This disclosure relates to, among other things, systems and methods for deriving key identifiers and managing mapping between keys and key identifiers. Consistent with embodiments disclosed herein, the disclosed systems and methods may provide a mechanism that allows multiple parties to reconstruct unique identifiers given a set of known inputs that may be used to look up, identify, and/or otherwise access services and/or data objects. In some embodiments, this may allow for a service provider and a rights management service to independently derive key identification information based on information that both entities share (e.g., a content document such as a Content Protection Information Exchange Format document), thereby reducing requirements to maintain such mappings.

An exemplary embodiment of the present disclosure provides a physically unclonable function (PUF) cell capable of exhibiting a stable performance and showing an excellent repeatability while being less affected by environmental factors such as a noise, temperature, and bias voltage. The PUF cell generates an output value by combining a scheme of amplifying a threshold voltage difference and a scheme of amplifying an oscillation frequency difference. In an oscillator that generates oscillation signals of different frequencies, the frequency difference of the oscillation signals is amplified by alternately supplying bias voltages of different magnitudes generated by utilizing the threshold voltage difference to a plurality of stages in the oscillator.

A request may be received to transfer from a first entity to a second entity a right related to a digital asset stored in an on-demand database system. The on-demand database system may provide computing services to a plurality of entities via the internet. A token associated with the digital asset may be identified. The token may being included in a smart contract recorded within a distributed trust ledger and may be owned by a first distributed trust ledger account. The smart contract may be executed within the distributed trust ledger to record a transfer of the token from the first distributed trust ledger account to a second distributed trust ledger account. The on-demand database system may be updated to include one or more database entries reflecting the recorded transfer.

Methods, systems, and apparatus, including computer programs encoded on computer storage media, for managing sensor communications in a monitored environment. One of the methods includes receiving, by a server and from a device that is accepted to connect with a first network using acceptance data that includes a first key indicating the device is associated with the first network, a request a) to join a second network different from the first network b) that identifies the first key; determining, by the server and using the identification of the first key in the request, that the device that transmitted the request is associated with the first network; and providing, by the server, an notification i) to a user associated with the first network ii) indicating that the device has moved outside the first network.

A system and method for providing secure Single-Sign-On (SSO) authentication in a zero-knowledge architecture. A first server component may operate as a first relying party in a first SSO flow. When the user of an application successfully authenticates to a first identity provider, a first part of a secret key may be provided to the application. Additionally, a second server component may operate as a second relying party in a second SSO flow. When the first part of the secret key is received by the application, authentication information may be provided to a second identity provider. Based on a successful authentication, a second part of the secret key may be provided to the application. The first and second parts of the secret key may be combined by the application to generate a final secret key that may be used to decipher encrypted user data.

Systems and methods for sharing secrets including passwords, keys, and other confidential information used in computing environments. A secrets record generated at a secrets vault client device is encrypted using an application key associated with a computing environment. The encrypted secrets record is stored in the secrets vault server. The secrets vault client device configures a sharing client device and associated with an access token. The secrets vault client device hashes the access token and sends to the secrets vault server as a client identifier. The sharing client device performs a first-time authentication using a hashed access token with the secrets vault server. Upon successful authentication, the sharing client device requests secrets records from the secrets vault server using the client identifier.

The disclosure herein describes securing access to a service resource within a security boundary. A security gateway instance receives a request from an edge deployment outside the security boundary. The request includes identity data identifying the edge deployment. The identity data is validated based on allowed identity data of the security gateway instance and based on a validation handler associated with the service resource. Based on validating the identity data and validating the request, the identity data is transformed using security data specific to the security gateway instance. The transformed identity data indicates the request has been validated by the security gateway instance. Based on transforming the identity data of the request, the transformed identity data and the request are forwarded to the service resource via a network link within the security boundary, wherein the service resource is configured to process the request based on identifying the transformed identity data.

A mesh network system suitable for connection to a cloud server is provided. The system includes: a first node device, configured to store a first private key and encrypt to-be-verified data according to the first private key to generate first encrypted data; and a second node device, configured to receive the first encrypted data and send the first encrypted data to the cloud server. After sending the first encrypted data, the second node device obtains, from the cloud server, second encrypted data generated by encrypting a first key according to the first public key. The second node device sends the second encrypted data to the first node device. The first node device decrypts the second encrypted data according to the first private key to obtain the first key from the second encrypted data, and performs encrypted communication with the cloud server according to the first key.

Systems and methods are described for a cyber-physical vehicle management system generated by an Integrated Secure Device Manager (ISDM) Authority configured to manage licensing and approval of Cyber-Physical Vehicle (CPV)s, a public/private key pair and a unique ID for the Authority, create a self-signed Authority token signed by the private key, send the Authority token to a plurality of ISDM Node device configured to verify Module device authenticity and in communication with the Authority, store, by each Node, the Authority token, and mark, by each Node, the Authority token as trusted.

In one embodiment, data communication apparatus includes a network interface for connection to a network and configured to receive a sequence of data packets from a remote device over the network, the sequence including data blocks, ones of the data blocks having block boundaries that are not aligned with payload boundaries of the packets, and packet processing circuitry to cryptographically process the data blocks using a block cipher so as to write corresponding cryptographically processed data blocks to a memory, while holding segments of respective ones of the received data blocks in the memory, such that the packet processing circuitry stores a first segment of a data block of a first packet in the memory until a second packet is received, and then cryptographically processes the first and second segments together so as to write a corresponding cryptographically processed data block to the memory.