By Certificate Patents (Class 713/156)
  • Patent number: 9961087
    Abstract: The present technology provides a less burdensome mechanism to bring media items owned or licensed in the physical world into an account hosted by an electronic media provider. A specific use case deals with magazine subscriptions wherein the electronic media provider can send entity identifying information to a publisher clearinghouse that has subscription data for many different magazines. If the entity information sufficiently matches subscription information, the clearinghouse sends back data identifying magazines for which the entity is entitled to a digital copy, and these magazines become available to the user through the electronic media provider.
    Type: Grant
    Filed: January 25, 2017
    Date of Patent: May 1, 2018
    Assignee: Apple Inc.
    Inventors: Farman A. Syed, Ian J. Elseth, Martin J. Murrett, Michelle H. Gonzalez
  • Patent number: 9961073
    Abstract: Techniques are disclosed for dynamically generating a digital certificate for a customer server. A customer server creates a certificate profile and receives an associated profile identifier from a certificate authority (CA). The customer server installs an agent application received from the CA. The agent application generates a public/private key pair and an identifier associated with the customer server. The agent application sends a signed request to the CA that includes the profile identifier, server identifier, and the public key corresponding to the key pair. Upon receiving the credentials, the CA generates a dynamically updatable certificate. Thereafter, if the customer changes information associated with the certificate (or if external conditions require a change to the certificate, such as a key compromise or change in security standards), the CA may generate an updated certificate based on the certificate profile changes and the public key.
    Type: Grant
    Filed: September 30, 2013
    Date of Patent: May 1, 2018
    Assignee: DigiCert, Inc.
    Inventor: Kokil Bhalerao
  • Patent number: 9947033
    Abstract: A technology for a streaming data marketplace is provided. In one example, a method may include requesting to receive a first stream of data from a first source via the streaming data marketplace. The first stream of data may be received and then correlated and combined with data from a second source as a combined stream. The combined stream may then be published to the streaming data marketplace.
    Type: Grant
    Filed: September 29, 2014
    Date of Patent: April 17, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Thomas Charles Stickle, Dorothy Copeland
  • Patent number: 9949122
    Abstract: Disclosed is a method and an audio device system comprising at least a first device for transmitting and/or receiving audio over a first protocol, where the first device is configured for securely pairing with a second device, where the first device comprises a processor configured for: —generating a random passkey comprising a number of digits; —generating an image, where the digits of the random passkey are embedded in a challenge-response test image; —transmitting the image to the second device over a second protocol; and —pairing with the second device over the first protocol, when a first criterion related to the random passkey is satisfied.
    Type: Grant
    Filed: October 26, 2016
    Date of Patent: April 17, 2018
    Assignee: GN Audio A/S
    Inventor: Tomasz Goldman
  • Patent number: 9942219
    Abstract: In one embodiment, a method is provided that may include one or more operations. One of these operations may include, in response, at least in part, to a request to store input data in storage, encrypting, based at least in part upon one or more keys, the input data to generate output data to store in the storage. The one or more keys may be authorized by a remote authority. Alternatively or additionally, another of these operations may include, in response, at least in part, to a request to retrieve the input data from the storage, decrypting, based at least in part upon the at least one key, the output data. Many modifications, variations, and alternatives are possible without departing from this embodiment.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: April 10, 2018
    Assignee: Intel Corporation
    Inventors: Vincent J. Zimmer, Michael A. Rothman
  • Patent number: 9942050
    Abstract: A new approach is proposed that contemplates systems and methods to support bulk authentication of a device associated with a user to all cloud-based services the device intends to access in one transaction instead of authenticating the device against each of the services individually. First, the device generates and transmits to one or more authentication service clusters an authentication request that includes its identification and authentication credentials in order to access a plurality of services. Upon receiving the authentication request, the authentication service cluster(s) authenticate the device for all of the services to be accessed based on the information in the authentication request. Once the device is authenticated, the authentication service cluster(s) then retrieve entitlement information of the services to be accessed by the device, and identify the service clusters/nodes that the device will connect to for the services with the fastest response time.
    Type: Grant
    Filed: May 3, 2017
    Date of Patent: April 10, 2018
    Assignee: BARRACUDA NETWORKS, INC.
    Inventors: Fleming Shi, Luo Wang
  • Patent number: 9916451
    Abstract: Pre-validation of bootloader certificates for firmware bootloaders of an operating system boot list during a setup mode of BIOS boot initiation provides the end user with a tool to address boot certification problems associated with the firmware bootloaders before the operating system boot precludes execution of bootloaders that lack a valid certificate. For example, re-configuration of a boot list to address certification problems before exit of boot setup prevents boot to an inoperative state caused by lack of firmware execution during boot due to a failed certificate, such as a failure to load an unsigned option ROM.
    Type: Grant
    Filed: October 7, 2015
    Date of Patent: March 13, 2018
    Assignee: Dell Products L.P.
    Inventors: Jonathan B. Barkelew, Kurt D. Gillespie
  • Patent number: 9916545
    Abstract: Methods and apparatus for portable network interfaces to manage authentication and license enforcement. A system may include a plurality of resource instances including a producer instance configured to implement a network-accessible service, and an authentication coordinator. The coordinator may assign an interface record to the service, wherein the interface record comprises an IP address and a set of security properties. The coordinator may configure the security properties to allow a client to request an attachment of the interface record to a selected resource instance, such that the selected resource instance is enabled to transmit network messages from the IP address using one or more physical network interfaces of the selected resource instance. The producer resource instance initiates authentication operations for the service, including at least one authentication operation based on the IP address of the interface record.
    Type: Grant
    Filed: February 29, 2012
    Date of Patent: March 13, 2018
    Assignee: Amazon Technologies, Inc.
    Inventors: Christopher Richard Jacques de Kadt, James Alfred Gordon Greenfield
  • Patent number: 9906503
    Abstract: A domain name registrar may provide a service for a domain name registrant to automatically and without further action by the domain name registrant (other than possibly paying for the service) enable secure socket layer (SSL) for a domain name to a third party hosting service, even when the domain name registrar does not own or control the third party hosting service. The invention allows a user (that may or may not be the domain name registrant) to use the domain name registered to the domain name registrant to communicate with a domain name registrant account (possibly a website) on the third party hosting service via a proxy server. The communication between the user and the proxy server may be encrypted such as by the SSL protocol.
    Type: Grant
    Filed: December 30, 2016
    Date of Patent: February 27, 2018
    Assignee: Go Daddy Operating Company, LLC
    Inventors: Wayne Thayer, Elissa Murphy, Marek Olszewski, Silas Boyd-Wickizer
  • Patent number: 9906374
    Abstract: Efficient certificate revocation list (CRL) processing is disclosed. A desired modification to an encoded CRL is determined. A computing device sequentially processes, during a first pass, a first CRL stream comprising the CRL to identify a CRL length difference between the CRL and a modified CRL based on the desired modification. The computing device sequentially processes, during a second pass, a second CRL stream comprising the CRL. The computing device, during the second pass, streams a modified encoded header portion to a modified CRL stream that identifies a new length of the modified CRL based on the length difference, streams a modified encoded CRL entries portion comprising a plurality of CRL entries to the modified CRL stream that contains the desired modification, and streams a modified encoded trailer portion to the modified CRL stream that contains a new digital signature based on the desired modification.
    Type: Grant
    Filed: February 29, 2016
    Date of Patent: February 27, 2018
    Assignee: Red Hat, Inc.
    Inventors: Thomas A. Wood, Christopher L. Rog, Adrian K. Likins
  • Patent number: 9906531
    Abstract: A computer program product for cross-site request forgery (CSRF) prevention is provided and includes a computer readable storage medium having program instructions embodied therewith. The program instructions are readable and executable by a processing circuit to cause the processing circuit to issue a server request for a certificate, which is associated with a user, responsive to a client request to visit a uniform resource indicator (URI) being received, validate the certificate upon receipt in fulfillment of the server request, compare a referrer listed in a header of the client request with a list of certificate elements in the certificate, authenticate the user in accordance with correlation between the referrer and at least one of the certificate elements and authorize the client request to visit the URI upon the user being authenticated.
    Type: Grant
    Filed: November 23, 2015
    Date of Patent: February 27, 2018
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: John C. Dayka, Michael P. Kasper, Eysha S. Powers
  • Patent number: 9900292
    Abstract: A method and apparatus for providing a security service for a vehicle-dedicated data channel in linking between a vehicle head unit and an external device is disclosed. The method of providing the security service for the vehicle-dedicated data channel may include: transmitting, to the terminal, a predetermined integrity verification request message for requesting integrity verification of application software and an operating system included in the terminal; receiving an integrity verification result message from the terminal, exchanging a plaintext symmetric key with the terminal when integrity of the operating system and the application software is successfully verified according to the integrity verification result message; and establishing a vehicle-dedicated data channel to the terminal and transmitting and receiving a packet encrypted using the plaintext symmetric key through the established vehicle-dedicated data channel when the plaintext symmetric key is successfully exchanged.
    Type: Grant
    Filed: February 26, 2016
    Date of Patent: February 20, 2018
    Assignee: HYUNDAI MOTOR COMPANY
    Inventor: Seung Cheol Lee
  • Patent number: 9900755
    Abstract: Systems and methods for verifying end-to-end data consistency are disclosed herein. The system can include a source hub that can: generate a first message from data received from a user; and generate an initial message identifier. The system can include an intermediate hub that can: receive the first message from the source hub via the communication network; receive the initial message identifier from the source hub via the communication network; transmit an output message; and generate an output message identifier. The system can include a terminal hub that can: receive the output message; receive the output message identifier; calculate a result value from the received output message and the received output message identifier; and provide an alert to a user device when a data loss is identified based on the result value.
    Type: Grant
    Filed: January 26, 2016
    Date of Patent: February 20, 2018
    Assignee: PEARSON EDUCATION, INC.
    Inventor: Dibyendu Bhattacharya
  • Patent number: 9900305
    Abstract: This invention relates to methods for controlling and monitoring access to network servers. In particular, the process described in the invention includes client-server sessions over the Internet. In this environment, when the user attempts to access an access-controlled file, the server subjects the request to a secondary server which determines whether the client has an authorization or valid account. Upon such verification, the user is provided with a session identification which allows the user to access the requested file as well as any other files within the present protection domain.
    Type: Grant
    Filed: December 13, 2005
    Date of Patent: February 20, 2018
    Assignee: Soverain IP, LLC
    Inventors: Thomas Mark Levergood, Lawrence C. Stewart, Stephen Jeffrey Morris, Andrew C. Payne, George Winfield Treese
  • Patent number: 9886574
    Abstract: Managing validity status of at least one associated credential includes providing a credential manager that selectively validates associated credentials for at least one device, the device invalidating a corresponding associated credential, and the device requesting that the credential manager validate the corresponding associated credential after invalidating the associated credential. The associated credential may be invalidated based on an external event, such as a user invalidating the associated credential from a UI of the device, a user improperly entering a pin value, a user indicating that a corresponding device is lost, the device entering sleep mode, the device locking a user interface thereof, the device shutting down, and a particular time of day. The at least one associated credential may be provided on an integrated circuit card (ICC) that may be part of a mobile phone and/or a smart card.
    Type: Grant
    Filed: May 5, 2016
    Date of Patent: February 6, 2018
    Assignee: Assa Abloy AB
    Inventor: Eric F. Le Saint
  • Patent number: 9886589
    Abstract: A method for protecting data is disclosed that protects not only who may access data but also how it is used. This invention uses an intelligent proxy which controls access to protected data using any of a variety of already existing security measures and is also the only object capable of making use of the data so that the data may not be copied or otherwise used in any manner inconsistent with the design of a data protection scheme chosen to meet security needs.
    Type: Grant
    Filed: December 7, 2015
    Date of Patent: February 6, 2018
    Inventors: Andrew John Polcha, Sr., Michael Patrick Polcha, Sr.
  • Patent number: 9887982
    Abstract: Techniques are disclosed for accelerating online certificate status protocol (OCSP) response distribution to relying parties using a content delivery network (CDN). A certificate authority generates updated OCSP responses for OCSP responses cached in the CDN that are about to expire. In addition, the certificate authority pre-generates cache keys in place of CDNs generating the keys. The certificate authority sends the OCSP responses and the cache keys in one transaction, and the CDN, in turn, consumes the new OCSP responses using the cache keys.
    Type: Grant
    Filed: October 9, 2013
    Date of Patent: February 6, 2018
    Assignee: DigiCert, Inc.
    Inventors: Richard F. Andrews, Quentin Liu
  • Patent number: 9887975
    Abstract: In some embodiments, an authentication method comprises receiving a request for a digital signature of data from a delegate computer over a secure channel using cryptography to provide authentication, wherein the secure channel comprises at least one wireless communications link; displaying information derived from the data; prompting a user for approval of the request with information derived from the data; in response to receiving approval from the user, creating the digital signature of the data using one or more private keys stored in a key enclave; and sending the digital signature to the delegate computer over the secure channel.
    Type: Grant
    Filed: August 3, 2017
    Date of Patent: February 6, 2018
    Assignee: KryptCo, Inc.
    Inventors: David Gifford, Kevin Churan King, Alex Grinman
  • Patent number: 9882726
    Abstract: A method and apparatus are provided for initial certification enrollment in a wireless communication system. A first mobile device establishes a first wireless connection with an infrastructure and a second wireless connection with a second mobile device. The first mobile device receives, from the second mobile device, a first certification request that includes a request for a digital certificate for the second mobile device and first biometric data associated with a user of the first mobile device. The first mobile device obtains second biometric data associated with a user of the second mobile device and conveys a second certification request to the infrastructure that includes the request for the digital certificate for the second mobile device and the first and second biometric data. The first mobile device then receives, from the infrastructure, the digital certificate for the second mobile device and forwards, to the second mobile device, the digital certificate.
    Type: Grant
    Filed: May 22, 2015
    Date of Patent: January 30, 2018
    Assignee: MOTOROLA SOLUTIONS, INC.
    Inventors: Ding Ma, Jonathan P. Akers
  • Patent number: 9871655
    Abstract: A method for deriving a verification token from a credential may be provided. The credential may be a set of attributes certified by an issuer to a user using a public key of the issuer. The method may comprise generating the verification token out of the credential and binding the verification token to a context string, wherein the verification token may comprise at least one commitment. A commitment may be a blinded version of an attribute. The method may also comprise generating an opening key for the verification token enabling a generation of a confirmation for a validity of the attribute.
    Type: Grant
    Filed: January 10, 2017
    Date of Patent: January 16, 2018
    Assignee: International Business Machines Corporation
    Inventors: Jan L. Camenisch, Anja Lehmann, Gregory Neven
  • Patent number: 9866567
    Abstract: Described herein are systems and methods for performing operations responsive to potentially malicious activity. Embodiments may include receiving an indication of the potentially malicious activity in a computer network; identifying, based on data included in the indication, at least one network account associated with the potentially malicious activity; determining, based on the identifying and further based on the data included in the indication and according to a defined policy, at least one responsive operation with respect to the at least one identified network account; and invoking, based on the determining, the at least one responsive operation, the at least one responsive operation being implemented to mitigate the potentially malicious activity in the computer network.
    Type: Grant
    Filed: May 23, 2017
    Date of Patent: January 9, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Andrey Dulkin, Yair Sade, Omer Benedict, Jessica Stanford, Lavi Lazarovitz
  • Patent number: 9866396
    Abstract: There is provided a method for secure communications. The method includes a computing device receiving a notification comprising a message, a counter value, a signature signed by a signer and based on the message and the counter value, and an indication of the signer. The device obtains a current counter value based on an identity of the signer, checks the signature and compares the counter value with the current counter value; and, if the counter comparison and the signature checking is successful, accepting the message.
    Type: Grant
    Filed: July 29, 2016
    Date of Patent: January 9, 2018
    Assignee: BlackBerry Limited and Certicom Corp.
    Inventors: Michael Eoin Buckley, Robert John Lambert, Nevine Maurice Nassif Ebeid
  • Patent number: 9866566
    Abstract: Described herein are systems and methods for performing potentially malicious activity detection operations. Embodiments may include receiving data associated with a plurality of authentication messages; analyzing the received data associated with the plurality of authentication messages; determining, based on the analyzing, a plurality of characteristics of the data associated with the authentication messages; receiving data associated with a new authentication message communicated over the network; determining a plurality of characteristics of the data associated with the new authentication message; comparing at least one determined characteristic of the new authentication message data with at least one of: a determined characteristic of the plurality of authentication messages data, known valid data, and known invalid data; and generating, based on the comparison, an assessment of whether the new authentication message is indicative of the potentially malicious activity in the network.
    Type: Grant
    Filed: May 23, 2017
    Date of Patent: January 9, 2018
    Assignee: CyberArk Software Ltd.
    Inventors: Andrey Dulkin, Lavi Lazarovitz
  • Patent number: 9858781
    Abstract: Disclosed are techniques that render a graphical user interface on a display device for performing transactions with a security system. The techniques include listening by a user device for a beacon from the security system, the beacon including a message and imitating by the user device the transaction with the security system in response to the message, with the message causing the user device to render a graphical user interface that has fields for entering an email address and a password to register the user device with a security server, with the graphical user interface rendering on the display a public key stored in a user digital wallet and a user digital wallet identification and sending in response to the message, a user's public key that is stored in the user's wallet and which is embedded in a code.
    Type: Grant
    Filed: May 16, 2017
    Date of Patent: January 2, 2018
    Assignee: Tyco Integrated Security, LLC
    Inventors: Richard Campero, Sean Davis, Graeme Jarvis, Terezinha Rumble
  • Patent number: 9860749
    Abstract: Systems and methods for verification conducted at a secure element are disclosed. In a method of verification conducted at a secure element interacting with a mobile device, the secure element receives at least one of an identifier of a universal integrated circuit card (UICC) and an identifier of the mobile device. The secure element then compares each of the received at least one identifiers against a registered identifier of corresponding form stored in a non-volatile memory of the secure element. If the received at least one identifiers match corresponding registered identifiers stored in the non-volatile memory, the secure element permits further interaction with the mobile device. If at least one of the received identifiers does not match corresponding registered identifiers stored in the non-volatile memory, the secure element denies further interaction with the mobile device.
    Type: Grant
    Filed: May 29, 2014
    Date of Patent: January 2, 2018
    Assignee: VISA INTERNATIONAL SERVICE ASSOCIATION
    Inventors: Horatio Nelson Huxham, Alan Joseph O'Regan, Tara Anne Moss, Hough Arie Van Wyk
  • Patent number: 9858402
    Abstract: A multi-party security protocol that incorporates biometric-based authentication and withstands attacks against any single party (e.g., mobile phone, cloud, or the user). The protocol involves the function split between mobile and cloud and the mechanisms to chain-hold the secrets. A key generation mechanisms binds secrets to a specific device or URL (uniform resource locator) by adding salt to a master credential. An inline CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) handling mechanism uses the same sensor modality as the authentication process, which not only improves the usability, but also facilitates the authentication process. This architecture further enhances existing overall system security (e.g., handling untrusted or compromised cloud service, phone being lost, impersonation, etc.) and also improves the usability by automatically handling the CAPTCHA.
    Type: Grant
    Filed: August 21, 2015
    Date of Patent: January 2, 2018
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Guobin Shen, Fan Yang, Lidong Zhou
  • Patent number: 9860275
    Abstract: Systems and methods to rotate security assets used for secure communications are disclosed. The system includes receiving a first certificate that includes a first subject name for the remote servers. The first certificate further includes a first public key. Next, the system receives a second certificate that includes the first subject name for the remote servers. The second certificate further includes a second public key that is different from the first public key. Next, the system stores the first and second certificates in a trust module. Next, the system receives a third certificate from a first server included in the plurality of remote servers. Next, the system identifies the first server is trusted. The identifying is based on the third certificate matching any one of the first certificate and the second certificate. Finally, the system establishes a secure communication session with the first server based on the identifying the first server is trusted.
    Type: Grant
    Filed: December 30, 2008
    Date of Patent: January 2, 2018
    Assignee: eBay Inc.
    Inventors: Michael Dean Kleinpeter, Raju Venkata Kolluru
  • Patent number: 9852285
    Abstract: The disclosure relates to a digital identity system for creating a computer stored digital identity. The system includes a network interface configured to send and receive electronic messages, persistent electronic storage, a profile management module executing on a processor configured to receive from an entity an electronic message comprising a data item, extract the data item from the electronic message and store the data item in a digital profile in the persistent electronic storage. The system also includes a credential creation module executing on a processor, a publication module executing on a processor, and a receipt generation module executing on a processor.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: December 26, 2017
    Assignee: YOTI HOLDING LIMITED
    Inventors: Eleanor Simone Frederika Loughlin-McHugh, Roman Edward Szczesniak
  • Patent number: 9843452
    Abstract: A certificate authority service receives a request to issue a long-duration digital certificate from an entity for validation purposes between the entity and the service. Upon issuance of the long-duration digital certificate, the entity submits a request to the service for issuance of a short-duration digital certificate that includes a shorter validity period than the long-duration digital certificate. The service may utilize the long-duration digital certificate to validate the entity and, upon validating the entity, issues the short-duration digital certificate to the entity. The entity may subsequently utilize the short-duration digital certificate to enable a user client to authenticate the entity and securely communicate with the entity.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: December 12, 2017
    Assignee: Amazon Technologies, Inc.
    Inventor: Peter Zachary Bowen
  • Patent number: 9838525
    Abstract: A non-transitory computer-readable medium having code stored thereon, the code includes instructions to receive an indication to communicatively couple a utility meter to an auxiliary device via a mobile electronic device, and capture a visual representation of a unique identifier of the utility meter via the mobile electronic device. The unique identifier includes an authentication mechanism configured to establish a first authentication and a second authentication of a user of the mobile electronic device. The code includes instructions to receive an acknowledgement to communicatively couple the mobile electronic device to the utility meter when the first authentication and the second authentication are satisfied.
    Type: Grant
    Filed: January 3, 2014
    Date of Patent: December 5, 2017
    Assignee: General Electric Company
    Inventors: Steven Lee Bietz, Jesus Acosta-Cazaubon, Christopher Hett
  • Patent number: 9838204
    Abstract: A device may receive a connection request including a digital certificate from an endpoint for establishing a secure connection for a communication, the digital certificate including a digital certificate chain identifying one or more certificate authorities associated with the digital certificate. The device may determine whether the digital certificate is valid based on the digital certificate chain identifying one or more certificate authorities trusted by the device. The device may determine whether the connection request includes a valid token. The device may generate a token based on the digital certificate being valid and an absence of a valid token included in the connection request. The device may associate the token with the digital certificate. The device may distribute the token to the endpoint. The device may establish the secure connection with the endpoint using the token associated with the digital certificate.
    Type: Grant
    Filed: May 14, 2015
    Date of Patent: December 5, 2017
    Assignee: Verizon Patent and Licensing Inc.
    Inventors: Paul T. Schultz, Robert A. Sartini
  • Patent number: 9832019
    Abstract: In some embodiments, encrypted biometric data are stored in advance in a device that is possessed or carried by a user (for example, a smartcard, a communication terminal, or the like) based on a public key certificate, and a user authentication (first user authentication) is performed by a biometric matching in the device. A public key certificate matching the encrypted biometric data is used to perform a user authentication (second user authentication) for a transaction authorization in a service providing server. According to some embodiments, one time password, keystroke, dynamic signature, location information, and the like are employed as additional authentication factors to tighten the security of the first and second user authentications. According to some embodiments, an authentication mechanism including the first user authentication and the second user authentication is applied to control an access to the IoT device.
    Type: Grant
    Filed: April 22, 2015
    Date of Patent: November 28, 2017
    Inventor: Unho Choi
  • Patent number: 9819497
    Abstract: In a computer-implemented method for automated provisioning of a certificate in a computing system, a certificate signing request is accessed from a computing node by a centralized management tool of the computing system. The certificate signing request is provided to a certificate authority by the centralized management tool. A signed certificate is accessed from the certificate authority for the computing node. The signed certificate is provided to the computing node, by the centralized management tool, such that there is automated provisioning of the signed certificate at the computing node to establish trust of the computing node in the computing system.
    Type: Grant
    Filed: June 30, 2015
    Date of Patent: November 14, 2017
    Assignee: VMware, Inc.
    Inventors: Mukund Gunti, Kalyan Ram Chintalapati, Suresh Sundriyal, Tushar Thole, Swapnil Daingade, Sridhar T Reddy, Anu Engineer, Patrick William Penzias Dirks, Ratnadeep Bhattacharjee
  • Patent number: 9817681
    Abstract: Methods, systems, and computer program products relating to recommending settings include collecting operating parameter and usage condition data for a plurality of electronic devices from one or more databases, analyzing the data to create a predictive model to estimate predicted operating parameters based on usage conditions, applying current device usage conditions from a current device to the predictive model to determine recommended device settings, and changing current device settings based on the recommended device settings.
    Type: Grant
    Filed: May 7, 2015
    Date of Patent: November 14, 2017
    Assignee: International Business Machines Corporation
    Inventors: Michal Broz, Steven D. Clay, Richard S. Schwerdtfeger, Shunguo Yan
  • Patent number: 9807065
    Abstract: Embodiments of the disclosure include a wireless device and a computer readable medium with programmable instructions which when executed cause a processor of the wireless device to securely store a message. The device and computer readable medium are configured to receive a message at the device, filter the message according to at least one predetermined criteria, encrypt the message if the message includes at least the one predetermined criteria, and store the encrypted message in the wireless device.
    Type: Grant
    Filed: June 15, 2016
    Date of Patent: October 31, 2017
    Assignee: INTEL DEUTSCHLAND GMBH
    Inventors: Uma Ranjan, Brajesh Kumar, Dipu Vikram
  • Patent number: 9806891
    Abstract: An industrial automation gateway providing an extended web of trust is provided. The industrial automation gateway includes a cloud communication interface coupled with a cloud automation facility, a hardware memory, and a processor coupled with the cloud communication interface and the hardware memory. The cloud automation facility includes a cloud hardware memory storing a cloud root certificate from a first root certificate authority and a subordinate certificate. The hardware memory stores a gateway root certificate from a second root certificate authority and the subordinate certificate. The processor is configured to determine if the subordinate certificate has been certified by the first root certificate authority and the second root certificate authority.
    Type: Grant
    Filed: June 19, 2015
    Date of Patent: October 31, 2017
    Assignee: Rockwell Automation Technologies, Inc.
    Inventors: Paul D. Schmirler, Timothy S. Biernat
  • Patent number: 9799063
    Abstract: Systems, apparatus, and methods are disclosed for accurately identifying one or more mobile thing motion activity (MTMAs; e.g., stationary, walking, running, biking, driving, etc.) associated with a mobile thing (MT; e.g., a person) using sensor data from one or more sensors associated with a wireless communication device (WCD) transported by the MT and for facilitating purchase of a good or service based at least in part upon the one or more MTMAs and one or more predefined user preferences. The sensor data from the one or more sensors (e.g., accelerometer, gyroscope, magnetometer, etc.) is designed to produce data indicative of physical movement of the WCD in three dimensions of a three dimensional (3D) space. In some embodiments, the one or more MTMAs are a plurality of instances of the same MTMA (e.g., a plurality of running sessions) and the purchase of the good or service (e.g., new running shoes) is initiated when a total time duration or total travel distance exceeds a predefined threshold (e.g.
    Type: Grant
    Filed: February 13, 2015
    Date of Patent: October 24, 2017
    Assignee: IOT HUMAN MESSAGING LLC
    Inventors: Martin Kelly Jones, Scott A. Horstemeyer, Maria Khomenko
  • Patent number: 9794249
    Abstract: In a general aspect, a digital certificate can be used with multiple cryptography systems (“cryptosystems”). In some cases, the digital certificate includes a public key field, which contains a first public key of an entity. The first public key of the entity is associated with a first cryptosystem. The digital certificate includes a signature value field, which contains a first digital signature of a certificate authority. The first digital signature is associated with the first cryptosystem. The digital certificate includes an extension. The extension contains a second public key of the entity, a second digital signature of the certificate authority or both. The second public key is associated with a second cryptosystem, and the second digital signature is associated with the second cryptosystem.
    Type: Grant
    Filed: April 6, 2017
    Date of Patent: October 17, 2017
    Assignee: ISARA Corporation
    Inventors: Alexander Truskovsky, Atsushi Yamada, Michael Kenneth Brown, Gustav Michael Gutoski
  • Patent number: 9787477
    Abstract: Embodiments presented herein provide a validation service used to validate a certificate chain for both public facing servers as well as internal, non-public facing servers. To validate a certificate chain, the client generates a request with the network address and sends it to the validation service. In response, the validation service attempts to establish a connection with the server at the network address. If successful, the validation service receives a certificate chain from the server and can verify that the certificate chain is complete, valid, and chains to a trusted root. If the validation service cannot connect to the network address identified in the request, then the validation service sends a local validation component to the requesting client. The local validation component executes from the client and validates the certificate chain presented by the network server.
    Type: Grant
    Filed: September 5, 2014
    Date of Patent: October 10, 2017
    Assignee: Symantec Corporation
    Inventors: Padam Singal, Deepa Priya Ramachandran
  • Patent number: 9788202
    Abstract: The invention is a method for authorizing a device to establish a communication session with an access point of a WLAN. A secure token comprises a data related to a telecom network subscription and is connected to the device. The device comprises credentials required for establishing the communication session with the access point. The method comprises the following steps: asking the secure token to initiate an authentication by using the data, running an authentication process initiated by the secure token by using the data and a communication channel provided by the telecom network, in case of successful authentication, sending an authentication pattern from the secure token to the device, authorizing use of the credentials thanks to the authentication pattern in the device and establishing the communication session between the device and the access point by using said credentials.
    Type: Grant
    Filed: June 18, 2013
    Date of Patent: October 10, 2017
    Assignee: GEMALTO SA
    Inventor: Jean-François Kuc
  • Patent number: 9774587
    Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for automating the collection of user information for account aggregation. In one aspect, a method includes receiving, at a server computer system from a mobile device of a user, a first user request to access account information; receiving, at the server computer system from a provider computer system, a plurality of mobile device applications; for each respective establishment of the plurality of establishments: storing, at the server computer system, establishment login credentials of the user to access account information of the user at a computer system of the respective establishment, and obtaining account information of the user at the respective establishment; aggregating, on the computer system, all the account information of the user from the respective mobile device application of each establishment; and providing to the mobile device the aggregated account information of the user.
    Type: Grant
    Filed: September 14, 2015
    Date of Patent: September 26, 2017
    Assignee: Yodlee, Inc.
    Inventors: Kirti Kumar, Vinay Nagaraj
  • Patent number: 9768962
    Abstract: The subject disclosure is directed towards credential verification for accessing a service provider. A user may prove to the service provider the validity of the credential by communicating a non-revocation component that is based upon a prime-order cryptographic group without a bilinear pairing. In order to authenticate the user, a verification mechanism within an identity management system applies private cryptographic data, including a verifier-designated private key to the non-revocation component, which proves that the user's identity and therefore, the credential is not revoked. The presentation proof includes a hash value that is computed using the credential's commitment and the prime-order cryptographic group. By verifying that the hash value was computed using that commitment, the verification mechanism validates the credential and permits access to the service provider.
    Type: Grant
    Filed: March 15, 2013
    Date of Patent: September 19, 2017
    Assignee: MICROSOFT TECHNOLOGY LICENSING, LLC
    Inventors: Tolga Acar, Christian Paquin, Duy Lan Nguyen, Melissa Chase
  • Patent number: 9769151
    Abstract: Techniques are disclosed for generating multiple key pairs using different algorithms and similarly installing certificates signed using the different algorithms. A customer server receives a selection of algorithms for generating a public/private key pair (e.g., RSA, ECC, DSA, etc.). The customer server generates key pairs for each selection and also generates corresponding certificate signing requests (CSR). The customer server sends the CSRs to a certificate authority (CA). The CA generates certificates associated with algorithm and sends the certificates to the customer server. The customer server may prompt a user to select one or more of the certificates to install, and upon receiving the selection, the customer installs the certificates.
    Type: Grant
    Filed: December 23, 2013
    Date of Patent: September 19, 2017
    Assignee: Symantec Corporation
    Inventors: Michael Klieman, Perry Tancredi
  • Patent number: 9769169
    Abstract: The present disclosure is directed to secure sensor data transport and processing. End-to-end security may prevent attackers from altering data during the sensor-based security procedure. For example, following sensor data capture, execution in a device may be temporarily suspended. During the suspension of execution, sensor interface circuitry in the device may copy the sensor data from a memory location associated with the sensor to a trusted execution environment (TEE) within the device. The TEE may provide a secure location in which the sensor data may be processed and a determination may be made as to whether to grant access to the secure resources. The TEE may comprise, for example, match circuitry to compare the sensor data to previously captured sensor data for users that are allowed to access the secured resources and output circuitry to grant access to the secured resources or to perform activities associated with a security exception.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: September 19, 2017
    Assignee: INTEL CORPORATION
    Inventors: Hormuzd M. Khosravi, Bassam N. Coury, Vincent J. Zimmer
  • Patent number: 9762556
    Abstract: Provided herein is a method for registering an IoT device with a DNS registry. The method can include obtaining, at a DNS server, an identifier, IP address, and a public key of an asymmetric key pair associated with the IoT device from a network gateway device that is in communication with the IoT device, wherein the asymmetric key pair is provisioned onto the IoT device and an associated private key stored within a memory of the IoT device at a time that the IoT device is manufactured or during a predetermined time window after manufacturing; creating at least one DNS record for the IoT device; assigning a domain name associated with the internet protocol (“IP”) address to the IoT device; storing the identifier, IP address, the domain name, and the public key in the at least one DNS record; and providing confirmation of the registration to the IoT device.
    Type: Grant
    Filed: January 9, 2015
    Date of Patent: September 12, 2017
    Assignee: VERISIGN, INC.
    Inventors: Stephen Daniel James, Daniel Schonfeld, Andrew Fregly, Eric Osterweil
  • Patent number: 9763062
    Abstract: In a system and method for upgrading software in a wireless mesh network, a first node in the network sends a first multicast request to a plurality of other nodes in the network that are in radio range of the first node. The first multicast request queries whether the other nodes are running a software version older than the software version and device type currently running in the first node. The first node then selects a node to upgrade and sends a request asking if any other nodes have already claimed that node. The first node then updates the nodes only if they have not been claimed for update by another node. In upgrading the claimed nodes, the first node copies to the claimed nodes the software it is currently executing in its internal flash memory thereby creating a clone, and does not store any additional copies of the updated software.
    Type: Grant
    Filed: April 1, 2015
    Date of Patent: September 12, 2017
    Assignee: Synapse Wireless, Inc.
    Inventor: Eric Joseph Ibarra
  • Patent number: 9755838
    Abstract: A message including a digital signature of a message originator is received at a processor. In response to determining that the message originator is authorized by a data protection policy to originate the message, a determination is made as to whether a specific authorized certificate issuer is configured for the message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, a determination is made as to whether a message originator certificate used to generate the digital signature of the message originator is issued by the specific authorized certificate issuer configured for the message originator within the data protection policy.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: September 5, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bret W. Dixon, Jonathan L. Rumsey
  • Patent number: 9749139
    Abstract: A message including a digital signature of a message originator is received at a processor. In response to determining that the message originator is authorized by a data protection policy to originate the message, a determination is made as to whether a specific authorized certificate issuer is configured for the message originator within a data protection policy. In response to determining that the specific authorized certificate issuer is configured for the message originator within the data protection policy, a determination is made as to whether a message originator certificate used to generate the digital signature of the message originator is issued by the specific authorized certificate issuer configured for the message originator within the data protection policy.
    Type: Grant
    Filed: June 28, 2016
    Date of Patent: August 29, 2017
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Bret W. Dixon, Jonathan L. Rumsey
  • Patent number: 9742759
    Abstract: Techniques are presented herein for authenticating a local process to a web service, both executing on a common host computer server. The local process may present a self-signed certificate to the web service. In response, the web service may identify a file system directory on the first computer server containing a file storing the self-signed certificate. If the subject information identifying the owner of the process matches file system metadata indicating an owner of the file, then the web service may consider the process as being authenticated to the web service.
    Type: Grant
    Filed: June 2, 2014
    Date of Patent: August 22, 2017
    Assignee: Symantec Corporation
    Inventors: Pandu Vangara, Priyanka Luthra, Prada Venkatachalam
  • Patent number: 9742702
    Abstract: A method in a network element includes processing input packets using a set of two or more functions that are defined over parameters of the input packets. Each function in the set produces respective interim actions applied to the input packets and the entire set produces respective end-to-end actions applied to the input packets. An end-to-end mapping, which maps the parameters of at least some of the input packets directly to the corresponding end-to-end actions, is cached in the network element. The end-to-end mapping is queried with the parameters of a new input packet. Upon finding the parameters of the new input packet in the end-to-end mapping, an end-to-end action mapped to the found parameters is applied to the new input packet, without processing the new input packet using the set of functions.
    Type: Grant
    Filed: July 30, 2015
    Date of Patent: August 22, 2017
    Assignee: MELLANOX TECHNOLOGIES, LTD.
    Inventors: Ido Bukspan, Oded Wertheim, Benny Koren, Itamar Rabenstein, Amiad Marelli, Omri Flint, Dror Aharoni