Patents by Inventor Yingfang Fu

Yingfang Fu has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20180359099
    Abstract: One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.
    Type: Application
    Filed: December 19, 2017
    Publication date: December 13, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Patent number: 10103880
    Abstract: One embodiment described herein provides a system and method for negotiating quantum data keys between first and second entities. During operation, the system performs a mutual authentication between the first and second entities. In response to the mutual authentication succeeding, the first entity receives one or more sets of key-generation parameters from the second entity. In response to validating the sets of key-generation parameters, the first entity sends an acknowledgment message to the second entity, and extracts, from a quantum string shared between the first and second entities, one or more quantum data keys based on the key-generation parameters. A respective quantum data key comprises a number of bits extracted from the quantum string.
    Type: Grant
    Filed: September 27, 2017
    Date of Patent: October 16, 2018
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventor: Yingfang Fu
  • Patent number: 10104061
    Abstract: A method and an apparatus for distinguishing humans from computers and for controlling access to network services. One intended application of the method is a CAPTCHA technique, deployed using a shared Trusted Computing technology over a trusted network of a user terminal, a network server, and a Trusted Party, any of which may be at a Decision Point. The method distinguishes a human user making a legitimate request for network access from a programmed computer making undesired requests, by detecting unusually high network access request frequencies made by an identifiable user and/or a trusted module from the user terminal. The CAPTCHA function is further used to improve the method for controlling access to network services. The information transmitted between the members of the trusted network may be encrypted.
    Type: Grant
    Filed: May 17, 2017
    Date of Patent: October 16, 2018
    Assignee: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Yudong Zhang, Qian Zhang
  • Publication number: 20180287792
    Abstract: One embodiment described herein provides a system and method for facilitating user access to encryption keys stored within a hardware module. During operation, a server coupled to the hardware module receives a key request from the user, the key request comprising a user identifier and a key identifier. The server receives a voice message from the user, extracts voice features from a voiceprint associated with the received voice message, looks up voice features stored within the hardware module based on the user identifier, and compares the extracted voice features with the voice features stored within the hardware module. In response to the extracted voice features matching the stored voice features, the server retrieves from the hardware module an encryption key based on the user identifier and the key identifier.
    Type: Application
    Filed: February 22, 2018
    Publication date: October 4, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Publication number: 20180241549
    Abstract: The disclosure provides a key generation method and apparatus. The key generation method comprises: encrypting a first key factor generated by a first device with an initial key, and sending the encrypted first key factor to a second device through a first secure channel, wherein the initial key is a key preset for the first device and the second device; receiving, through the first secure channel, a second key factor encrypted with the initial key, wherein the second key factor is generated by the second device; decrypting the second key factor encrypted with the initial key and received through the first secure channel, so as to obtain the second key factor; and generating a shared key between the first device and the second device according to the first key factor and the second key factor.
    Type: Application
    Filed: August 16, 2016
    Publication date: August 23, 2018
    Inventors: Qing AN, Yingfang FU
  • Publication number: 20180234255
    Abstract: One embodiment described herein provides a system and method for secure attestation. During operation, a Trusted Platform Module (TPM) of a trusted platform receives a request for an attestation key from an application module configured to run an application on the trusted platform. The request comprises a first nonce generated by the application module. The TPM computes an attestation public/private key pair based on the first nonce and a second nonce, which is generated by the TPM, computes TPM identity information based on a unique identifier of the TPM and attestation key, and transmits a public key of the attestation public/private key pair and the TPM identity information to the application module, thereby enabling the application module to verify the public key of the attestation public/private key pair based on the TPM identity information.
    Type: Application
    Filed: December 19, 2017
    Publication date: August 16, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Patent number: 10050781
    Abstract: Embodiments of the present application provide apparatus and methods for generating a shared key, including setting up a key negotiation connection, and determining an algorithm code by negotiating using the key negotiation connection. An algorithm corresponding to the algorithm code is retrieved from a pre-stored algorithm library, and a pre-stored seed key is calculated using the algorithm to obtain a shared key. Compared with traditional key generation methods, embodiments of the present invention avoid the problem of a high bit error rate that occurs in the traditional quantum key generation methods, especially quantum key generation methods. One exemplary method determines an algorithm code through negotiation, retrieves a pre-stored algorithm corresponding to the algorithm code, and generates a new shared key using a seed key.
    Type: Grant
    Filed: August 19, 2016
    Date of Patent: August 14, 2018
    Assignee: Alibaba Group Holding Limited
    Inventors: Peng Yuan, Yingfang Fu, Shaojie Liu, Zhiqiang Wang
  • Patent number: 10038554
    Abstract: An identity authentication method for a quantum key distribution process includes selecting, by a sender, preparation bases of an identity authentication bit string in accordance with a preset basis vector selection rule; sending, by a sender, quantum states of the identity authentication bit string and quantum states of a randomly generated key bit string by using different wavelengths. The identity authentication bit string is interleaved in the key bit string at a random position and with a random length.
    Type: Grant
    Filed: February 5, 2016
    Date of Patent: July 31, 2018
    Assignee: ALIBABA GROUP HOLDING LIMITED
    Inventors: Yingfang Fu, Shuanlin Liu
  • Publication number: 20180131688
    Abstract: Disclosed herein are methods, apparatuses, and systems for remotely accessing cloud applications. In one embodiment, the method comprises receiving an access request of a requester, sent by a cloud server, requesting being accessed by a controlling party; establishing a secure channel with the cloud server based on the access request of the requester, sent by the cloud server, requesting being accessed by the controlling party; receiving, via the secure channel, a login key generated based on the access request of the requester sent by the cloud server; generating, based on the login key, a login request for logging into the requester and sending the login request to the cloud server; receiving mode information of a login success returned by the cloud server after the cloud server verifies the login request; and receiving current mode information of the requester pushed by the cloud server, and entering a remote access mode for the requester.
    Type: Application
    Filed: March 21, 2016
    Publication date: May 10, 2018
    Inventors: Qiang FANG, Hongru ZHU, Qing AN, Yingfang FU
  • Publication number: 20180109378
    Abstract: One embodiment described herein provides a system and method for secure data storage. During operation, a client device selects a quantum data key from a plurality of quantum data keys shared between the client device and a storage server, encrypts to-be-stored data using the selected quantum data key, and transmits a data-storage request to the storage server. The data-storage request comprises a key-identifier of the selected quantum data key and the encrypted data.
    Type: Application
    Filed: September 27, 2017
    Publication date: April 19, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Publication number: 20180109377
    Abstract: One embodiment described herein provides a system and method for ensuring data and computation security. During operation, a server receives a key-negotiation request from a client and authenticates the client. In response to the client authenticating the server, the server negotiates, via a quantum-key-distribution process, a secret key shared between the client and the server; and stores the secret key in a trusted-computing module.
    Type: Application
    Filed: September 27, 2017
    Publication date: April 19, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Publication number: 20180109372
    Abstract: One embodiment described herein provides a system and method for negotiating quantum data keys between first and second entities. During operation, the system performs a mutual authentication between the first and second entities. In response to the mutual authentication succeeding, the first entity receives one or more sets of key-generation parameters from the second entity. In response to validating the sets of key-generation parameters, the first entity sends an acknowledgment message to the second entity, and extracts, from a quantum string shared between the first and second entities, one or more quantum data keys based on the key-generation parameters. A respective quantum data key comprises a number of bits extracted from the quantum string.
    Type: Application
    Filed: September 27, 2017
    Publication date: April 19, 2018
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Publication number: 20170338951
    Abstract: One embodiment described herein provides a system and method for establishing a secure communication channel between a client and a server. During operation, the client generates a service request comprising a first dynamic message, transmits the first service request to the server, which authenticates the client based on the first dynamic message, and receives a second dynamic message from the server in response to the first dynamic message. The client authenticates the server based on the second dynamic message, and negotiates, via a quantum-key-distribution process, a secret key shared between the client and the server. The client and server then establish a secure communication channel based on at least a first portion of the secret key.
    Type: Application
    Filed: May 5, 2017
    Publication date: November 23, 2017
    Applicant: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Shuanlin Liu
  • Publication number: 20170331623
    Abstract: One embodiment provides a system and method for detecting eavesdropping while establishing secure communication between a local node and a remote node. During operation, the local node generates a random key and a regular optical signal based on the random key. The local node also generates a quantum optical signal based on a control sequence and a set of quantum state bases, and multiplexes the regular optical signal and the quantum optical signal to produce a hybrid optical signal. The local node transmits the hybrid optical signal to the remote node, sends information associated with the control sequence and information associated with the set of quantum state bases to the remote node, and receives an eavesdropping-detection result from the remote node based on measurement of the quantum optical signal, the information associated with the control sequence, and the information associated with the set of quantum state bases.
    Type: Application
    Filed: April 26, 2017
    Publication date: November 16, 2017
    Applicant: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Shuanlin Liu
  • Publication number: 20170318010
    Abstract: A method and an apparatus for distinguishing humans from computers and for controlling access to network services. One intended application of the method is a CAPTCHA technique, deployed using a shared Trusted Computing technology over a trusted network of a user terminal, a network server, and a Trusted Party, any of which may be at a Decision Point. The method distinguishes a human user making a legitimate request for network access from a programmed computer making undesired requests, by detecting unusually high network access request frequencies made by an identifiable user and/or a trusted module from the user terminal. The CAPTCHA function is further used to improve the method for controlling access to network services. The information transmitted between the members of the trusted network may be encrypted.
    Type: Application
    Filed: May 17, 2017
    Publication date: November 2, 2017
    Inventors: Yingfang Fu, Yudong Zhang, Qian Zhang
  • Publication number: 20170201516
    Abstract: A terminal identification method, a machine identification code registration method and related system and apparatus are disclosed. After receiving a first request for which signature or certificate verification is to be performed from a terminal, a service network obtains a signature or certificate of a trusted party for a machine identification code identifier of the terminal from the first request, wherein the machine identification code identifier is an identifier allocated by the trusted party to the machine identification code of the terminal. The service network verifies the obtained signature or certificate, and if a verification result indicates legitimacy, identifies the terminal using the machine identification code identifier obtained from the signature or certificate. The present disclosure further provides a trusted party and a method of registering a machine identification code by the trusted party.
    Type: Application
    Filed: March 24, 2017
    Publication date: July 13, 2017
    Inventors: Yingfang Fu, Yudong Zhang, Zhenyuan Zhang, Jian Liu
  • Patent number: 9686269
    Abstract: A method and an apparatus for distinguishing humans from computers and for controlling access to network services. One intended application of the method is a CAPTCHA technique, deployed using a shared Trusted Computing technology over a trusted network of a user terminal, a network server, and a Trusted Party, any of which may be at a Decision Point. The method distinguishes a human user making a legitimate request for network access from a programmed computer making undesired requests, by detecting unusually high network access request frequencies made by an identifiable user and/or a trusted module from the user terminal. The CAPTCHA function is further used to improve the method for controlling access to network services. The information transmitted between the members of the trusted network may be encrypted.
    Type: Grant
    Filed: April 2, 2014
    Date of Patent: June 20, 2017
    Assignee: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Yudong Zhang, Qian Zhang
  • Patent number: 9648008
    Abstract: A terminal identification method, a machine identification code registration method and related system and apparatus are disclosed. After receiving a first request for which signature or certificate verification is to be performed from a terminal, a service network obtains a signature or certificate of a trusted party for a machine identification code identifier of the terminal from the first request, wherein the machine identification code identifier is an identifier allocated by the trusted party to the machine identification code of the terminal. The service network verifies the obtained signature or certificate, and if a verification result indicates legitimacy, identifies the terminal using the machine identification code identifier obtained from the signature or certificate. The present disclosure further provides a trusted party and a method of registering a machine identification code by the trusted party.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: May 9, 2017
    Assignee: Alibaba Group Holding Limited
    Inventors: Yingfang Fu, Yudong Zhang, Zhenyuan Zhang, Jian Liu
  • Publication number: 20170126654
    Abstract: One embodiment described herein provides a client-side process for performing dynamic-password authentication between a client and a server. This client-side process includes the steps of: generating, by the client, a service request comprising a first dynamic message; transmitting the first service request to the server; receiving a second dynamic message from the server in response to the first dynamic message for cross-validating the server; authenticating the second dynamic message to verify the validity of the server. If the validity of the server is verified, the client-side process further includes: generating a third dynamic message based on the second dynamic message; and transmitting the third dynamic message to the server for a final approval of the service request.
    Type: Application
    Filed: October 24, 2016
    Publication date: May 4, 2017
    Applicant: Alibaba Group Holding Limited
    Inventor: Yingfang Fu
  • Publication number: 20170078318
    Abstract: A method and a system of distinguishing between a human and a machine are disclosed. The method includes: when a request for accessing a designated network service is received, recording information of the request, which includes a time of receiving the request and information of an access object that sends the request; computing a statistical value of requests sent by the access object in real time based on a record; and determining the access object to be abnormal when the statistical value of the requests sent by the access object falls outside a predetermined normal range. The disclosed system of distinguishing between a human and a machine includes a recording module, a computation module and a determination module. Identification between humans and machines using the disclosed scheme is difficult to crack and can improve the accuracy rate of human-machine identification.
    Type: Application
    Filed: November 22, 2016
    Publication date: March 16, 2017
    Inventors: Yingfang Fu, Yudong Zhang, Zhenyuan Zhang, Jian Liu