Abstract: A communication method includes: generating an extremely high-throughput physical layer protocol data unit (EHT PPDU) that comprises a legacy physical layer preamble and a new physical layer preamble, wherein the legacy physical layer preamble comprises a legacy short training field (L-STF), a legacy long training field (L-LTF), a legacy signal (L-SIG) field in turn, and a first field of the new physical layer preamble is a repeat of a field in the legacy physical layer preamble and is modulated by binary phase shift keying (BPSK); and sending the PPDU.

Abstract: Methods, systems, and devices for wireless communication are described. Wireless communications systems may support beamformed transmissions between devices (e.g., to improve coverage range). The beamformed transmissions may depend on discovery and maintenance of receive and transmit beams over which a given device may communicate with another device. Various receive and transmit beams for a given device may be compared using reference signals. As the number of devices attempting to access a cell increases, the number of reference signals to be transmitted may scale proportionally. Large numbers of reference signals may flood time-frequency resources of the system and/or require excessive processing at a mobile device. Scrambling sequences for reference signals may be employed to improve efficiency of resource usage. In aspects, the scrambling sequences may be implicitly determined (e.g., based on resources over which the access request was transmitted).

Abstract: The present disclosure relates to reference signal sending methods, signal detection methods, and apparatus. One example method includes determining an initial seed parameter of a pseudo-random sequence, and generating the pseudo-random sequence based on the initial seed parameter, where the initial seed parameter is determined based on attribute information of a terminal device, determining a cyclic shift value based on the pseudo-random sequence, and determining a reference signal based on the cyclic shift value, and sending the reference signal to a network device.

Abstract: A system, method, and device for ensuring a number of Phase Tracking Reference Signal(s) (PT-RSs) are the same for multiple slots. A wireless transmit/receive unit (WTRU) may receive control information including a number of scheduled resource blocks (RBs) then determine a PT-RS density based on the number of scheduled RBs. The WTRU may determine a RB offset value for the WTRU based on a WTRU-ID modulo the maximum RB offset value, where the maximum value for the RB offset value may be based on at least one of the number of the scheduled RBs and the PT-RS density. The WTRU may then transmit or receive a signal with PT-RS based on the RB offset value.

Abstract: Techniques for signaling dynamic region for PRACH transmission are described. In an aspect, the disclosure describes a method for receiving, at a user equipment (UE), an indication of a number of symbols that the UE is to use when transmitting via a physical random access channel (PRACH), and transmitting, by the UE, via the PRACH over one or more slots based on the number of symbols. In another aspect, the disclosure describes a method for generating, at a network device, an indication of a number of symbols that a UE is to use when transmitting PRACH, transmitting, by the network device, the indication to the UE. A UE and network device configuration as well as apparatuses and computer-readable medium related to these methods are also described.

Abstract: Provided are an information feedback method and apparatus, an information receiving method and apparatus, a device, and a storage medium. The information feedback includes the following: a second node configures a report configuration and sends the report configuration to a first node; the first node receives the report configuration sent by the second node and determines channel state information according to the report configuration, where the channel state information includes a reference signal, and the reference signal satisfies a grouping criterion associated with the report configuration; the channel state information is fed back to the second node through a report instance; and the second node receives the channel state information fed back by the first node through the report instance.

Abstract: A method, performed by a User Equipment (UE), includes receiving, from a cell, configuration signaling configuring the UE with one or more PUCCH resources on an active UL BWP, the one or more PUCCH resources not being configured with PUCCH-SpatialRelationInfo, and the configuration signaling indicating that a default spatial relation behavior for PUSCH transmission scheduled by a DCI format 0_0 is enabled; receiving, from the cell, the DCI format 0_0 on an active DL BWP, the DCI format 0_0 providing scheduling information for a PUSCH; and transmitting the PUSCH according to the default spatial relation behavior which determines a spatial relation with reference to a QCL-TypeD RS corresponding to a QCL assumption of a pre-determined CORESET on the active DL BWP of the cell.

Abstract: Apparatuses, methods, and systems are disclosed for selectively deactivating a bandwidth part. One apparatus includes a transceiver that receives one or more UL BWP configurations and receives a SL BWP configuration. Here, the one or more UL BWP configurations includes an active UL BWP and the SL BWP is associated with a first numerology. The apparatus also includes a processor that identifies a second numerology of an active UL BWP and determines whether the first numerology matches the second numerology. If the first numerology does not match the second numerology, the processor selectively deactivates one of the SL BWP and the active UL BWP.

Abstract: The present disclosure provides a method for determining a channel detection mechanism, a wireless communication device, and a storage medium. The method is applied to a scene where a broadband spectrum on an unlicensed spectrum is employed for transmission. The broadband spectrum includes multiple sub-bands. The method includes: determining a detection mode on the broadband spectrum; determining a channel detection mechanism corresponding to the broadband spectrum based on at least one sub-band in the multiple sub-bands in a case that the detection mode is a broadband detection mode; and determining a channel detection mechanism corresponding to each sub-band based on the sub-band in the multiple sub-bands in a case that the detection mode is a sub-band detection mode.

Abstract: Methods, systems, and devices for wireless communications are described. A user equipment (UE) may receive a configuration for a set of transmission time intervals (TTIs) including at least one TTI to be used for full-duplex communications. The UE may receive control signaling that indicates a frequency domain resource allocation (FDRA) for a physical uplink channel transmission in a first TTI. The UE may determine whether a second TTI is available for transmitting one or more repetitions of the physical uplink channel transmission based on comparing the FDRA to resources allocated to the second TTI. For example, the second TTI may be available if one or more physical resource blocks (PRBs) of the FDRA are non-overlapping in a frequency domain with downlink resources allocated to the second TTI. The UE may transmit the one or more repetitions in the second TTI based on the second TTI being available.

Abstract: Systems and methods for intelligent interference mitigation for time division multiplexing broadband networks. One example embodiments of a wireless base station includes an electronic processor and a transceiver coupled to the electronic processor. The electronic processor is configured to operate to communicate wirelessly via the transceiver with subscriber units utilizing time division duplexing (TDD) and a first frame configuration, and characterize each of a plurality of sub-frames of the first frame configuration as being either conflicting or non-conflicting. The electronic processor is configured to estimate link conditions for the subscriber units and determine, based on the link conditions, whether the subscriber units are resilient or non-resilient. The electronic processor is configured to assign resilient subscriber units to conflicting sub-frames and non-resilient subscriber units to non-conflicting sub-frames.

Abstract: It must be understood that such structure comprising CP1 and CS1 is implicitly there, even if the transmitter only explicitly prepends a CP1. Indeed, and explained by example of a full duplex multicarrier system, the receiver will still be required to discard a number of samples equivalent to a cyclic suffix from the received time samples of each symbol to obtain orthogonality with the echo received from the transmit symbols.

Abstract: Various aspects of the present disclosure generally relate to wireless communication. In some aspects, a user equipment (UE) may map an ultra-reliable low-latency communication (URLLC) transmission to a set of symbols for uplink transmission, wherein the mapping relates to at least one of an orphaned symbol repetition of the URLLC transmission, a transport block size determination, a shared channel mapping type of a repetition of the URLLC transmission, or a priority of an aperiodic sounding reference signal (A-SRS) of the URLLC transmission. The UE may transmit the URLLC transmission based at least in part on the mapping. Numerous other aspects are provided.

Abstract: Disclosed are example machine-learning approaches for determining maturity metrics of chatbot users. One or more datasets with words used during past conversations between a chatbot and a set of users with known maturity metrics are generated. A machine learning model is trained by applying machine learning to the one or more datasets such that the machine learning model is trained to output maturity metrics based on words received as inputs. A set of words or phrases spoken or written by the user during a conversation is fed to the machine learning model to determine a maturity metric of the user. A response is identified based on the determined maturity metric, and the response is presented during the conversation with the user. Words and phrases of a user conversing with a chatbot are used to determine the user's age or another maturity metric to generate responses that enhance the user experience.

Abstract: Methods, systems, and media for generating a notification in connection with a video content item are provided. In some embodiments, the method comprises: causing a video content item and a message interface to be presented on a plurality of user devices, wherein the video content item is created by a content creator; receiving, from at least a portion of the plurality of user devices, a plurality of messages via the message interface; identifying at least one topic included in a portion of the plurality of messages within a given period of time; causing a notification that indicates the at least one topic to be superimposed on the presentation of the video content item on the plurality of user devices; determining that the at least one topic is no longer included in more than a predetermined number of the plurality of messages; and causing presentation of the notification to be inhibited on the plurality of user devices.

Abstract: An example method of dynamically distributing messaging resources in a software as a service (SaaS) platform includes: receiving, by a processing device, from a first tenant associated with a first tenant set of a plurality of tenant sets, a request to forward a first message to a recipient within a specified destination; identifying, among a plurality of queues associated with the plurality of tenant sets, a subset of queues associated with the first tenant; queuing the first message into a first queue of the subset of queues associated with the first tenant; assigning, to each queue of the plurality of queues, a score reflecting a respective tenant portion of a messaging resource quota associated with the specified destination; retrieving a second message from a queue associated with a highest score; and forwarding the second message to a messaging gateway associated with the specified destination.

Abstract: The present invention enables a user to easily reference information of a communication destination related to email-related information included in an email transmitted to a terminal connected to a network for which communication with another network is restricted. Prescribed email-related information is extracted from a received email, a conversion is carried out, from communication destination information of a communication destination related to the email-related information, into read information wherein the communication destination information can be read by a method not utilizing a network by a first terminal that is not connected to a network to which a second terminal receiving the email is connected, and an email to which the read information has been appended is output to the second terminal.

Abstract: A computer system for facilitating communications between users is configured for: (A) receiving, from a first user, one or more user watch area attributes; (B) using the one or more user watch area attributes to define a watch area; (C) receiving, from a second user, a message associated with a geographical location; (D) determining whether the geographical location is located within the user watch area; (E) at least partially in response to determining that the geographical location is located within the user watch area, subscribing the first user to a thread of messages that includes the message; and (F) dynamically adjusting a shape of the user watch area based, at least in part, on a factor selected from a group consisting of: (1) a number of message postings within the user watch area; and (2) a population density of an area that is within the user watch area.

Abstract: A first electronic device of the present invention comprises at least one communication circuitry, at least one display, at least one memory configured to store instructions, and at least one processor operatively coupled with the at least one communication circuitry and the at least one display. The processor is configured to (1) access to a first server for a navigation service through an application for the navigation service linked with a first account for accessing to a second server, (2) receive a user input through the application, (3) transmit, via the first server to a second electronic device of a second user that is authenticated through the application linked with a second account for accessing to the second server, a message, (4) periodically transmit, via the first server to the second electronic device, information, and (5) display a positional relationship between the two electronic devices over an electronic map.

Abstract: A distributed resource may be mapped into a virtual network, where the resource is distributed across a large number of nodes that are uniquely addressable within the distributed resource service's address space. The resource can be represented using a relatively small number of private VIP addresses within the virtual network, while still enabling access to all of the nodes that are uniquely addressable within the address space of the distributed resource service. A resource map may be created that relates the distributed resource service's address space to the virtual network's address space. The resource map may be used by a gateway that facilitates access to a distributed resource by clients. The resource map may also be used to translate packets that are sent from clients within a virtual network into the distributed resource service's address space.

Abstract: This document describes techniques, apparatuses, and systems for allocating internet protocol (IP) addresses for data sessions based on a location of a visited network. A home network can receive a request to establish a data session for a user equipment (UE) subscribed to the home network and located on a visited network operated by a visited network operator. The home network may identify a country in which the UE or the visited network is located and determine, based on a look-up table, a group of IP addresses associated with the country. The home network can allocate, from the group of IP addresses associated with the country, an IP address for the data session. In doing so, the IP address can be allocated based on the location of the visited network.

Abstract: A method performed by a WTRU may comprise receiving context information from infrastructure equipment and selecting a SLAP quadrant for MAC address allocation. The selecting may be based on the context information received from the infrastructure equipment, which may be a bootstrapping server for the WTRU. The method may further comprise transmitting, to a DHCP server, a DHCP message indicating the selected SLAP quadrant. In response to the transmitted DHCP message, a MAC address may be received and configured to the WTRU. Context information includes, but is not limited to, a number of nodes in a network, a type of network deployment, a type of network, a mobility configuration, a type of device management, a battery lifetime, a location or privacy configuration.

Abstract: A method, apparatus, and system are described. A method in an access point (AP) configured for medium access control (MAC) address designation (MAAD) is described. The AP is configured to wirelessly communicate with a station (STA). The method comprises determining a first MAC address of the STA, where the first MAC address is usable as a transmitter address (TA) of the STA for a subsequent association to the AP by the STA, and transmitting the first MAC address to the STA in one of a response action frame and a message of a multiple-message handshake process.

Abstract: A system includes a memory and at least one processor to set a network throughput level setting to a default network traffic rate in a computer network, begin a data protection operation at the network throughput level setting in the computer network, continually monitor the computer network and determine that a condition has occurred in the computer network, dynamically adjust the network throughput level setting in response to the condition by one of decreasing the network throughput level setting by a network traffic rate increment and increasing the network throughput level setting by the network traffic rate increment, and dynamically shape network or storage traffic for the data protection operation using the network throughput level setting.

Abstract: A computer-implemented method causes data processing hardware to perform operations for training a firewall utilization model. The operations include receiving firewall utilization data for firewall connection requests during a utilization period. The firewall utilization data includes hit counts for each sub-rule associated with at least one firewall rule. The operations also include generating training data based on the firewall utilization data. The training data includes unused sub-rules corresponding to sub-rules having no hits during the utilization period and hit sub-rules corresponding to sub-rules having more than zero hits during the utilization period. The operations also include training a firewall utilization model on the training data. The operations further include, for each sub-rule associated with the at least one firewall rule, determining a corresponding sub-rule utilization probability indicating a likelihood the sub-rule will be used for a future connection request.

Abstract: A method comprising maintaining, in a central database, stored host device information related to one or more host devices associated with providing harmful data, which potentially includes harmful content; configuring a VPN server to receive, from a DNS server, obtained host device information associated with a host device based at least in part on receiving an indication that data of interest is to be requested from the host device; configuring the VPN server to determine that the data of interest potentially includes harmful content based at least in part on determining that the obtained host device information matches the stored host device information; and configuring the VPN server to transmit, based at least in part on determining that the data of interest potentially includes harmful content, a notification indicating that the data of interest to be requested potentially includes harmful content. Various other aspects are contemplated.

Abstract: A method in a virtual private network (VPN) environment, the method including determining, by a processor, first substitute domain information by utilizing a hashing function to hash a first time marker and a string of alphanumeric characters; determining, by the processor, second substitute domain information by utilizing the hashing function to hash a second time marker and the string of alphanumeric characters, the second time marker being different than the first time marker; and transmitting, by the processor, a connection request utilizing the second substitute domain information to reach a VPN service provider based at least in part on determining that the VPN service provider is unreachable via utilization of the first substitute domain information. Various other aspects are contemplated.

Abstract: A method that is performed to access data nodes of a data cluster. The method includes obtaining, by a data access gateway (DAG), a request from a host; and in response to the request, obtaining bidding counters from the data nodes; obtaining metadata mappings from the data nodes; identifying, based on the bidding counters and metadata mappings, a data node of the data nodes associated with a highest bidding counter of the bidding counters and an appropriate metadata mapping of the metadata mappings; and sending the request to the data node.

Abstract: Various embodiments of the present application set forth a computer-implemented method that includes receiving, by a trusted tunnel bridge and from a first application executing in a first network, a first encrypted data packet, where the first encrypted data packet includes an encrypted portion of data, and a destination device identifier (DDI). The method further includes determining, by the trusted tunnel bridge, a particular device in a second network and associated with the DDI included in the first encrypted data packet. The method further includes sending, by the trusted tunnel bridge directly to the particular device, the first encrypted data packet.

Abstract: According to an embodiment, a communication control device includes a first communication system connected between a first device and a network communication network, and a second communication system connected between the first device and the network communication network separately from the first communication system. The first communication system and the second communication system each include a controller. The controller executes switching such that one of the communication systems executes communication in the first communication mode, and when a problem is detected in the communication system that is executing communication in the first communication mode, the other communication system executes communication in the first communication mode.

Abstract: According to one embodiment, a method performed by a first communication device for generating a symmetric session key for encrypted communication with a second communication device is described comprising generating a blinding value for each of a first and a second private key component, generating a blinded public key from the first private key component, the second private key component, and the blinding values using a public key generation function, transmitting the blinded public key to the second communication device for encryption of a shared secret, receiving the shared secret, generating a session key for encrypted communication with the second communication device from the shared secret, encrypting, using the session key, an information from which the blinding values are derivable and transmitting the encrypted information to the second communication device.

Abstract: A base key that is stored at a device may be received. A network identification may further be received. A device identification key may be generated based on a combination of the network identification and the base key. Furthermore, the device identification key may be used to authenticate the device with a network that corresponds to the network identification.

Abstract: Various embodiments of the present technology generally relate to authentication. More specifically, some embodiments relate to systems and methods for mobile application infrastructure and framework for application authentication. Currently, methods and systems for authentication are not flexible or dynamic and over-authentication has become a solution because it is cheap and easy. In contrast, in accordance with some embodiments of this application, the methods and systems can analyze authentication challenges and non-authentication challenges received from a server over a network in a client side infrastructure. The client side infrastructure can determine a customized, flexible, and dynamic plan for responding to authentication challenges in manner that avoids over-authentication on the client side.

Abstract: In an embodiment, a method of securing remote technical support includes monitoring a computing environment for at least one indicator of remote-control software in the computing environment in accordance with stored authentication settings. The method also includes, responsive to the monitoring, detecting the at least one indicator of remote-control software in the computing environment. The method also includes, responsive to the detection, identifying an authentication profile in the stored authentication settings that is applicable to the at least one indicator of remote-control software. The method also includes executing an authentication workflow in accordance with the authentication profile. Other embodiments of this aspect include corresponding computer systems, apparatus, and computer programs recorded on one or more computer storage devices, each configured to perform the actions of the methods.

Abstract: In response to determining that the authentication function operating on the authentication node on a network is not responsive, a re-direct message may be communicated to at least one edge device on the network that requests of the authentication function on the authentication node be re-directed to a different authentication node.

Abstract: Techniques of dynamic authentication scheme selection in distributed computing systems are disclosed herein. One example technique includes analyzing a received authentication request for an indicator of an authentication scheme that is supported by a computing service submitting the authentication request. The example technique can also include determining whether the authentication scheme associated with the indicator is also supported by the authentication service and in response to determining that the authentication scheme associated with the indicator is also supported by the authentication service, initiating an authentication process with the computing service according to the authentication scheme that is supported by both the computing service and the authentication service. As such, the authentication scheme can be dynamically selected at the authentication service for the received authentication request.

Abstract: According to examples, an apparatus may include a processor that may determine that an application was accessed through a portal. Based on a determination that the application was accessed through the portal, the processor may determine whether a first credential type or a second credential type was supplied to access the application, in which the first credential type may include a set of personal credentials of a user and the second credential type may include a set of single sign-on credentials that the user may use to access multiple applications. The processor may also output a trace that may indicate an identification of the application that was accessed and the type of the credential supplied to access the application, in which a backed entity may analyze the data included in the trace.

Abstract: Systems and methods are disclosed for accessing protected data. A computing device may have a secured stared storage accessible by two or more applications operating on the mobile device. The computing device may obtain a first token from an authorization service to verify user identity for a first application. The first token may be stored in the shared storage area, and be accessible to one or more applications sharing the storage space. In response to a user attempt to access a web service using a second application, the user identity may be verified using the first token. The authorization service may verify user credentials, and send a second token to the computing device. The second token may be a proxy ticket authorizing access and exchange of protected data between the second application and a web service. The second token may also be stored in the secure storage area.

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: Examples of renewal of security certificates of supplicant devices are described. In an example, a request to authenticate a supplicant device based on a security certificate is received by an authenticator device and from a supplicant device. The request comprises information relating to the security certificate which is expired. A login history of the supplicant device and presence of a valid account associated with the supplicant device in a directory database is determined. An authentication successful message is sent to the supplicant device based on the login history and presence of the valid account in the directory database. The supplicant device is redirected to a captive web portal for authentication of the supplicant device based on the login credential. In response to a successful authentication of the supplicant device in the captive web portal, a renewed security certificate for the supplicant device is provided.

Abstract: A messaging system for exchanging messages between nodes in a network via a broker that uses a publish-subscribe message protocol, which nodes have object identifications (IDs). Messages between the nodes are routed using the object IDs of the nodes. Secure communication is provided using authentication according to digital certificates being used as first and second tiers by a commissioning broker and a data broker, respectively, in which the second tier certificate used by the data broker has a shorter lived expiration time.

Abstract: A system for communicating email messages using tokens receives a request to send an email message to a receiver. The email message is associated with a sender's email address. The system determines whether the sender's email address is associated with a token from a plurality of tokens stored in a token-email address mapping table. The system generates a particular token for the sender's email address in response to determining that the sender's email address is not associated with a token, where the particular token uniquely identifies the sender's email address. The system sends the email message using the particular token instead of the sender's email address, such that the sender's email address remains anonymous from the perspective of the receiver.

Abstract: The disclosed technology is generally directed to web authentication. In one example of the technology, authentication of a broker is obtained with an identity provider. Obtaining the authentication includes at least communication between the broker and a top-level frame and communication between the broker and the identity provider. The broker is executing in a descendant frame of the top-level frame. The top-level frame and the broker are hosted on different domains. At the broker, from an embedded application that is executing on another descendant frame of the top-level frame, a token request is received. Via the broker, a token is requested from the identity provider. The token is associated with an authorization of secure delegated remote access of at least one resource by the embedded application. At the broker, from the identity provider, the token is received. Via the broker, the token is provided to the embedded application.

Abstract: In IP communication, an authentication code AC1 uniquely generated by a receiving-side communication device 1b is sent to an originating-side communication device 1a (S1, S2), and stored in the originating-side communication device (S3). Packets in which the stored authentication code is embedded are sent to the receiving-side communication device 1b on connection from the originating-side communication device 1a to the receiving-side communication device 1b (S4), and it is determined at the receiving-side communication device whether the originating-side communication device is true or false depending on if the authentication code sent from the receiving-side communication device is contained in the packets received from the originating-side communication device or not (S5).

Abstract: A computer implemented method and system for near field communication authentication sharing techniques is disclosed. The method comprises providing user credentials to access an application on a first device; sending a request to share the authentication with a second device; in response to the request, receiving an authentication code; and transmitting the authentication code to the second device, wherein sharing enables the second device to access the application on the second device without providing user credentials.

Abstract: The method provides an automated and scalable system for device onboarding and an asset metadata-based device directory service. It helps perform zero touch device onboarding at first-time power cycle of a device in operational environments with device two-factor authentication to configure and manage the lifecycle of device and application-level quantum-safe keys for secure communications with client authentication, data authentication, and data encryption over secure and insecure transport protocols. It helps achieve device onboarding and accelerated provisioning with secure scanning of printed device labels for device identifiers assigned by the device manufacturer and/or device owners/operators. It helps provision device and application-level pre-shared keys for client authentication, data authentication, and data encryption over any transport or network protocol stack for secure authenticated communications between devices and services hosted on-cloud or on-premises.

Abstract: Disclosed embodiments include identity verification and management services in which users authenticate their identities during an enrollment process, and may access and modify their identity information via a secure portal. The enrollment process includes collecting various identifying data and biometric data of a user. A live interview portion during the enrollment process is used to check the liveness and verify the collected identifying data and biometric data. Once the user is enrolled, the user's identity can be verified for multiple entities using the same enrolled identity, and the user can manage the specific data used to verify their identity with different entities. This provides users with the ability to use their authenticated/verified identity across various industries, markets, locations, and the like, while keeping their identifying data private. Other embodiments may be described and/or claimed.

Abstract: The communication system is a communication system including a management communication apparatus, a first communication apparatus, and a second communication apparatus. The first communication apparatus is capable of communicating using a plurality of Internet Protocol (IP) addresses in different versions from each other, and includes a first communication unit configured to notify the management communication apparatus of a first IP address among the plurality of IP addresses in a first authentication process for entering the communication system, and to notify the management communication apparatus of a second IP address among the plurality of IP addresses after the first authentication process, the first authentication process being performed between the first communication apparatus and the management communication apparatus.

Abstract: Examples include service authentication for a principal. A request to access a first service of a plurality of services of a network may be received from a principal by an identity intermediary. An identifier of the first service may be stored at the identity intermediary, and an unsigned credential of the principal and a principal identifier may be transferred from the identity intermediary to a credential provider. The principal identifier and the credential signed by the credential provider may be received, and the signed credential may be transmitted to the first service for authentication.

Abstract: The present invention provides a method for packet processing according to a access control list table, comprising: receiving a packet, wherein the packet includes a packet information and match items for matching; providing an access control list (ACL) codeword table; providing a mask table, wherein the ACL codeword table corresponds to the mask table; obtaining a hash key by performing a multiplexing logic operation, wherein the hash key is made by combining a multiplex result of the packet information and the mask table; obtaining a hash value by performing a hash function based on the hash key, wherein the hash value is composed of X+Y, wherein X is a signature table (hash table) index and Y is a key digest; performing a hash table indexing, based on the signature table index, wherein the signature table index is the index to an address of signature table; performing a fast pattern match, wherein the signature table contains signature fields, and if any second signature field in the signature table is mat