Provided is a process that establishes user identities within a decentralized data store, like a blockchain. A user's mobile device may establish credential values within a trusted execution environment of the mobile device. Representations of those credentials may be generated on the mobile device and transmitted for storage in association with an identity of the user established on the blockchain. Similarly, one or more key-pairs may be generated or otherwise used by the mobile device for signatures and signature verification. Private keys may remain resident on the device (or known and input by the user) while corresponding public keys may be stored in associated with the user identity on the blockchain. A private key is used to sign representations of credentials and other values as a proof of knowledge of the private key and credential values for authentication of the user to the user identity on the blockchain.

A service provider receives a set of credentials from a customer and a request to access one or more services provided by the service provider. An authentication service of the service provider receives the set of credentials and, based at least in part on the received set of credentials, one or more activities performed by the customer, the customer's user profile, and the system configuration of the customer's computing device, calculates a risk score. The authentication service subsequently utilizes the calculated risk score to determine a credential rotation schedule for the set of credentials. The authentication service updates one or more servers to enforce the new credential rotation schedule and enables the customer to utilize the set of credentials to access the one or more services.

The generation device (20) is a generation device for generating certification information used for verification using zero-knowledge proof, and includes a conditional expression generation unit (23a) and a certification information generation unit (23b). The conditional expression generation unit (23a) generates, for different conditions, a plurality of conditional expressions that defines confidential information under one or more conditions. The certification information generation unit (23b) generates, as the certification information, a plurality of proofs based on each of the conditional expressions.

A software defined (SD) process control system (SDCS) includes a control container having contents which are executable during run-time of the process plant to control at least a portion of an industrial process. The SDCS also includes a security service associated with the control container and including contents which define one or more security conditions. The security service executes via a container on a compute node of the SDCS to control access to and/or data flow from the control container based on the contents of the security container.

A software defined (SD) process control system (SDCS) includes a control container having contents which are executable during run-time of the process plant to control at least a portion of an industrial process. The SDCS also includes a security service associated with the control container and including contents which define one or more security conditions. The security service executes via a container on a compute node of the SDCS to control access to and/or data flow from the control container based on the contents of the security container.

One exemplary embodiment is a method including receiving, at a distributed attestation system, user identification information from a user device. Next, the method includes generating an asymmetric user identifier based on the user identification information. Next, the method includes transmitting the asymmetric user identifier and an attestation identifier to a centralized certificate authority. Next, the method includes receiving a digital certificate generated based on the asymmetric user identifier of the user identification information. Finally, the method includes transmitting the digital certificate to the user device.

One exemplary embodiment is a method including receiving, at a distributed attestation system, user identification information from a user device. Next, the method includes generating an asymmetric user identifier based on the user identification information. Next, the method includes transmitting the asymmetric user identifier and an attestation identifier to a centralized certificate authority. Next, the method includes receiving a digital certificate generated based on the asymmetric user identifier of the user identification information. Finally, the method includes transmitting the digital certificate to the user device.

Technologies are shown for session centric access control of a remote connection that involve receiving a connection request, redirecting the request to a trusted authority, and receiving a redirection of the request along with a profile or role determined for the client. A container is created for a remote connection with a certificate and a public key along with an identifier for each endpoint authorized in association with the profile or role determined for the client. Single use credentials are created and a secure shell initialized for the remote connection using the credentials, certificate and public key. The secure shell is presented to the client and the credentials expired. When an access request for an endpoint is received via the shell, it is determined whether an identifier corresponding to the requested endpoint is stored in the container for the shell and, if so, access is allowed to the requested endpoint.

A terminal A transmits an owner identity confirmation start request to a terminal B including owner server association information capable of identifying an owner of the terminal and a terminal management server A of the terminal. The terminal B transmits an owner identity confirmation request to the terminal management server B of the terminal, the owner identity confirmation request including the owner server association information received and the owner server association information including information of the terminal B. The terminal management server B transmits, to the terminal management server A, an inter-server owner identity confirmation request including the identity confirmation information of the owner of the terminal B and the owner server association information of the terminal A. The terminal management server A compares the identity confirmation information of the owner of the terminal A with the identity confirmation information received, and confirms the owner identity of the two terminals.

A terminal A transmits an owner identity confirmation start request to a terminal B including owner server association information capable of identifying an owner of the terminal and a terminal management server A of the terminal. The terminal B transmits an owner identity confirmation request to the terminal management server B of the terminal, the owner identity confirmation request including the owner server association information received and the owner server association information including information of the terminal B. The terminal management server B transmits, to the terminal management server A, an inter-server owner identity confirmation request including the identity confirmation information of the owner of the terminal B and the owner server association information of the terminal A. The terminal management server A compares the identity confirmation information of the owner of the terminal A with the identity confirmation information received, and confirms the owner identity of the two terminals.