This application provides a key distribution and authentication method, system, and an apparatus. The method includes: a service center server distributes different keys to terminal devices, and then the terminal devices perform mutual authentication with the network authentication server based on respective keys and finally obtain communication keys for communication between the terminal devices and a functional network element. This provides a method for establishing a secure communication channel for the terminal device, having a broad application range.

Control systems and methods for securely authenticating and validating a control system. The control system may include a plurality of dependent control nodes and master control nodes. Each dependent control node is communicatively coupled to one or more peripheral devices. Each control node maintains a unit level distributed ledger, where each unit level distributed ledger includes information from corresponding peripheral devices. Each control node may transmit a portion of the unit level distributed ledger to a master control node. Each master control node may maintain a system level distributed ledger that includes information from the corresponding unit level distributed ledgers. Each master node may transmit a portion of the system level distributed ledger to a central node that maintains a separate secure distributed ledger. The master node may authenticate the control system based on the received portion of the system level distributed ledgers and the secure distributed ledgers.

A sending device may send data intended for a target device. An intermediate device may intercept the data sent from the sending device and forward the communications to the target device. Security data (e.g., a security certificate for authentication) along with an encrypted version of the security data may be sent at the application layer such that it passes from the sending device, through the intermediate device, and to the target device without being analyzed or modified by the intermediate device. The target device may use the encrypted security data and the security data to verify the identity of the sending device.

An Ethernet switch for a vehicle, a method of controlling the Ethernet switch are provided. The method includes detecting a first connection between a connector of the diagnostic device and a first port of the Ethernet switch and establishing a second connection with the diagnostic device by referring to a virtual local area network identifier (VLAN ID) table. A third connection is established between the controller and an electronic control unit (ECU) of the vehicle by referring to the VLAN ID table. A certificate-based secure access procedure is performed between the diagnostic device and the controller. A mode of the Ethernet switch is switched from a lock mode to an unlock mode and a fourth connection is established between the diagnostic device and the ECU by referring to the VLAN ID table.

A key management method includes: sending, by a security chip of a computer device, a request for obtaining a service key to a key management service; receiving, by the security chip, a service key ciphertext from the key management service, wherein the service key ciphertext is obtained by encrypting the service key by the key management service based on a migration key of the security chip; decrypting, by the security chip, the service key ciphertext based on the migration key to obtain the service key; storing, by the security chip, the service key in the security chip; and providing, by the security chip, the service key to an application program of the computer device when the application program needs to encrypt data based on the service key.

Techniques are discussed for performing a demand reset in a wireless meter reading environment, in a manner such that demand data may not be lost. In response to receiving a command from a mobile device of a requester, a meter may store demand value(s) in a log, reset register(s) that store the demand value(s) and wirelessly provide the demand value(s) to the mobile device of the requester. Due to the lack of reliability associated with wireless communications between the meter and a requestor, the requestor may not actually receive the demand value(s). Upon receiving a subsequent command for the demand value(s), the meter may determine that the command is a replay, and provide the demand value(s) without resetting the register(s). Techniques are also discussed for generating the commands, securing the commands, and providing the commands to mobile devices in route packages.

Data may be protected using a combination of symmetric and asymmetric cryptography. A symmetric key may be generated and the data may be encrypted with the symmetric key. The symmetric key and a only a portion of the symmetrically encrypted data may then be encrypted with an asymmetric public key. The entire set of encrypted data, including the asymmetrically encrypted symmetric key, the doubly encrypted portion of data, and the remainder of the symmetrically encrypted data may then be sent to a remote device using insecure communications.

A method and a server for providing transaction keys for a transaction system includes transaction units which use pre-delivered transaction keys, and are provided by a key provisioning server and wherein the transaction key usage is checked by a transaction checking server. A transaction key is derived from a master key of a transaction unit, wherein a varying derivation parameter is used in the step of deriving. The step of deriving comprises a first sub step of deriving a key from the master key and a second sub step of deriving the transaction key from the derived key. The first sub step or the second sub step of deriving is performed dependent on a security level of the transaction unit.

Systems and methods for secure resource access and network communication are provided. A plurality of policies are received on a client device, each policy comprising a respective resource and a respective permission for a respective action that can be performed by a user of the client device in regards to the resource. A first application, which is configured to store data in an encrypted repository on the client device, receives a request to open a resource. The first application determines that one of the policies prohibits access by the resource to the encrypted repository and, based thereon, selects a different second application to open the resource that does not have access to the encrypted repository. The second application then opens the resource.

In an example implementation, a method of controlling activity of a device includes concurrently detecting multiple unique device identifier (UDIDs) within proximity of a primary device, and determining that the multiple UDIDs are associated with a primary device activity. The method includes performing the activity while the concurrent detection of the multiple UDIDs persists, and stopping the activity when the concurrent detection of the multiple UDIDs stops.