Abstract: A method for setting up a communication channel for exchanging data between a server device and a client device is provided. The method includes: transmitting authentication information from an issuer device to the client device; transmitting the authentication information from the client device to the server device in a cryptographic security protocol, in particular in a TLS handshake protocol; authenticating the client device by means of the server device depending on the received authentication information; and setting up the communication channel between the server device and the authenticated client device by means of the cryptographic security protocol. The authentication of the client device can be carried out in the context of setting up the communication channel. In this case, the communication channel is established by means of the cryptographic security protocol.

Abstract: Provided is an arrangement for monitoring, a monitoring device and intermediary device and method for monitoring an encrypted connection between a client and an access point in a network, wherein—an Extensible Authentication Protocol is used for access authentication of the client to the network on an authentication server, and—a transport layer security protocol having a key disclosure function is executed within the Extensible Authentication Protocol, in which security information for the cryptographic protection of the connection is provided to an intermediary device and is transmitted from the intermediary device to a monitoring device for monitoring the connection. Also provided is a computer program product of the same.

Abstract: Provided is a transmission device for feedback-free unidirectional transmission of data from a first network zone into a second network zone for evaluation at a remote application server, containing: a data export device which is arranged in the first network zone and is designed to detect the data transmitted in a network data format in the first network zone and to transform the data from the network data format into a transport data format, a unidirectional data transmission unit, which is designed to transmit the data in the transport data format into the second network zone unidirectionally, a data import device which is designed to transform the data from the transport data format back into the network data format and to transmit the data to an application server, wherein the data import device and the application server are arranged in a second network zone remote from the first zone.

Abstract: A method for verifying an execution environment provided by a configurable hardware module, where the execution environment is used for execution of at least one hardware-application, includes receiving a hardware-application 16. The hardware-application includes configuration data describing an instantiation as a hardware-application component on the configurable hardware module. A received hardware-application is instantiated as the hardware-application component in the execution environment. The execution environment of the configurable hardware module that executes the hardware-application component in the respective execution environment is analyzed by an instantiated hardware-application component. The hardware application component communicates with a characterizing unit providing characterizing parameters for the execution environment of the configurable hardware module.

Abstract: A method for key management in a field-programmable integrated part of an integrated circuit is disclosed herein. According to the method, a hardware configuration for the field-programmable integrated part is loaded into the field-programmable integrated part. The hardware configuration includes a key derivation functionality. Further, using the key derivation functionality, a cryptographic key is derived based on information provided in the field-programmable integrated part.

Abstract: A die arrangement and a method of monitoring the same are provided. The die arrangement includes a plurality of dies and a physical interconnection structure extending between and traversing the plurality of dies. The physical interconnection structure is arranged for imparting unpredictable, yet reproducible properties to a digital signal being carried on the physical interconnection structure. The die arrangement further includes a monitoring logic for monitoring the properties of the digital signal. This enables detection of tampering of topological arrangements of semiconductor dies to one another.

Abstract: Various embodiments of the teachings herein include a method for issuing a cryptographically protected certificate of authenticity for a user comprising: providing a public user key; providing a public client key for a client, the public client key assigned to the user; forming a request including the public user key, wherein the public user key is protected with the aid of a private client key assigned to the provided public client key; and issuing a cryptographically protected certificate of authenticity containing the public user key and identifying the client. The cryptographically protected certificate of authenticity contains or references a cryptographic client identifier formed depending at least in part on the public client key.

Abstract: Incoming and outgoing communication of a hardware-application component is monitored and controlled at runtime of the hardware-application component. In this way, a kind of firewall is provided for ensuring secure and un-altered operation of a hardware-application performing security-critical functionalities on a field-programmable gate array. The hardware-application component may interact with other components directly and/or via an on-chip bus. The monitoring of incoming and/or outgoing communication is particularly advantageous when using third party hardware-applications or software applications, i.e., applications developed by untrusted parties. Another advantage is the possibility of monitoring and controlling all the communication between hardware-applications, hardware- and software applications, hardware-applications and peripherals, IO controllers, etc.

Abstract: A method for granting access to objects by entities in a computerized system includes: providing an access control list (ACL) specifying for each object access rights to the objects of the computerized system; assigning a capability requirement information to at least one of the objects in the ACL; assigning a capability information to at least one entity of the entities in the computerized system; requesting access to an object by an entity; checking if the requesting entity has an access right in accordance with the ACL; and granting access to the requested object by the requesting entity only when the capability information assigned to the requesting entity matches with the capability requirement information assigned to the requested object. The combination of an ACL based access to files with capabilities improves the security of the system.

Abstract: Provided is an apparatus (TFDC) for operating a software-configured processing unit (SDS) for a device, in particular a field device (TFD), wherein the apparatus, according to a prescribed and/or prescribable architecture, includes at least one processor (CPU) and a number of hardware units, having: a security unit (IOS; MS) configured to cause a change in the arrangement of the data bit sequence of at least one data stream provided and/or routed to the processing unit (SDS) to protect the hardware units from manipulation. The processing unit is trustworthy, i.e., is protected from manipulation and attack from the outside. The data stream arrives at the device. A “number” here and above denotes a number of one or more.

Abstract: Provided is a method for transmitting data packets over a network from a sender to a receiver via a communication link consisting of at least one transmission section, via which the data packet is transmitted from a sender node to a receiver node, the method having the following steps for at least one transmission section: first security information, which includes information about a cryptographic protective function used in the transmission of the data packet via an adjacent transmission section, is assigned to the data packet by the sender node, the data packet having the assigned security information is transmitted to the receiver node of the transmission section, the security information is checked in the receiver node against a preset guideline, and at least one measure is provided in accordance with the result of the check.

Abstract: Provided a method for configuring a security module with at least one derived key, having the following steps: providing a key; deriving a further key from the provided key or from a key previously derived from the provided key, wherein the further key is derived by using an alterable digital fingerprint as key derivation parameter, which is formed on the basis of a measurable current runtime configuration of a runtime environment communicating with the security module.

Abstract: The proposal relates to a method for transmitting data in a network (NW) comprising a plurality M of communication apparatuses, with M?2, wherein the plurality M comprises a first communication apparatus (20) and a second communication apparatus (30), which are connected via a network connection section (NVA) for the purpose of transmitting data, having the steps of: a) ascertaining a time-of-flight property of data transmitted between the first communication apparatus (20) and the second communication apparatus (30) via the network connection section (NVA) by means of the first communication apparatus (20) and the second communication apparatus (30) in each case, b) deriving a secret by means of the first communication apparatus (20) and the second communication apparatus (30) in each case, by using the respective ascertained time-of-flight property, and c) transmitting a message protected by means of the derived secret between the first and second communication apparatuses (20, 30).

Abstract: Provided is a method for setting up access authorization for a subscriber apparatus to access a subnetwork of a mobile radio network, wherein the subnetwork is administrated by a mobile radio administration apparatus and the access authorization for the subscriber apparatus to access the subnetwork is checked by an access apparatus of the mobile radio network, wherein—access authorization to access the subnetwork is requested for the subscriber apparatus from the mobile radio administration apparatus by a local administration apparatus,—a subnetwork authorization token is assigned to the subscriber apparatus by the mobile radio administration apparatus and transmitted to the subscriber apparatus, wherein the subscriber apparatus is authorized to access the subnetwork only if the subnetwork authorization token is transmitted from the subscriber apparatus to the subnetwork during an access request and is confirmed as valid.

Abstract: A programmable hardware security module, a method for securing a private key of a cryptographic key pair, and a method for securely providing a private key of a cryptographic key pair on a programmable hardware security module, wherein with the described devices and methods, a decentralised PKI is built, via which device keys and device certificates can be generated and target devices can be provided securely, where in this regard, the key-pair-specific transport key plays a central role in protecting the generated private key that is to be transferred, and where this is linked to the particular key pair intended for a target device via a key derivation from a master key utilizing a key-pair-specific derivation parameter.

Abstract: A method for providing messages which can be authenticated is provided. The method has a step of determining a repeating message content of the messages, a step of calculating sub-authentication codes for the messages using the repeating message content, wherein a first authentication code can be calculated for at least some of the messages from at least one part of the sub-authentication code in order to authenticate the repeating message content, and a step of providing the messages, wherein the messages contain the repeating message content and at least one respective sub-authentication code of the sub-authentication codes.

Abstract: A method for validating a digital user certificate of a user by a checking device is provided. The user certificate is protected by a digital signature with an issuer key of an issuance location which issues the user certificate. The method has the steps of: receiving the user certificate in the checking device, checking the user certificate using a certificate path positive list with at least one valid certificate path which is provided to the checking device by at least one positive path server, and confirming the validity of the user certificate if the issuer key of the user certificate can be traced back to a root certificate according to one of the valid certificate paths of the certificate path positive list. Also provided is a system, a checking device, a user device, a positive path server, and a computer program product which are designed to carry out the method for validating a digital user certificate.

Abstract: Provided is a method for proving authenticity of a device with the aid of a proof of authorization of the device, wherein the proof of authorization is provided in a first step and the integrity of identity details of the proof of authorization can be checked on the basis of a digital signature of a proof of authorization issuer, and wherein the proof of authorization has an item of hardware authentication information, and affiliation of the proof of authorization to the device is proved in a second step by means of a hardware secret of the device associated with the hardware authentication information. Two-factor authentication is therefore enabled, which authentication ties authentication of the device, in particular, to the fact that a hardware-specific secret is used for the check.

Abstract: A one-way coupling device for the feedback-free transmission of data from the first network with high security requirements into a second network with low security requirements, containing a request unit, an eavesdropping unit and a receiving unit, wherein the request unit is formed so as to provide a first communication link within the first network to at least one device and, moreover, to request first data from the at least one device and then to transmit the first data via a second communication link on a separate line loop of the request unit, and the eavesdropping unit, which is formed so as to eavesdrop on data on the separate line loop and to transmit data to a receiving unit which is arranged in the second network. Also, a corresponding request unit, a corresponding method and a corresponding computer program product is also provided.

Abstract: Provided is a method for transferring data in a topic-based publish-subscribe system, including a key distribution server and a number of local client systems that can be coupled to the key distribution server, including: providing a group key by the key distribution server for a group selected from the local client systems, locally deriving a first-order sub-group key for a first-order subgroup of the group by key derivation parameters at least comprising the provided group key and a certain topic of the publish-subscribe system by means of the particular client system of the first-order sub-group, and transferring at least one message cryptographically protected by the derived first-order sub-group key between the client systems of the first-order sub-group. Differentiation within group communication according to topic by specific cryptographic keys is thereby enabled.