Protection At A Particular Protocol Layer Patents (Class 713/151)
- Patent number: 10296397
  Abstract: This disclosure sets forth systems and methods for recommending candidate computing platforms for migration of data and data-related workload from an original computing platform. The systems and methods further describe determining recommendations of candidate computing platforms based on a comparison of key performance and utilization statistics of the original computing platform under a user-generated workload with candidate computing platforms under a synthetic workload. Key performance and utilization statistics may relate to CPU, memory, file I/O, network I/O, and database I/O operations on the respective computing platforms. The synthetic workload may be defined by parameters that simulate the key performance and utilization statistics of the original computing platform under the user-generated workload. Further, the synthetic workloads may be executed on individual candidate computing platforms to determine service level capabilities that are ultimately used to form the recommendation.
  Type: Grant
  Filed: May 18, 2016
  Date of Patent: May 21, 2019
  Assignee: Krystallize Technologies, Inc.
  Inventors: Roger Richter, Matthew Gueller, James Richard Nolan
- Patent number: 10296739
  Abstract: According to an example, a confidence factor function may be applied to determine a confidence factor for a condition of a rule to correlate events. The confidence factor may be an approximation of whether an event or a set of events satisfies the condition in the rule. The confidence factor may be compared to a threshold to determine whether the condition is satisfied.
  Type: Grant
  Filed: March 11, 2013
  Date of Patent: May 21, 2019
  Assignee: ENTIT SOFTWARE LLC
  Inventors: Anurag Singla, Robert Block, Suranjan Pramanik
- Patent number: 10298542
  Abstract: In one embodiment, a networking device in a local area network (LAN) establishes a virtual network overlay in the LAN to redirect traffic associated with a particular node in the LAN to a server for analysis. The networking device receives an indication from the server that at least a portion of the traffic associated with the particular node is trusted for local sending within the LAN and adjusts the virtual network overlay to locally send the trusted portion of the traffic associated with the particular node to one or more other nodes in the LAN without redirection to the server. The networking device collects characteristic information regarding the trusted portion of the traffic sent locally within the LAN via the adjusted virtual network overlay and sends the collected characteristic information to the server for analysis.
  Type: Grant
  Filed: April 12, 2017
  Date of Patent: May 21, 2019
  Assignee: Cisco Technology, Inc.
  Inventors: Pascal Thubert, Jean-Philippe Vasseur, Patrick Wetterwald, Eric Levy-Abegnoli
- Patent number: 10291475
  Abstract: A device designates a first set of computing resources, of a cloud computing environment, for management services. The management services include services that manage the cloud computing environment, and the first set of computing resources provides a particular quality of service for the management services. The device provisions the first set of computing resources with the management services, and designates a second set of computing resources for user services. The second set of computing resources is separate from the first set of computing resources, and the user services include services provided to users of the cloud computing environment. The device provisions the second set of computing resources with the user services, and designates a third set of computing resources for a pool of unused computing resources. The third set of computing resources is separate from the first set of computing resources and the second set of computing resources.
  Type: Grant
  Filed: August 5, 2013
  Date of Patent: May 14, 2019
  Assignee: Verizon Patent and Licensing Inc.
  Inventors: Michael J. Matczynski, Paul M. Curtis, Owen F. Kellett
- Patent number: 10284535
  Abstract: Methods, systems, and apparatus, including a system that includes a secure hardware unit; and a database system including one or more processors; and a computer-readable medium having stored instructions that, when executed by the one or more processors, cause the one or more processors to perform operations including: receiving a client request to perform a database operation using first encrypted data as an encrypted value of a field to be operated on by the database operation, where the first encrypted data has been encrypted by a database client using a first encryption key; providing, to the secure hardware unit, a system request for performing one or more data processing operations, the system request including (i) the first encrypted data and (ii) data identifying the first encryption key; and receiving, from the secure hardware unit, output data representing an output of the one or more data processing operations.
  Type: Grant
  Filed: December 13, 2016
  Date of Patent: May 7, 2019
  Assignee: Chronicle LLC
  Inventor: Carey Stover Nachenberg
- Patent number: 10285200
  Abstract: An access point selects a channel access policy for an electronic device in a wireless local area network (WLAN). During operation, an interface circuit of the access point receives a channel access preference from the electronic device. The channel access preference includes: a multi-user trigger-based channel access technique, a single-user contention-based channel access technique, or both. The interface circuit selects the channel access policy for the electronic device based, at least in part, on the received channel access preference. The channel access policy can also be selected based at least in part on a communication performance metric associated with communication in the WLAN. The interface circuit communicates the selected channel access policy to the electronic device, which subsequently accesses a communication channel and communicates packets with the access point in accordance with the channel access policy.
  Type: Grant
  Filed: January 10, 2017
  Date of Patent: May 7, 2019
  Assignee: Apple Inc.
  Inventors: Guoqing Li, Christiaan A. Hartman, Ashok Ranganath, Joonsuk Kim, Matthew L. Semersky, Oren Shani, Su Khiong Yong, Yong Liu
- Patent number: 10275267
  Abstract: Methods and systems for provisioning computing resource instances among implementation resources based on trust to reduce interference between computing resource instances implemented by the same implementation resources. In an embodiment, a trust rating is determined for a computing resource instance based at least in part on one or more trust factors. The suitability of an implementation resource to implement the given computing resource instance may be evaluated based at least in part on the trust rating of the computing resource instance and a trust rating of the implementation resource. In some embodiments, the trust rating of the implementation resource may be predefined or based on trust ratings of computing resource instances that are currently implemented by the implementation resource. An implementation resource may be selected to implement the computing resource instance based at least in part on its suitability thus determined.
  Type: Grant
  Filed: October 22, 2012
  Date of Patent: April 30, 2019
  Assignee: Amazon Technologies, Inc.
  Inventors: Christopher Richard Jacques de Kadt, James Alfred Gordon Greenfield, Gustav Karl Mauer
- Patent number: 10277610
  Abstract: Some embodiments of reassembly-free deep packet inspection (DPI) on multicore hardware have been presented. In one embodiment, a set of packets of one or more files is received at a networked device from one or more connections. Each packet is scanned using one of a set of processing cores in the networked device without buffering the one or more files in the networked device. Furthermore, the set of processing cores may scan the packets substantially concurrently.
  Type: Grant
  Filed: August 11, 2014
  Date of Patent: April 30, 2019
  Assignee: SONICWALL INC.
  Inventors: Aleksandr Dubrovsky, John E. Gmuender, Huy Minh Nguyen, Ilya Minkin, Justin M. Brady, Boris Yanovsky
- Patent number: 10277624
  Abstract: The disclosed computer-implemented method for reducing infection risk of computing systems may include (i) determining a distance between a computing system that is connected to a local network and an additional computing system that is not connected to the local network but is connected to the computing system via a series of connected devices, (ii) detecting that the additional computing system is infected with malware, (iii) calculating an infection probability for the computing system that is based at least in part on the distance between the computing system and the additional computing system that is infected, and (iv) performing a security action on the computing system that reduces a risk of infection of the computing system in response to the infection probability for the computing system meeting a predetermined threshold for infection probability. Various other methods, systems, and computer-readable media are also disclosed.
  Type: Grant
  Filed: September 28, 2016
  Date of Patent: April 30, 2019
  Assignee: Symantec Corporation
  Inventor: Sujit Magar
- Patent number: 10264010
  Abstract: A test apparatus (1) for testing a security of communication of a device under test, DUT, (4), wherein the test apparatus (1) comprises an RF unit (2) having an RF interface adapted to receive from the device under test, DUT, (4) an RF signal carrying Internet Protocol, IP, data including at least one IP address; and an IP unit (3) adapted to analyze IP data carried in the received RF signal to check communication security of the device under test, DUT, (4) using at least one security criterion, SC-CEP, related to a communication endpoint, CEP, addressed by the IP address.
  Type: Grant
  Filed: August 30, 2016
  Date of Patent: April 16, 2019
  Assignee: ROHDE & SCHWARZ GMBH & CO. KG
  Inventors: Stefan Diebenbusch, Christian Hof, Christoph Nufer
- Patent number: 10255440
  Abstract: This disclosure relates to systems and methods for enabling the use of secret digital or electronic information without exposing the sensitive information to unsecured applications. In certain embodiments, the methods may include invoking, by a client application executing in an open processing domain, a secure abstraction layer configured to interface with secret data protected by a secure processing domain. Secure operations may be securely performed on the secret data by the secure abstraction layer in the secure processing domain based on an invocation from a client application running in the open processing domain.
  Type: Grant
  Filed: May 26, 2016
  Date of Patent: April 9, 2019
  Assignee: Intertrust Technologies Corporation
  Inventors: Gilles Boccon-Gibod, Gary F. Ellison
- Patent number: 10255424
  Abstract: A method of verifying a challenge value may include receiving the challenge value from a client device; accessing an external data store to receive data rows that may be associated with a user of the client device; filtering data rows that are not sourced from computer systems associated with the challenge value; grouping the data rows into groups based on which of the computer systems each of the data rows was sourced from; determining an input velocity for each of the groups; determining an interval value for each of the groups based on the input velocity; calculating a group value for each of the groups based on the interval value and the input velocity; calculating an estimated total value based on the group values; and determining whether the challenge value can be verified by determining whether the estimated total value is within a threshold of the challenge value.
  Type: Grant
  Filed: January 17, 2018
  Date of Patent: April 9, 2019
  Inventors: Todd Lunsford, Rodney Golpe, Steve Ghidro
- Patent number: 10251061
  Abstract: The described computing system may have a first electronic device capable of being coupled to a first communications network, a second electronic device capable of being coupled to a second communications network, and an out-of-band management device capable of communicating with the first electronic device and the second electronic device. The first electronic device may be capable of accessing a remote program via the out-of-band management device, thereby providing access to a remotely located second electronic device. In a preferred embodiment, this is done utilizing mobile communications technology.
  Type: Grant
  Filed: December 19, 2016
  Date of Patent: April 2, 2019
  Inventor: Tadhg Kelly
- Patent number: 10250620
  Abstract: Described is a technology by which a signature used by network traffic intrusion prevention/detection systems includes logic that helps a prevention/detection engine detect that signature. A signature to detect is compiled into executable logic that is executed to communicate with an engine that evaluates network traffic. The signature logic provides an expression set (such as a group of regular expressions) for the engine to match against a token corresponding to the network traffic. When matched, the engine notifies the logic and receives a further expression set to match, or a communication indicating that the signature was detected. The signature thus directs the analysis, facilitating a lightweight, generic engine. Safety of the signature logic is described as being accomplished through layers, including by publisher signing, and by compilation and execution (e.g., interpretation) in safe environments.
  Type: Grant
  Filed: June 30, 2016
  Date of Patent: April 2, 2019
  Assignee: Microsoft Technology Licensing, LLC
  Inventors: Vladimir Lifliand, Evgeney Ryzhyk, Yifat Sagiv, Maxim Uritsky
- Patent number: 10243995
  Abstract: An image processing apparatus which is capable of restraining operation that does not comply with security policies even in a case where security policies are changed through setting of user modes. The security policies are set in advance in the image processing apparatus. The image processing apparatus has a UI operation unit that enables operation on the image processing apparatus. When settings of the image processing apparatus are changed via the UI operation unit, it is verified whether or not the changed settings match the security policies. Operation of the image processing apparatus is restrained until it is verified that the changed settings match the security policies.
  Type: Grant
  Filed: December 22, 2015
  Date of Patent: March 26, 2019
  Assignee: CANON KABUSHIKI KAISHA
  Inventor: Naoki Tsuchitoi
- Patent number: 10218790
  Abstract: Disclosed are systems, methods, and machine readable storage media that cause a storage computer and a client computer to perform a method of providing access to one or more resources on the storage computer for the client computer. The storage computer is operable for initiation of a network connection between the client computer and the storage computer. Initiation of the network connection between the client computer and the storage computer by the storage computer is enabled, and initiation of the network connection between the client computer and the storage computer by the client computer is disabled. The client computer and the storage computer are operable for maintaining the network connection between the client computer and the storage computer.
  Type: Grant
  Filed: April 9, 2018
  Date of Patent: February 26, 2019
  Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
  Inventors: Jakub Barc, Filip Barczyk, Marek Grochowski, Grzegorz Sawina
- Patent number: 10218682
  Abstract: The present document describes systems and methods that utilize a cryptographic service for establishing a cryptographically protected communication session, such as a TLS connection, between a client computer system and a TLS termination point. The cryptographic service retains cryptographic material associated with a server that is represented by the TLS termination point. The TLS termination point uses the cryptographic service to perform cryptographic operations associated with establishing and maintaining the cryptographically protected communication session. The cryptographic service may be provided by the server itself, a cryptographic server, or a cryptographic accelerator such as an HSM. In some embodiments, the cryptographic service tokenizes unencrypted data to be provided to the TLS termination point. If a cryptographic accelerator is used, the cryptographic accelerator may include facilities to accelerate asymmetric cryptographic operations as well as symmetric cryptographic operations.
  Type: Grant
  Filed: January 19, 2016
  Date of Patent: February 26, 2019
  Assignee: Amazon Technologies, Inc.
  Inventors: Rami Kawach, Jesper Mikael Johansson
- Patent number: 10218698
  Abstract: Attributes of a session, between a source device and a verification device, for sending first verification data, such as a password and an account identifier, are determined. The verification device generates user device data based on an identifier, such as a mobile device number (MDN), for a user device associated with the account identifier. An identifier, such as an MDN, associated with the source device and an encryption key associated with the verification device are determined based on session attributes. Second verification data is generated based on the identifier associated with the source device. The second verification data is encrypted using the encryption key and forwarded to the verification device. The verification device decrypts the second verification data and compares the identifier for the user device to the identifier for the source device to determine whether the first verification data was sent from the user device.
  Type: Grant
  Filed: October 29, 2015
  Date of Patent: February 26, 2019
  Assignee: Verizon Patent and Licensing Inc.
  Inventors: Fenglin Yin, Jianxiu Hao, Zhong Chen
- Patent number: 10218734
  Abstract: The disclosure is directed to a system for improving security of SSL communications. The system can include a device intermediary between one or more servers, one or more clients, a plurality of agents, and a web service. The servers can be configured to receive SSL connections and issue SSL certificates. The device can include a virtual server associated with a respective one of the servers, such that the SSL certificate of the respective server is transmitted through the device. The device can generate service fingerprints for the one or more servers. Each service fingerprint can include information corresponding to an SSL certificate of the virtual server, one or more DNS aliases for a virtual IP address of the respective virtual server, one or more port numbers serving the SSL certificate, and an IP address serviced by the device. The device also can transmit the service fingerprints to a web service.
  Type: Grant
  Filed: May 6, 2016
  Date of Patent: February 26, 2019
  Assignee: Citrix Systems, Inc.
  Inventors: Anoop Reddy, Kenneth Bell, Georgios Oikonomou, Kurt Roemer
- Patent number: 10216928
  Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.
  Type: Grant
  Filed: July 28, 2017
  Date of Patent: February 26, 2019
  Assignee: Apple Inc.
  Inventors: Pierre-Olivier J. Martel, Kelly B. Yancey, Richard L. Hagy
- Patent number: 10210511
  Abstract: A method is provided for completing an authenticated commercial transaction over an internet protocol (IP) network (40) for an account holder (60) engaged in the transaction via a non-IP based telecommunications platform (30).
  Type: Grant
  Filed: August 29, 2014
  Date of Patent: February 19, 2019
  Assignee: CardinalCommerce Corporation
  Inventors: Chandra Balasubramanian, Francis Sherwin, Michael A. Keresman, III
- Patent number: 10204211
  Abstract: Embodiments are directed to monitoring communication over a network using a network monitoring computer (NMC). If one or more flows include healthcare traffic provided by one or more healthcare services, the NMC may perform further actions. Healthcare values from the one or more healthcare services may be provided from the network traffic. Values from one or more network traffic flows that are separate from the healthcare traffic may be provided. Other healthcare values from other flows may be provided that include healthcare traffic provided by the healthcare services. Accordingly, if a comparison of the healthcare values and the other healthcare values meets certain conditions, additional actions may be performed based on rules or policies. The healthcare traffic may be compliant with one or more of the Health Level Seven (HL7) standard, the Digital Imaging and Communications in Medicine (DICOM) standard, or the like.
  Type: Grant
  Filed: February 3, 2016
  Date of Patent: February 12, 2019
  Assignee: ExtraHop Networks, Inc.
  Inventors: Eric Joseph Hammerle, Samuel Kanen Clement, Terry William Shaver, Matthew Couper Cauthorn
- Patent number: 10200352
  Abstract: A system and method is disclosed for transporting application data through a communications tunnel between a host device and a guest device that each include networked processors. The application data may be transported between the host device and the guest device through an allowed port of the host device, the communications tunnel, and a port of the guest device. Based on logon credentials, the guest device can be authenticated by a security server and a role may be determined. The role can include allowed ports and associated applications on the host that the guest is allowed to access. Remote access from the guest device to host devices or remote devices may be enabled without needing prior knowledge of their configurations. Secure access may be facilitated to remote host devices or remote devices, according to security policies that can vary on a per-session basis and take into account various factors.
  Type: Grant
  Filed: March 14, 2014
  Date of Patent: February 5, 2019
  Assignee: NETOP SOLUTIONS A/S
  Inventors: Peter Holmelin, Valentin Palade, Dragos Ivan
- Patent number: 10187873
  Abstract: A method for determining information about access barring includes the steps of: receiving a message set transmitted via a radio interface to a user equipment, the message set including at least a starting message that is a paging message; obtaining at least a first bit of a bit set from the starting message, wherein the bit set includes at least two bits and is intended for access barring; determining information of the bit set, the information at least disclosing whether the access barring is on or off; and receiving a system information block transmitted via the radio interface to the user equipment, the system information block comprising a scheduling information list that lists a further system information block that contains access barring parameters.
  Type: Grant
  Filed: November 17, 2016
  Date of Patent: January 22, 2019
  Assignee: Xiaomi H.K. Ltd.
  Inventors: Jianke Fan, Brian Martin
- Patent number: 10182347
  Abstract: A wireless communications device, constituted from a control station and a slave station that perform encryption communication using an encryption key, includes a controller that monitors communication quality of a state of a call to the slave station and, in a case where the communication quality degrades to below the same level as a state that is determined in advance, operates in such a manner that a procedure for changing the encryption key, which is determined in advance, is not activated.
  Type: Grant
  Filed: March 30, 2015
  Date of Patent: January 15, 2019
  Assignee: PANASONIC INTELLECTUAL PROPERTY MANAGEMENT CO., LTD.
  Inventor: Toshiyuki Sugitani
- Patent number: 10171440
  Abstract: Key management methods and systems are provided. One of the methods comprises encrypting a service key used by an instance of a first user of a cloud service by using a master key, generating two or more key pieces for reconstructing the master key, distributing and storing the key pieces in two or more host servers included in a host group for providing the cloud service, receiving a request for the service key from the instance of the first user, receiving the key pieces from the two or more host servers and reconstructing the master key based on the received key pieces, and decrypting the encrypted service key by using the reconstructed master key.
  Type: Grant
  Filed: May 27, 2016
  Date of Patent: January 1, 2019
  Assignee: SAMSUNG SDS CO., LTD.
  Inventor: In Seon Yoo
- Patent number: 10165049
  Abstract: A TCP handshake is distributed by having an initiator device send, to a server, a SYN(m) with the IP address of a terminator device as source address. The initiator device can then forget any TCP state for the SYN(m). The server responds with a SYN-ACK(m+1, n) according to the normal TCP handshake, but the response goes to the terminator device, which receives the message, reconstructs the TCP handshake as if it had sent the initial SYN message, and sends an ACK(n+1) to the server. The TCP handshake method can be used to avoid allocation of resources in, for example, device monitoring.
  Type: Grant
  Filed: February 19, 2016
  Date of Patent: December 25, 2018
  Assignee: InterDigital CE Patent Holdings
  Inventors: Olivier Heen, Christoph Neumann
- Patent number: 10148697
  Abstract: In one embodiment, a system includes a processing circuit and logic integrated with and/or executable by the processing circuit. The logic is configured to cause the processing circuit to receive security results, using an application and data protection layer (ADPL) operating on a first host, from an end point protection agent (EPPA) configured to protect the first host. The logic is also configured to cause the processing circuit to provide the security results to one or more local applications operating on the first host. According to another embodiment, a method includes receiving security results, using an ADPL operating on a first host, from an EPPA configured to protect the first host. The method also includes providing the security results to one or more local applications operating on the first host. Other systems, methods, and computer program products are described in accordance with more embodiments.
  Type: Grant
  Filed: June 16, 2016
  Date of Patent: December 4, 2018
  Assignee: AVOCADO SYSTEMS INC.
  Inventor: Keshav Govind Kamble
- Patent number: 10142290
  Abstract: Customers of a computing resource service provider may utilize computing resources of the computing resource service provider to implement one or more computer systems. Furthermore, the customer may cause a host-based firewall to be executed by the one or more computer systems. The host-based firewall may collect network traffic information. The customer may then be provided with the network traffic information and be prompted to provide decisions associated with the network traffic information. The decisions may be used to generate a set of rules which may be enforced by the host-based firewall.
  Type: Grant
  Filed: March 30, 2016
  Date of Patent: November 27, 2018
  Assignee: Amazon Technologies, Inc.
  Inventors: Eric Jason Brandwine, Robert Eric Fitzgerald, Alexander Robin Gordon Lucas
- Patent number: 10129838
  Abstract: Methods, systems, and devices are described that provide for D2D synchronization. The methods, systems, and/or devices may include tools and techniques that provide for synchronizing a mobile device based on detection of a reliability alarm. A reliability alarm may be used between mobile devices, which is transmitted and/or received on specific D2D resources. Since the resources are reserved for the reliability alarm, a mobile device which was previously isolated from network synchronization will be able to receive the reliability alarm that a reliable synchronization signal is close when it moves within range of a reliable device. Once a reliability alarm is received, the mobile device may free other resources to allow it to receive synchronization signals from the reliable devices. The mobile device may then synchronize with the network based on the received synchronization signals and transmit its own reliability alarm for subsequent isolated devices to use.
  Type: Grant
  Filed: May 23, 2014
  Date of Patent: November 13, 2018
  Assignee: QUALCOMM Incorporated
  Inventors: Navid Abedini, Nilesh Nilkanth Khude, Saurabha Rangrao Tavildar, Sébastien Henri, Junyi Li, Vincent Douglas Park
- Patent number: 10110562
  Abstract: The present invention relates to a method and system for performing deep packet inspection of messages transmitted through a network switch in a Software Defined Network (SDN). Embodiments of the invention include a network switch, a controller, and a firewall in a software defined networking environment. In the present invention, the network switch is a simple network switch that is physically separate from the controller and the firewall. The invention may include a plurality of physically distinct network switches communicating with one or more controllers and firewalls. In certain instances, communications between the network switch, the controller, and the firewall are performed using the OpenFlow standard communication protocol.
  Type: Grant
  Filed: December 29, 2017
  Date of Patent: October 23, 2018
  Assignee: SonicWALL Inc.
  Inventors: Hui Ling, Zhong Chen
- Patent number: 10111268
  Abstract: A reader device may generate a first identifier. The reader device may transmit the first identifier to a mobile device. The reader device may receive encrypted data and unencrypted data from the mobile device, in which the encrypted data includes a second identifier. The reader device may evaluate whether the first identifier and the second identifier correspond to one another.
  Type: Grant
  Filed: April 12, 2016
  Date of Patent: October 23, 2018
  Assignee: Schlage Lock Company LLC
  Inventors: Jeffrey S. Neafsey, Michael W. Malone, Hamid Abouhashem
- Patent number: 10104108
  Abstract: A log analysis system for analyzing a detection log detected in a monitoring target system includes an acquisition device for detecting detection target processes performed in the monitoring target system and acquiring a detection log of the detection target processes; and a processor device for processing the detection log acquired by the acquisition device. The processor device includes a plurality of processing blocks that perform processing on the detection log sequentially. The processor device performs processing while sending the detection log in order from a most-upstream processing block to downstream processing blocks. A most-downstream processing block of the processor device notifies the most-upstream processing block of the processor device that the detection log has been received.
  Type: Grant
  Filed: March 17, 2016
  Date of Patent: October 16, 2018
  Assignee: LAC CO., LTD.
  Inventors: Hiroshi Fujimoto, Toshihide Nakama
- Patent number: 10097485
  Abstract: A computer-implemented system and method for reformatting and delivering emails as conversations. The computer-implemented method includes: synchronizing with an email service and receiving an email message via a data network; parsing content of the received email message to identify and suppress email content not related to conversational content and retaining the conversational content; reformatting the received email message to include the conversational content in a chat style format as an expressive conversation; making the expressive conversation available to a client email application; and presenting the expressive conversation to a user via the client email application.
  Type: Grant
  Filed: March 22, 2016
  Date of Patent: October 9, 2018
  Assignee: MAILTIME TECHNOLOGY INC.
  Inventors: He Huang, Chun Kit Lau
-
Patent number: 10097481Abstract: In some embodiments, a non-transitory processor-readable medium stores code representing instructions to be executed by a processor. The code causes the processor to receive, from a source peripheral processing device, a portion of a data packet having a destination address associated with a destination peripheral processing device. The code causes the processor to identify, based on the destination address, a service to be performed on the portion of the data packet. The code causes the processor to select, based on the service, an identifier of a service module associated with the service. The code further causes the processor to send the portion of the data packet to the service module via a distributed switch fabric such that the service module performs the service on the portion of the data packet and sends the portion of the data packet to the destination peripheral processing device via the distributed switch fabric.Type: GrantFiled: June 29, 2012Date of Patent: October 9, 2018Assignee: Juniper Networks, Inc.Inventors: Krishna Narayanaswamy, Jean-Marc Frailong, Anjan Venkatramani, Srinivasan Jagannadhan
-
Patent number: 10084761Abstract: A variety of techniques for performing identity verification are disclosed. As one example, a verification request is received from a remote user. The verification request pertains to a cryptographic key. In response to receiving a confirmation from a local user of the local device, a verification process is initiated. A result of the verification process is transmitted to the remote user. As a second example, a verification request can be received at the local device, from a local user of the device. A verification process with respect to the local user is initiated, and a result of the verification process is transmitted to a remote user that is different from the local user.Type: GrantFiled: January 18, 2018Date of Patent: September 25, 2018Assignee: Wickr IncInventors: Christopher Howell, Robert Statica, Kara Lynn Coppa
-
Patent number: 10051019Abstract: A client device generates a plurality of application windows. For example, a first application window may be provided by a first application that has a first session established with a server system, and a second application window may be provided by a second application that has a second session established with the server system. The client device detects user activity in the first window. Based on the user activity in the first window, the client device sends a message to the server system providing an indication of user activity in one or more of the plurality of windows. The message causes the server system to maintain the second session as active despite inactivity in the second application window.Type: GrantFiled: March 11, 2013Date of Patent: August 14, 2018Assignee: WELLS FARGO BANK, N.A.Inventors: Manuel Jasso, Arnaud Versini, Ryan Van Oss
-
Patent number: 10044745Abstract: Methods, systems, and apparatus, including computer programs encoded on computer storage media, for computer network security risk assessment. One of the methods includes obtaining compromise likelihoods for user accounts. Information describing a network topology of a network is obtained, with the network topology being nodes each connected by an edge to other nodes, each node being associated with a compromise likelihood, and one or more nodes are high value nodes associated with a compromise value. Unique paths to each of the high value nodes are determined for a particular user account. An expected value for each path is determined based on the compromise likelihood of the particular user account, the compromise likelihood of each node included in the path, the communication weight of each edge included in the path, and the compromise value associated with the high value node. User interface data is generated describing at least one path.Type: GrantFiled: July 11, 2016Date of Patent: August 7, 2018Assignee: Palantir Technologies, Inc.Inventors: Samuel Jones, Joseph Staehle, Lucy Cheng
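As an added worked example (not Palantir's code), here is the path scoring this abstract describes, in Go: simple paths from an account's entry node to each high-value node are enumerated by depth-first search, and each path is scored as the product of the account's compromise likelihood, the compromise likelihood of every node on the path, the communication weight of every edge on it, and the high-value node's compromise value. The five-host topology, its likelihoods, weights and values, and the assumption that an account maps to a single entry node are all constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Edge is a communication link; Weight is its communication weight, assumed
// here to lie in (0,1] and to scale how readily compromise spreads along it.
type Edge struct {
	To     string
	Weight float64
}

// Network holds per-node compromise likelihoods, compromise values for the
// high-value nodes only, and the adjacency list.
type Network struct {
	Likelihood map[string]float64
	Value      map[string]float64
	Adj        map[string][]Edge
}

type Path struct {
	Nodes    []string
	Expected float64
}

func (p Path) String() string {
	return fmt.Sprintf("%-40s EV=%.4f", strings.Join(p.Nodes, " -> "), p.Expected)
}

// RankPaths enumerates the simple paths from the account's entry node to every
// high-value node and scores each as
//   EV = P(account) * prod P(node) * prod w(edge) * value(high-value node),
// sorted highest first, which is the order a risk UI would present.
func RankPaths(n Network, accountLikelihood float64, entry string) []Path {
	var out []Path
	visited := map[string]bool{entry: true}
	var walk func(node string, trail []string, score float64)
	walk = func(node string, trail []string, score float64) {
		if v, ok := n.Value[node]; ok && node != entry {
			out = append(out, Path{Nodes: append([]string(nil), trail...), Expected: score * v})
		}
		for _, e := range n.Adj[node] {
			if visited[e.To] {
				continue // simple paths only: never revisit a node
			}
			visited[e.To] = true
			walk(e.To, append(trail, e.To), score*e.Weight*n.Likelihood[e.To])
			visited[e.To] = false
		}
	}
	walk(entry, []string{entry}, accountLikelihood*n.Likelihood[entry])
	sort.Slice(out, func(i, j int) bool { return out[i].Expected > out[j].Expected })
	return out
}

// SampleNetwork is a constructed five-host topology, not data from the patent.
func SampleNetwork() Network {
	return Network{
		Likelihood: map[string]float64{"workstation": 0.8, "fileserver": 0.5, "jumphost": 0.4, "dc": 0.2, "db": 0.3},
		Value:      map[string]float64{"dc": 100, "db": 60},
		Adj: map[string][]Edge{
			"workstation": {{"fileserver", 0.9}, {"jumphost", 0.5}},
			"fileserver":  {{"dc", 0.6}, {"db", 0.4}},
			"jumphost":    {{"dc", 0.8}, {"db", 0.7}},
		},
	}
}

func main() {
	// An account with a 0.3 compromise likelihood whose entry point is the workstation.
	for _, p := range RankPaths(SampleNetwork(), 0.3, "workstation") {
		fmt.Println(p)
	}
}
```

Enumerating every simple path is exponential in the worst case; on a real topology the search is bounded by depth, or branches are pruned once the running product drops below the smallest expected value still worth displaying.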
-
Patent number: 10028296Abstract: A node for determining a communication resource management algorithm is provided. The node includes a communication interface configured to obtain a measurement characteristic from a network device, and a circuitry containing instructions. When executed, the instructions cause the node to search a container repository to determine the existence of a measurement category for the measurement characteristic obtained from the network device, and when the container repository includes the measurement category for the network device, determine the communication resource management algorithm based at least on the measurement category.Type: GrantFiled: June 8, 2015Date of Patent: July 17, 2018Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)Inventors: Alex Stephenne, Leonard Lightstone, DongSheng Yu
-
Patent number: 10021070Abstract: In one embodiment, a method includes receiving capability information from an end host at a centralized security matrix in communication with a firewall and a plurality of end hosts, verifying, at the centralized security matrix, a trust level of the end host, assigning, at the centralized security matrix, a firewall function to the end host based on the trust level and capability information, and notifying the firewall of the firewall function assigned to the end host. Firewall functions are offloaded from the firewall to the end hosts by the centralized security matrix. An apparatus and logic are also disclosed herein.Type: GrantFiled: December 22, 2015Date of Patent: July 10, 2018Assignee: Cisco Technology, Inc.Inventors: Jin Teng, Subharthi Paul, Thilan Niroshaka Ganegedara, Xun Wang, Saman Taghavi Zargar, Jayaraman Iyer
-
Patent number: 10015018Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.Type: GrantFiled: July 21, 2017Date of Patent: July 3, 2018Assignee: Amazon Technologies, Inc.Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Patent number: 10009183Abstract: A server establishes a secure session with a client device where a private key used in the handshake when establishing the secure session is stored in a different server. During the handshake procedure, the server receives a premaster secret that has been encrypted using a public key bound to the domain for which the client device is attempting to establish the secure session. The server transmits the encrypted premaster secret to the different server for decryption along with other information necessary to compute a master secret. The different server decrypts the encrypted premaster secret, generates the master secret, and transmits the master secret to the server. The server receives the master secret and continues with the handshake procedure including generating one or more session keys that are used in the secure session for encrypting and decrypting communication between the client device and the server.Type: GrantFiled: September 20, 2016Date of Patent: June 26, 2018Assignee: CLOUDFLARE, INC.Inventors: Sébastien Andreas Henry Pahl, Matthieu Philippe François Tourne, Piotr Sikora, Ray Raymond Bejjani, Dane Orion Knecht, Matthew Browning Prince, John Graham-Cumming, Lee Hahn Holloway, Nicholas Thomas Sullivan, Albertus Strasheim
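Below is an added Go sketch (not Cloudflare's implementation) of the split this abstract describes for the TLS 1.2 RSA key exchange: the client encrypts a 48-byte premaster secret to the certificate's public key; the edge server, which holds no private key, forwards that ciphertext with the client and server randoms to the key server; the key server decrypts, runs the TLS 1.2 PRF to obtain the master secret and returns only that; the edge then expands the session key block itself. The RSA key is generated on the spot, the two randoms are constructed, the key block size is the one for an AES-256-GCM suite, and the key server call is a plain function call standing in for the authenticated channel a deployment would use.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// PRF is the TLS 1.2 pseudorandom function with SHA-256 (RFC 5246, section 5).
func PRF(secret []byte, label string, seed []byte, n int) []byte {
	labelSeed := append([]byte(label), seed...)
	a, out := labelSeed, []byte{}
	for len(out) < n {
		m := hmac.New(sha256.New, secret)
		m.Write(a)
		a = m.Sum(nil) // A(i) = HMAC(secret, A(i-1)), A(0) = label || seed
		m = hmac.New(sha256.New, secret)
		m.Write(a)
		m.Write(labelSeed)
		out = append(out, m.Sum(nil)...) // P_SHA256 block i
	}
	return out[:n]
}

func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }

// MasterSecret derives the 48-byte master secret from the premaster secret.
func MasterSecret(premaster, clientRandom, serverRandom []byte) []byte {
	return PRF(premaster, "master secret", cat(clientRandom, serverRandom), 48)
}

// KeyServer holds the private key; it is the only party that sees the premaster.
type KeyServer struct{ priv *rsa.PrivateKey }

func NewKeyServer(bits int) (*KeyServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &KeyServer{priv: priv}, nil
}

func (k *KeyServer) PublicKey() *rsa.PublicKey { return &k.priv.PublicKey }

// KeylessRequest is what the edge forwards: the ClientKeyExchange payload plus
// the two randoms needed to compute the master secret.
type KeylessRequest struct {
	EncryptedPremaster, ClientRandom, ServerRandom []byte
}

// Handle decrypts the premaster and returns only the master secret. A PKCS#1
// v1.5 padding failure is not reported: a random premaster is used instead,
// the RFC 5246 section 7.4.7.1 countermeasure against Bleichenbacher oracles.
func (k *KeyServer) Handle(req KeylessRequest) ([]byte, error) {
	premaster := make([]byte, 48)
	if _, err := rand.Read(premaster); err != nil {
		return nil, err
	}
	_ = rsa.DecryptPKCS1v15SessionKey(rand.Reader, k.priv, req.EncryptedPremaster, premaster)
	return MasterSecret(premaster, req.ClientRandom, req.ServerRandom), nil
}

// Edge terminates TLS without the private key: only the master secret comes
// back across the boundary, and the session keys are expanded locally.
type Edge struct{ KeyServer *KeyServer }

const keyBlockLen = 2*32 + 2*4 // AES-256-GCM: two write keys, two 4-byte implicit IVs

func (e *Edge) SessionKeys(encPremaster, clientRandom, serverRandom []byte) ([]byte, error) {
	master, err := e.KeyServer.Handle(KeylessRequest{encPremaster, clientRandom, serverRandom})
	if err != nil {
		return nil, err
	}
	return PRF(master, "key expansion", cat(serverRandom, clientRandom), keyBlockLen), nil
}

// ClientKeyExchange simulates the client: version(2) || 46 random bytes,
// RSA-PKCS#1 v1.5 encrypted to the certificate's public key.
func ClientKeyExchange(pub *rsa.PublicKey) (premaster, encrypted []byte, err error) {
	premaster = make([]byte, 48)
	premaster[0], premaster[1] = 3, 3 // TLS 1.2
	if _, err = rand.Read(premaster[2:]); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptPKCS1v15(rand.Reader, pub, premaster)
	return premaster, encrypted, err
}

func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

func main() {
	ks, _ := NewKeyServer(2048)
	edge := &Edge{KeyServer: ks}
	cr, sr := randomBytes(32), randomBytes(32)
	premaster, enc, _ := ClientKeyExchange(ks.PublicKey())
	edgeKeys, _ := edge.SessionKeys(enc, cr, sr)
	clientKeys := PRF(MasterSecret(premaster, cr, sr), "key expansion", cat(sr, cr), keyBlockLen)
	fmt.Println("edge and client agree on the key block:", bytes.Equal(edgeKeys, clientKeys))
}
```

Returning the master secret rather than the premaster keeps both the premaster and the private key on the key server host, which is the point of the split. Note that the padding-failure behaviour has to survive the split too: if the key server answered "bad padding" instead of silently using a random premaster, the edge would become a Bleichenbacher oracle for anyone who can reach it.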
-
Patent number: 10003678Abstract: The present invention provides an apparatus for processing at least one PDU (protocol data unit) in an N layer in a transmitting side of a broadcast system, the apparatus comprising a PDU processor for receiving at least one higher (N+1) layer PDU and generating a PDU including the received at least one higher (N+1) layer PDU and a PDU post-processor for post processing the generated PDU and transmitting the post-processed PDU to a lower (N-1) layer.Type: GrantFiled: December 3, 2014Date of Patent: June 19, 2018Assignee: LG Electronics Inc.Inventors: Woosuk Kwon, Sejin Oh, Woosuk Ko, Sungryong Hong, Kyoungsoo Moon
-
Patent number: 9992310Abstract: In an egress frame processing method, an Ethernet frame is received. Information defining an Internet Protocol (IP) tunnel between the network device and a peer network device over a public wide area network is determined. A media access control security (MACsec) policy that defines how to protect the Ethernet frame is determined based on the information defining the IP tunnel. The Ethernet frame is protected according to the MACsec policy. The following fields are appended to the protected Ethernet frame: (i) an unprotected layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol; (ii) an unprotected IP header corresponding to the IP tunnel; and (iii) an unprotected outer Ethernet header, to produce a partly protected egress frame. The partly protected egress frame is transmitted to the peer network device over the IP tunnel of the public wide area network.Type: GrantFiled: March 22, 2016Date of Patent: June 5, 2018Assignee: Cisco Technology, Inc.Inventors: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J. W. Vliegen
-
Patent number: 9992027Abstract: Cryptographic keys can include logging properties that enable those keys to be used only if the properties can be enforced by the cryptographic system requested to perform one or more actions using the keys. The logging property can specify how to log use of a respective key. A key can also include a mutability property for specifying whether the logging property can be changed, and if so under what circumstances or in which way(s). The ability to specify and automatically enforce logging can be important for environments where audit logs are essential. These can include, for example, public certificate authorities that must provide accurate and complete audit trails. In cases where the data is not to be provided outside a determined secure environment, the key can be generated with a property indicating not to log any of the usage.Type: GrantFiled: September 14, 2015Date of Patent: June 5, 2018Assignee: AMAZON TECHNOLOGIES, INC.Inventors: Gregory Alan Rubin, Gregory Branchek Roth
-
Patent number: 9992172Abstract: A system for remotely storing data includes a communication component that is configured to receive a data file to be stored on a remote data storage system. An encryption system is configured to obtain at least one key and encrypt the data file with the at least one key. A processor is configured to generate a request to a master key storage system through the communication component to operatively encrypt the at least one key using a master key stored in the master key storage system. The communication component is configured to transmit the encrypted data file to at least one remote storage location. The processor is configured to receive the encrypted key(s) from the master key storage system and store the encrypted key(s) in a data store.Type: GrantFiled: September 15, 2015Date of Patent: June 5, 2018Assignee: Microsoft Technology Licensing, LLCInventors: Dan Winter, David C. Oliver, Jeffrey L. McDowell, Zejian Wang, Parul Manek
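This abstract describes envelope encryption. The Go program below is an added example, not Microsoft's code: a fresh per-object data key encrypts the file, the master key service wraps that data key, the ciphertext is what would go to the remote storage location and the wrapped key is what the client keeps in its data store. AES-256-GCM for both layers, the object ID as associated data, and an in-process MasterKeyService standing in for the remote master key storage system are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// seal and open are AES-256-GCM with a random 12-byte nonce prefixed to the
// output; aad binds the ciphertext to its context (here, the object ID).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

func open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, blob[:ns], blob[ns:], aad)
	if err != nil {
		return nil, errors.New("authentication failed")
	}
	return pt, nil
}

// MasterKeyService models the separate master key storage system. It only
// ever handles data keys, never the file or the stored ciphertext.
type MasterKeyService struct{ master []byte }

func NewMasterKeyService() (*MasterKeyService, error) {
	mk, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	return &MasterKeyService{master: mk}, nil
}

// Wrap encrypts a data key under the master key, bound to keyID so a wrapped
// key cannot be moved from one stored object to another.
func (m *MasterKeyService) Wrap(dek, keyID []byte) ([]byte, error) { return seal(m.master, dek, keyID) }

func (m *MasterKeyService) Unwrap(wrapped, keyID []byte) ([]byte, error) {
	return open(m.master, wrapped, keyID)
}

// StoredObject separates the two artifacts: Ciphertext goes to remote storage,
// WrappedKey stays in the client's own data store.
type StoredObject struct {
	ID         string
	Ciphertext []byte
	WrappedKey []byte
}

type Client struct{ MKS *MasterKeyService }

// Store generates a per-object data key, encrypts the file with it, has the
// master key service wrap the key, and then discards the plaintext key.
func (c *Client) Store(id string, file []byte) (*StoredObject, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, file, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := c.MKS.Wrap(dek, []byte(id))
	if err != nil {
		return nil, err
	}
	return &StoredObject{ID: id, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// Retrieve unwraps the data key through the master key service, then decrypts.
func (c *Client) Retrieve(o *StoredObject) ([]byte, error) {
	dek, err := c.MKS.Unwrap(o.WrappedKey, []byte(o.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap %s: %w", o.ID, err)
	}
	return open(dek, o.Ciphertext, []byte(o.ID))
}

func main() {
	mks, _ := NewMasterKeyService()
	c := &Client{MKS: mks}
	obj, _ := c.Store("reports/q3.docx", []byte("quarterly numbers"))
	back, err := c.Retrieve(obj)
	fmt.Printf("%q err=%v (ciphertext %d bytes, wrapped key %d bytes)\n", back, err, len(obj.Ciphertext), len(obj.WrappedKey))
}
```

The operational payoff of this layout is that rotating or revoking the master key touches only the small wrapped keys in the data store, never the bulk ciphertext at the remote location, and the storage provider holds data it cannot decrypt on its own.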
-
Patent number: 9967372Abstract: In an egress processing method, an egress frame is received. The egress frame includes an outer Ethernet frame, an Internet Protocol (IP) header, a layer 3 (L3) encapsulation identifying a layer 2 (L2)-over-L3 tunnel protocol, and an inner Ethernet frame with a payload. The outer Ethernet frame, the IP header, the inner Ethernet frame, and the L3 encapsulation are parsed. Based on results of the parsing, a media access control security (MACsec) policy that defines how to protect the inner Ethernet frame is determined, and the inner Ethernet frame is protected according to the MACsec policy, while leaving unprotected the outer Ethernet frame, the IP header, and the L3 encapsulation, to produce a partly protected output egress frame. The partly protected output egress frame is transmitted to the peer network device over a public wide area network.Type: GrantFiled: March 22, 2016Date of Patent: May 8, 2018Assignee: Cisco Technology, Inc.Inventors: Kuralvanan Arangasamy, Brian Eliot Weis, Rakesh Chopra, Hugo J. W. Vliegen
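This abstract and the egress method in patent 9992310 above describe the same datapath: parse the outer Ethernet, IP and L2-over-L3 encapsulation, select a MACsec policy from the IP tunnel, and protect only the inner Ethernet frame. The Go program below is an added illustration of that datapath and is not Cisco's code. It assumes VXLAN over UDP/4789 as the L2-over-L3 protocol, a policy table keyed by outer IPv4 source and destination, GCM-AES-128 with a 16-byte SecTAG carrying the SCI, and a constructed sample frame; the IEEE 802.1AE layout it follows (SecTAG after the inner source MAC, nonce = SCI || PN, AAD = DA || SA || SecTAG, 16-byte ICV) is the standard one.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	ethLen, ipv4MinLen, udpLen, vxlanLen = 14, 20, 8, 8
	vxlanPort, macsecEtherType          = 4789, 0x88E5
	secTagLen, icvLen                   = 16, 16
)

// MACsecPolicy is what the tunnel lookup yields: the 128-bit SAK, the transmit
// secure channel's SCI and the next packet number (constructed values here).
type MACsecPolicy struct {
	SAK    [16]byte
	SCI    [8]byte
	NextPN uint32
}

type tunnelKey struct{ src, dst [4]byte } // the IP tunnel is identified by its outer endpoints
type Egress struct{ Policies map[tunnelKey]*MACsecPolicy }

// Protect parses outer Ethernet/IPv4/UDP/VXLAN, picks the MACsec policy by IP
// tunnel, protects only the inner Ethernet frame and copies the outer headers
// through unchanged. (A real datapath must also grow the outer IP total length
// and UDP length by 32 bytes and recompute the IPv4 header checksum.)
func (e *Egress) Protect(frame []byte) ([]byte, error) {
	if len(frame) < ethLen+ipv4MinLen {
		return nil, errors.New("frame too short")
	}
	ip := frame[ethLen:]
	ihl := int(ip[0]&0x0f) * 4
	if ip[0]>>4 != 4 || ihl < ipv4MinLen || ip[9] != 17 {
		return nil, errors.New("outer packet is not IPv4/UDP")
	}
	innerOff := ethLen + ihl + udpLen + vxlanLen
	if len(frame) < innerOff+ethLen {
		return nil, errors.New("no inner Ethernet frame")
	}
	if binary.BigEndian.Uint16(ip[ihl+2:ihl+4]) != vxlanPort {
		return nil, errors.New("not an L2-over-L3 tunnel (expected VXLAN)")
	}
	var k tunnelKey
	copy(k.src[:], ip[12:16])
	copy(k.dst[:], ip[16:20])
	pol, ok := e.Policies[k]
	if !ok {
		return nil, fmt.Errorf("no MACsec policy for tunnel %v -> %v", k.src, k.dst)
	}
	protected, err := MACsecSeal(pol, frame[innerOff:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, frame[:innerOff]...), protected...), nil
}

func gcmFor(p *MACsecPolicy) (cipher.AEAD, error) {
	block, err := aes.NewCipher(p.SAK[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MACsecSeal inserts a SecTAG after the inner source MAC, encrypts EtherType and
// payload with GCM-AES-128 (nonce = SCI || PN, AAD = DA || SA || SecTAG) and
// appends the 16-byte ICV, following IEEE 802.1AE.
func MACsecSeal(p *MACsecPolicy, inner []byte) ([]byte, error) {
	if len(inner) < ethLen {
		return nil, errors.New("inner frame too short")
	}
	if p.NextPN == 0 { // PN 0 is never sent; a wrapped counter means the SA must be rekeyed
		return nil, errors.New("PN exhausted: rekey the SA before sending")
	}
	aead, err := gcmFor(p)
	if err != nil {
		return nil, err
	}
	tag := make([]byte, secTagLen)
	binary.BigEndian.PutUint16(tag[0:2], macsecEtherType)
	tag[2] = 0x2c // TCI: SC=1 (SCI present), E=1, C=1; AN=0
	if n := len(inner) - 12; n < 48 {
		tag[3] = byte(n) // SL: short-length user data
	}
	binary.BigEndian.PutUint32(tag[4:8], p.NextPN)
	copy(tag[8:], p.SCI[:])
	p.NextPN++
	nonce := append(append([]byte{}, p.SCI[:]...), tag[4:8]...)
	aad := append(append([]byte{}, inner[:12]...), tag...)
	return append(aad, aead.Seal(nil, nonce, inner[12:], aad)...), nil
}

// MACsecOpen is the receiving peer: verify the ICV under the same SAK and
// return the original inner frame. The PN replay window is omitted here.
func MACsecOpen(p *MACsecPolicy, f []byte) ([]byte, error) {
	if len(f) < 12+secTagLen+icvLen || binary.BigEndian.Uint16(f[12:14]) != macsecEtherType {
		return nil, errors.New("not a MACsec frame")
	}
	aead, err := gcmFor(p)
	if err != nil {
		return nil, err
	}
	tag := f[12 : 12+secTagLen]
	nonce := append(append([]byte{}, tag[8:16]...), tag[4:8]...)
	pt, err := aead.Open(nil, nonce, f[12+secTagLen:], f[:12+secTagLen])
	if err != nil {
		return nil, errors.New("ICV check failed")
	}
	return append(append([]byte{}, f[:12]...), pt...), nil
}

// SampleFrame is a constructed outer Ethernet + IPv4 (10.0.0.1 -> 10.0.0.2) +
// UDP/4789 + VXLAN header carrying a 42-byte inner ARP frame.
func SampleFrame() []byte {
	f := []byte{0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0x08, 0x00}
	f = append(f, 0x45, 0, 0, 78, 0, 0, 0x40, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2)
	f = append(f, 0x12, 0x34, 0x12, 0xb5, 0, 58, 0, 0, 0x08, 0, 0, 0, 0, 0, 0x64, 0)
	f = append(f, 0xde, 0xad, 0xbe, 0xef, 0, 1, 0xde, 0xad, 0xbe, 0xef, 0, 2, 0x08, 0x06)
	return append(f, bytes.Repeat([]byte{0x5a}, 28)...)
}

// NewSampleEgress returns an egress with one constructed policy for the sample tunnel.
func NewSampleEgress() (*Egress, *MACsecPolicy) {
	pol := &MACsecPolicy{NextPN: 1}
	copy(pol.SAK[:], "constructed-sak!")
	copy(pol.SCI[:], []byte{0xde, 0xad, 0xbe, 0xef, 0, 2, 0, 1})
	return &Egress{Policies: map[tunnelKey]*MACsecPolicy{{src: [4]byte{10, 0, 0, 1}, dst: [4]byte{10, 0, 0, 2}}: pol}}, pol
}

func main() {
	eg, _ := NewSampleEgress()
	out, err := eg.Protect(SampleFrame())
	fmt.Printf("err=%v total=%d bytes: outer headers in the clear=50, protected inner=%d\n", err, len(out), len(out)-50)
}
```

What this shows concretely: the first 50 bytes of the output equal the input, so the WAN still routes the packet, while everything from the inner EtherType onward is ciphertext and the inner MACs are authenticated but visible. The sender side also shows the operational caveat of the scheme: the 32-bit PN is the GCM nonce counter and must never repeat under one SAK, so the code refuses to send once it wraps rather than silently reusing a nonce.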
-
Patent number: 9967279Abstract: A system and method for adaptively securing a protected entity against cyber-threats. The method comprises: determining, based on at least one input feature, at least one normalization function, wherein the at least one input feature defines an attribute of a data flow to be evaluated by the SDE; receiving at least one engine rule describing an anomaly to be evaluated; and creating an inference system including at least one inference unit, wherein each inference unit is determined based on one of the received at least one engine rule, wherein the inference system computes a score of anomaly (SoA) respective of the at least one input feature.Type: GrantFiled: May 19, 2015Date of Patent: May 8, 2018Assignee: Empow Cyber Security Ltd.Inventors: Avi Chesla, Shlomi Medalion
-
Patent number: 9967280Abstract: A security appliance may incorporate a touch screen or similar input/output interface, providing command and control over network functionality and configuration, without requiring log in via a network from another computing device. During denial of service attacks, commands from the local interface may be given priority access to processing resources and memory, allowing mitigating actions to be taken, such as shutting down ports, blacklisting packet sources, or modifying filter rules. This may allow the security device to address attacks without having to be manually rebooted or disconnected from the network.Type: GrantFiled: May 22, 2017Date of Patent: May 8, 2018Assignee: Fortress Cyber Security, LLCInventor: Dejan Nenov
-
Patent number: 9961103Abstract: A network-based appliance includes a mechanism to intercept, decrypt and inspect secure network traffic flowing over SSL/TLS between a client and a server. The mechanism responds to detection of a session initiation request message from the client, the message being received following establishment of a TCP connection between the client and server. The mechanism responds by holding the session initiation request message, preferably by creating a fake socket to a local process, and then diverting the request message over that socket. The TCP connection is then terminated, and the mechanism initiates a new session initiation request message to the server, all while the original session initiation request message continues to be held. The server responds with its server certificate, which is then used by the mechanism to generate a new server certificate. The new server certificate is then returned to the requesting client as the response to the session initiation request message.Type: GrantFiled: October 28, 2014Date of Patent: May 1, 2018Assignee: International Business Machines CorporationInventors: Ronald Becker Williams, Paul Coccoli, John William Court, Gregory Lyle Galloway, Matthew Joseph Kubilus, Steven Ashley Mazur, Joseph Karl Vossen