An Internet of things (IoT) system, including a distributed system of virtual machines, includes at least one IoT platform system control engine, that includes a platform system control engine secure system space and a IoT platform system control engine user defined space, at least one network node device that includes a network node device secure system space and an IoT network node device user defined space, and at least one edge device that includes an edge device secure system space and an edge device user defined space, where the secure system space of the control engine, the network node device, and the edge device are each configured to be secured to prevent unauthorized access, and the user defined spaces of the platform system control engine, the network node device and the edge device each define a respective virtual machine.

Apparatuses, systems, and methods for generating and utilizing improved initialization vectors (IVs) when performing encryption and authentication in wireless communications. In some scenarios, a wireless communication device may generate one or more pseudorandom multi-bit values, e.g., using a respective plurality of key derivation functions (KDFs). A first portion of each value may be used as a respective key for encryption or authentication of traffic on the user plane or the control plane. A second portion of each value may be used as a nonce value in a respective IV for use with a respective key for encryption or authentication of traffic on the user plane or the control plane. In some scenarios, the nonce values may instead be generated as part of an additional pseudorandom value (e.g., by executing an additional KDF), from which all of the IVs may be drawn.

A method is provided for establishing a secure communication session in a communication system. The method includes providing a handshake layer functional block and providing a record layer functional block separate from the handshake layer functional block. Functionality of the record layer functional block is not duplicated in the handshake layer functional block. The record layer functional block of a first communication peer generates an ephemeral key pair. A public key of the ephemeral key pair is transmitted to the handshake layer functional block of a second communication peer via the handshake layer functional block of the first communication peer. A session key is generated from the public key of the second communication peer and a private key of the first communication peer. Messages communicated between the first communication peer and the second communication peer are protected using the session key.

Embodiments provide a system and method for stateless session synchronization between inspectors for high availability deployments. Man in the Middle inspectors of a communication session between a client and server exchange a shared key that is used as a common seed value in a mapping function algorithm. Each inspector generates identical key-pairs using the common mapping function algorithm, and the inspectors generate the session keys from the key-pairs. Inspectors use the session keys to decrypt and either actively or passively inspect data transferred in a session between a client and server.

A method of protecting WLAN Control Protocol (WLCP) message exchange between a Trusted WLAN Access Gateway (TWAG) (112) of a Trusted WLAN Access Network (TWAN) (110) and a User Equipment (UE) (101) are provided. The method comprises deriving, by an Authentication, Authorization, and Accounting, (AAA) Server (103) of an Evolved Packet Core (EPC) network which is interfaced with the TWAN, and by the UE, a Master Session Key (MSK) and an Extended MSK (EMSK), sending, from the AAA Server to a Trusted WLAN AAA Proxy (TWAP) (113) of the TWAN and an Access Point (AP) (111) of the TWAN, the MSK or a key derived from at least the MSK, and deriving, by the TWAN or by the AAA Server, and by the UE, from the MSK, the EMSK, or the key derived from at least the MSK or the EMSK, a key for protecting the WLCP message exchange. Corresponding devices, computer programs, and computer program products are further provided.

Secure subscription based vehicle data services are provided. In one embodiment, a device comprises: a non-volatile memory comprising an embedded public key (EPK) that comprises a public key of a public-private key pair associated with a data service system not onboard the vehicle; a protocol that initiates a communication session that includes a session validation sequence that causes a processor to transmit a session request message and validate an authenticity of a session reply request using the EPK; the protocol includes a session initiation sequence that causes the processor to: transmit an initiation request message to the data service system that includes a key derivation key, and apply the key derivation key to a key derivation function to generate a message authentication key. The processor authenticates uplink messages exchanged with a host data service using the message authentication key.

Embodiments provide methods, and systems for cryptographic keys exchange where the method can include receiving, by a server system, a client public key being part of a client asymmetric key pair from a client device; sending, by the server system, a server public key being part of a server asymmetric key pair to the client device; generating, by the server system, a random value master key and sending the random value master key encrypted using the client public key to the client device; and generating, by the server system, an initial unique session key and sending the initial unique session key encrypted under the random value master key to the client device. A unique session key from the set of the unique session keys is used by the client device to encrypt a session data for transmission to the server system per session.

Embodiments of a wireless device and methods for rekeying with reduced packet loss in a wireless network are generally described herein. In some embodiments, during rekeying operations a new key for reception may be installed early (i.e., prior to receipt of a rekeying confirmation message). The use of the new key for transmission may be delayed until after receipt of the rekeying confirmation message. The early installation of the new key for reception may allow both the new key and old key to be active at the same time for use decrypting received packets to reduce packet loss during rekeying operations. The rekeying confirmation message may be the fourth message of a four-way handshake for rekeying. In some embodiments, two key identifiers may be alternated between four-way handshakes to prevent deletion of the old key.

This invention is directed to a computerized system for encryption and transmission of digital information comprising: an encryption server in communications with a sender computer device and a recipient computer device; and, a set of encryption server computer readable instructions included on the encryption server that, when executed by a processor, preform the steps of: receiving an original information set from the sender computer device, generating a sender symmetrical key, encrypting a portion of the original information set with the sender symmetrical key, generating an asymmetric key pair having a public and private key pair, encrypting the sender symmetrical key with the public key of the asymmetrical key pair, encrypting the private key of the asymmetrical key pair with a master key, generating a hyperlink to the encrypted portion of the original information set, transmitting the hyperlink to the recipient computer device.

The present application describes a method, system, and non-transitory computer-readable medium for end-to-end encryption during a secure communication session. According to the present disclosure, a first device initializes a secure communication session with at least one second device. Initializing the secure communication session includes transmitting an invitation to a secure communication session to the at least one second device. The at least one second device may generate a transmission root key, which may be used to derive a first key for encrypting data transmitted to the first device and a second key for decrypting received data from the first device. The at least one second device may transmit the transmission root key to the first device, which may use the transmission root key to derive a first key to encrypt data transmitted to the at least one second device and a second key to decrypt data received from the at least one second device.