H04L2209/76

Intercepting secure session upon receipt of untrusted certificate
10116634 · 2018-10-30

A method for intercepting, by a security gateway, a secure data session comprises the steps of establishing a first secure data session between a client device and a server device, intercepting the first secure data session by the security gateway, establishing a second secure data session between the server device and the security gateway, receiving a first secure session request from the client device, generating a second secure session request based on the first secure session request, receiving a server certificate from the server device, sending the second secure session request to the server device, receiving first secure content from the client device over the first secure data session, creating first encrypted secure content using the first secure content and the server certificate, and sending the first encrypted secure content to the server device over the second secure data session.

Authentication proxy agent
10104079 · 2018-10-16

An authentication engine may be configured to receive an authentication request and credentials from a client. The authentication engine may then generate a proxy agent configured to interact with an identity provider to authenticate the client on behalf of the client, using the credentials. In this way, the authentication engine may receive an assertion of authentication of the client from the identity provider, by way of the proxy agent.

Method of performing keyed-hash message authentication code (HMAC) using multi-party computation without Boolean gates
10103888 · 2018-10-16

The subject matter discloses a method operated on at least two servers for a third-party client, the method comprising: receiving, by a first server, a first result of a first irreversible function applied to a secret key from a first third-party client; receiving, by a second server, a second result of a second irreversible function applied to the secret key from the first third-party client; receiving, by the first server, a message from a second third-party client; the first server computing a first hash function on said first result and on said message, and sending the result of the first hash function from the first server to the second server; the second server computing a second hash function on said second result and on the result of the first hash function sent from the first server; and outputting the result generated by the second server as the HMAC result.

Authentication through a secret holding proxy

Client requests may be directed through a secret holding proxy system such that the secret holding proxy system may insert a secret into a client request before arriving at the destination. The insertion of a secret may include inserting a digital signature, token or other information that includes a secret or information based upon a secret, which may include secret exchange or authentication protocols. The secret holding proxy system may also remove secrets and/or transform incoming messages such that the client may transparently receive the underlying content of the message.

Enabling multitenant data access on a single industrial network

In an embodiment, a computer-implemented method comprises receiving a first authentication request from one or more first computing devices; in response to receiving the first authentication request, performing a first authentication service for the one or more first computing devices on behalf of a second computing device using a first set of identity information; in response to performing the first authentication service, generating and queuing a first set of one or more transactions corresponding to at least one of the one or more first computing devices; receiving a second authentication request from the second computing device configured to access the first set of one or more transactions; in response to receiving the second authentication request, performing a second authentication service for the second computing device on behalf of a third computing device using a second set of identity information; in response to performing the second authentication service, encrypting and sending the first set of one or more transactions to the second computing device.

MANAGEMENT OF SECRET DATA ITEMS USED FOR SERVER AUTHENTICATION

A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10). To restore secret data items to the server, the control logic interacts with the user via the user interface (13) to obtain user authorization to restore secret data items and, in response, sends the secret data items to the server (2) via said connection.

APPARATUS, METHOD AND COMPUTER PROGRAM PRODUCT FOR AUTHENTICATION
20180294965 · 2018-10-11

Methods, apparatus, computer program product and computer readable medium are disclosed for authentication. A method comprises: receiving an authentication request from a user apparatus (802); sending a verification code to the user apparatus, wherein the verification code comprises a combination of pattern codes and the pattern codes are associated with encrypted bio-patterns that the user has registered respectively (804); receiving first encrypted bio-information of the user corresponding to the verification code (806); and calculating a first encrypted deviation between the registered encrypted bio-patterns corresponding to the combination of pattern codes and the first encrypted bio-information (808).

Mobile Network Core Component for Managing Security Keys
20180295505 · 2018-10-11

A security keys broker residing on a core mobile communication network may manage security keys associated with network-enabled devices, such as Internet-of-Things devices. The security keys broker may authenticate, encrypt, or decrypt communications with the network-enabled devices using the associated security keys. Characteristics of the communications with the network-enabled devices may be determined, and the security keys broker may determine insecure communications based on the characteristics. Responsive to determining that an insecure communication has occurred, the security keys broker may update one or more of the security keys.

Securing IoT devices using an out-of-band beacon

Systems and methods for securing network devices through the use of an out-of-band beacon are described. In some embodiments, a method may include broadcasting, by a gateway, a wireless beacon that is out-of-band with respect to communications between the gateway and a plurality of devices over a network, where the wireless beacon includes a token; receiving an encrypted packet at the gateway as part of the communications; decrypting the encrypted packet into an intermediate payload by the gateway using a public key, where the public key corresponds to a certificate provisioned to each of the plurality of devices; and decrypting the intermediate payload into a decrypted packet by the gateway using the token.

SECURE HANDLING OF CUSTOMER-SUPPLIED ENCRYPTION SECRETS
20180287786 · 2018-10-04

An application server sends a public key from an asynchronous key-pair to a user system to encrypt a user encryption secret that forms part of a first encryption key. The application server uses a second encryption key provided by a key derivation server to encrypt a private key from the asynchronous key-pair. The application server then deletes the second encryption key to prevent decryption of the user encryption secret received from the user system. The application server receives the encrypted user encryption secret from the user system and sends a request to the key derivation server to re-encrypt the user encryption secret. The key derivation server uses a key encryption secret to generate the second encryption key and decrypt the private key. The key derivation server uses the decrypted private key to decrypt the user encryption secret and then re-encrypts the first encryption secret to prevent decryption by the application server.