in particular an IoT device, for running one or more applications for a secure data exchange with one or more servers which provide web services is provided. The security unit is designed with the following: means for imaging original data onto corresponding replacement data and/or vice versa, wherein the original and/or replacement data forms a respective original and/or replacement key and/or can be used to form same; means for detecting a replacement key which is supplied by an application being run and which corresponds to an original key; and means for providing a required original key which corresponds to the replacement key using the imaging means in order to allow the original key to be used for the secure data exchange with the server.
    Type: Grant
    Filed: December 19, 2017
    Date of Patent: August 30, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20220263650
    Abstract: A method for establishing a secure data communication based on a cryptographic key is provided. The method includes submitting a cryptographic key request to a trust module. A digital signature is verified based on a public key assigned to the processing device. An internal cryptographic key is generated based on the public key assigned to the processing device and a secret key assigned to the trust module. The cryptographic key is generated based on the internal cryptographic key and a key identifier of the processing device. The cryptographic key is encrypted using the public key assigned to the processing device. The encrypted cryptographic key is transmitted to the processing device. The trust module is implemented as a stateless Lambda trust anchor.
    Type: Application
    Filed: April 23, 2020
    Publication date: August 18, 2022
    Inventor: Rainer Falk
  • Patent number: 11411916
    Abstract: Provided is a computer-implemented method and a transmission apparatus for transmitting data between a first network and a second network having high and low security requirements, wherein a first session is set up between the first and second networks, a first data packet is transmitted from a transmitting unit in the first network via a first one-way communication unit to a receiving unit in the second network, and a second session is set up and a second data packet is transmitted from a transmitting unit in the second network via a second one-way communication unit to a validation unit, the second data packet is validated in the validation unit based on a prescribed rule, positive validation of the second data packet results in a third session being set up, and the second data packet is transmitted from the validation unit to a receiving unit in the first network.
    Type: Grant
    Filed: March 12, 2020
    Date of Patent: August 9, 2022
    Inventors: Christian Bauer, Rainer Falk, Matthias Seifert, Martin Wimmer
  • Patent number: 11403406
    Abstract: A method for computer-aided testing and confirmation of at least one system state of a first system by a confirmation device is provided. After the testing of a first item of integrity information, which is provided by the first system, the confirmation device provides a second, combined item of integrity information and confirms the same cryptographically. The second item of integrity information includes at least part of the first item of integrity information and can be transmitted to a second system, in order to confirm the integrity of the first system to the latter. A confirmation device, a first system, a second system and a computer program product for carrying out the steps of the method are also provided.
    Type: Grant
    Filed: October 26, 2018
    Date of Patent: August 2, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventor: Rainer Falk
  • Publication number: 20220232380
    Abstract: Provided is a method for configuring a wireless connection between a mobile wireless terminal and a mobile wireless network, in which the mobile wireless network contains at least one first subnetwork, which is accessible with a credential of at least a first type, and contains at least one second subnetwork, which is accessible with a credential of at least a second type, and a first wireless connection to a first subnetwork and a second wireless connection to a second subnetwork have different wireless transmission parameters. In the event of a request for access by the mobile wireless terminal to a selected subnetwork: a predetermined credential is determined for the request for access to the selected subnetwork, the type of the predetermined credential is determined, and at least one wireless transmission parameter is selected and activated depending on the determined type of the predetermined credential.
    Type: Application
    Filed: April 24, 2020
    Publication date: July 21, 2022
    Inventor: Rainer Falk
  • Patent number: 11394747
    Abstract: A method for setting up a communication channel for exchanging data between a server device and a client device is provided. The method includes: transmitting authentication information from an issuer device to the client device; transmitting the authentication information from the client device to the server device in a cryptographic security protocol, in particular in a TLS handshake protocol; authenticating the client device by means of the server device depending on the received authentication information; and setting up the communication channel between the server device and the authenticated client device by means of the cryptographic security protocol. The authentication of the client device can be carried out in the context of setting up the communication channel. In this case, the communication channel is established by means of the cryptographic security protocol.
    Type: Grant
    Filed: July 18, 2018
    Date of Patent: July 19, 2022
    Assignee: Siemens Aktiengesellschaft
    Inventors: Steffen Fries, Rainer Falk