A digital message is signed and, if a request is approved, receives a time stamp. The request is computed as a first function of the message and a current one of a sequence of passwords computed such that each password corresponds to an index unit. Each of the passwords may be computed as a function, such as a hash function, pseudo-random function, or encryption function, of the subsequent password, whereby the sequence terminates with an initial password that forms a public key parameter for the password sequence. At least one hash tree uses at least a subset of the passwords as inputs to a hash tree used to verify the passwords.

A secure boot method includes: obtaining a certificate digest at a digest processor from a write-once, always-on memory; calculating a flash digest using the digest processor by cryptographically processing a sensitive information image; and comparing, using the digest processor, the flash digest with the certificate digest.

A method for controlling access to data being processed by a remote computing resource includes issuing a public encryption key for a data creator from a public certificate authority, detecting an encounter with a data owner, creating private encryption keys for the data creator and the data owner in response to detecting the encounter, encrypting data being sent to the remote computing resource with the public encryption key, the data creator's private encryption key, and the data owner's private encryption key, decrypting the data based on public verification of the public encryption key and local verification of the data creator's private encryption key and the data owner's private encryption key at the remote computing resource, and controlling the data creator's access to the data by altering the permission of at least one of the public encryption key and data creator's private encryption key.

One or more computer processors identify a first certificate that is used to establish a secure Internet connection. One or more computer processors identify a stored second certificate that shares at least one attribute with the first certificate. One or more computer processors determine a policy action based, at least in part, on a result of a comparison between an attribute of the first certificate and an attribute of the second certificate.

A method for deploying credentials in a server and a client system including three devices. The second device has primary credentials including a public key, a private key and a primary certificate. After successful authentication of a user, the first device generates a new private key/public key pair and wraps the new private key. After successful authentication of the user, the second device derives a new certificate comprising the new public key, the new certificate having the same usage specified in the primary certificate. The second device signs the new certificate using the private key of the primary credentials. The third device forwards to the server the primary certificate and the new credentials combining the new public key, the wrapped private key and the new certificate. The server verifies the chain of trust of the new credentials and, in case of successful verification, associates the new credentials to the user.

Embodiments describe systems and methods for analyzing digital certificates. A computer-implemented method can include identifying a plurality of digital certificates, individual digital certificates of the plurality of digital certificates including respective internal information. External information associated with the individual digital certificates can be determined, the external information not contained within the respective digital certificate. The external information can be updated in a database with additional external information that is collected on a periodic basis. A query can be run against the database to identify one or more vulnerable digital certificates associated with a client based on the internal information and the external information. A notification can be sent to the client regarding the one or more vulnerable digital certificates.

The techniques herein are directed generally to a zero-knowledge data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the dataall without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

The techniques herein are directed generally to a zero-knowledge data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data-all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key, accordingly.

System and method for providing secure machine to machine, M2M, communications comprising a device management, DM, server configured to obtain credentials of one or more M2M devices and provision the one or more M2M devices with credentials of a virtual private network, VPN. An application programming interface, API. A VPN server comprising a first communications interface configured to communicate API requests and API responses with the API. A second communications interface configured to provide a VPN for the one or more M2M devices. Logic configured to issue an API request, wherein the request includes the credentials of the VPN. Receive an API response from the DM server including an indication of the one or more M2M devices provisioned with the credentials of the VPN. Initiate a VPN over the second interface between the one or more M2M devices and the VPN server.

A method for controlling access to data being processed by a remote computing resource includes issuing a public encryption key for a data creator from a public certificate authority, detecting an encounter with a data owner, creating private encryption keys for the data creator and the data owner in response to detecting the encounter, encrypting data being sent to the remote computing resource with the public encryption key, the data creator's private encryption key, and the data owner's private encryption key, decrypting the data based on public verification of the public encryption key and local verification of the data creator's private encryption key and the data owner's private encryption key at the remote computing resource, and controlling the data creator's access to the data by altering the permission of at least one of the public encryption key and data creator's private encryption key.