Systems, methods, and instrumentalities are disclosed for integrity protecting log entries generated from a first unit in a distributed system. For example, a first secret key may be received or obtained from a central management system and storing the first secret key in non-volatile memory. A second secret key may be calculated where the second secret key may be shared with a plurality of units within the same local communication domain as a unit using a secure key calculation. The second secret key may further be stored in volatile memory. The first and second keys may be used to calculate a first secret integrity protection key and a first broadcast encryption key. A security sensitive log entry may be generated and may be protected using the first integrity key and the first broadcast encryption key. The log entry may be broadcast to the plurality of units within the domain.

A method for identification of malicious domains is provided. The method extracts a set of domain information from one or more input streams. The set of domain information includes a set of domains and a set of domain characteristics describing each domain. The method clusters the set of domains to generate a set of campaign clusters of related domains. The clusters are based on the set of domain characteristics. The method modifies the set of campaign clusters with a set of threat intelligence ratings to generate a set of enriched campaign clusters. A portion of the set of threat intelligence ratings correspond to one or more domains within the set of campaign clusters. The method determines a cluster designation for each campaign cluster of the set of enriched campaign clusters and distributes the cluster designations for each campaign cluster to one or more threat intelligence resource.

A method includes requesting, by a first computing device having a first application and a first Transport Layer Security (TLS) library, a sequence of cryptographic keys obtained by a first agent, the sequence of cryptographic keys based on an agent key and provided from the first agent to the first TLS library, requesting, by a second computing device having a second application and a second TLS library, the sequence of cryptographic keys obtained by a second agent, the sequence of cryptographic keys based on the agent key and provided from the second agent to the second TLS library, and communicating between the first application of the first computing device to the second application of the second computing device using the sequence of cryptographic keys based on the agent key.

A method of protecting WLAN Control Protocol (WLCP) message exchange between a Trusted WLAN Access Gateway (TWAG) (112) of a Trusted WLAN Access Network (TWAN) (110) and a User Equipment (UE) (101) are provided. The method comprises deriving, by an Authentication, Authorization, and Accounting, (AAA) Server (103) of an Evolved Packet Core (EPC) network which is interfaced with the TWAN, and by the UE, a Master Session Key (MSK) and an Extended MSK (EMSK), sending, from the AAA Server to a Trusted WLAN AAA Proxy (TWAP) (113) of the TWAN and an Access Point (AP) (111) of the TWAN, the MSK or a key derived from at least the MSK, and deriving, by the TWAN or by the AAA Server, and by the UE, from the MSK, the EMSK, or the key derived from at least the MSK or the EMSK, a key for protecting the WLCP message exchange. Corresponding devices, computer programs, and computer program products are further provided.

Methods, systems and devices for generating an authentication key are provided. Two or more communications devices can generate an authentication key by monitoring a physical stimulus that is experienced by both devices (e.g., a common physical stimulus). Each device can then use an identical, predetermined algorithm to generate a common authentication key based on the stimulus. The devices can use the common authentication key to establish a secure network.

Embodiments of the invention relate to the communications field, and provide a key generation method, device, and system. The method includes: after receiving a first command, obtaining, by UE located in a first-standard network, a type identifier of a second-standard network that needs to provide a service to the UE, where the first command is a service request response message, or a handover command, or any message in an air interface secure activation process; determining, by the UE, an access key according to the type identifier of the second-standard network, a key of the first-standard network, and a NAS count of the first-standard network by using a preset key derivation algorithm; and generating, by the UE, an AS key of the second-standard network according to the access key. The present invention can resolve problems of relatively long total communication latency and relatively high communication load of a heterogeneous network.

According to a first aspect of the present disclosure, a method for facilitating secure communication in a network is conceived, comprising: encrypting, by a source node in the network, a cryptographic key using a device key as an encryption key, wherein said device key is based on a device identifier that identifies a destination node in the network; transmitting, by said source node, the encrypted cryptographic key to the destination node. According to a second aspect of the present disclosure, a corresponding non-transitory, tangible computer program product is provided. According to a third aspect of the present disclosure, a corresponding system for facilitating secure communication in a network is provided.

Some embodiments provide a method for establishing a secured session with backward security between a first device and a second device. In some embodiments, the method establishes a communication session between the first and second devices using shared keys stored at the first and second devices. The method exchanges encrypted data between the first and second devices as a part of the communication session. The method, upon completion of the communication session, modifies the shared key at the first device in a predictable way. The shared key is modified at the second device in the same predictable way. The method then stores the modified shared key at the first device. The modified shared key cannot be used to decrypt any portion of the encrypted data of the current and previous communication sessions.

Systems and methods are provided for securing data using a mobile device. The method may include determining securing global positioning data values of the mobile device; measuring a securing direction of the mobile device relative to a magnetic north direction; capturing a securing password by the mobile device; and securing the data against unauthorized access using the determined global positioning data values, the securing password, and the securing direction as a combined password.

A network can operate a WiFi access point with credentials. An unconfigured device can support a Device Provisioning Protocol (DPP), and record bootstrap public keys and initiator private keys. The network can record bootstrap public and responder private keys and operate a DPP server. A responder proxy can establish a secure and mutually authenticated connection with the network. The network can (i) derive responder ephemeral public and private keys, (ii) record the initiator bootstrap public key, and (iii) select a responder mode for the responder. The network can derive an encryption key with at least the (i) recorded the initiator bootstrap public key and (ii) derived responder ephemeral private key. The network can encrypt credentials using at least the derived encryption key and send the encrypted credentials through the responder proxy to the initiator, which can forward the encrypted credentials to the device, thereby supporting a device configuration.