H04L2463/062

SYSTEM AND METHOD FOR RECEIVING DATA AT A MERCHANT DEVICE FROM A USER DEVICE OVER A WIRELESS LINK
20220148073 · 2022-05-12

A system and method for providing payments is disclosed. A method can include establishing a wireless link between a mobile device and a merchant device. After an instruction is displayed on the mobile device, a combination of a first type of input and a second type of input is received on the mobile device, the first type of input including at least one button press of a physical button and the second type of input being received from a user to confirm a payment for the purchase. Based on the inputs, payment data is retrieved from a memory of the mobile device. The method includes receiving the payment data at the merchant device to make the purchase, wherein receiving the payment data, via the wireless link, at the merchant device to make the purchase is performed according to a protocol for communicating the payment data to the merchant device.

MITIGATION OF BRUTE FORCE ATTACK TO DEVICE PIN

A method of device authentication comprises receiving a password into an application of a user device; transmitting verification information of the password from the application to an authentication device; verifying, by the authentication device, validity of the password using the verification information; granting, by the authentication device, access by the user device to a secure resource when the password is valid; sending no indication of an invalid password to the user device when the authentication device determines the password is invalid; and blocking access of the user device to the secure resource when a predetermined number of passwords are determined to be invalid by the authentication device.

Practical end-to-end cryptographic authentication for telephony over voice channels

Methods and apparatuses for providing cryptographic authentication within a voice channel are disclosed. The methods and apparatuses can provide cryptographic authentication solely within a voice channel or can use a combination of a voice channel and another data channel. A method for providing cryptographic authentication within a voice channel can operate between telephonic systems and be suitable for operating over G.711/PCMu, AMR and SPEEX™ codecs, and suitable for operating over mobile, PSTN, and VOIP networks. The method can include providing a modem that is codec agnostic and suitable for executing a TLS-based authentication protocol. The method can include using frequency-shift modulation within a frequency range of 300-3400 Hz.

First vehicle-side terminal, method for operating the first terminal, second vehicle-side terminal and method for operating the second vehicle-side terminal

A method for operating a first vehicle-side terminal is provided, wherein the first vehicle-side terminal determines at least one symmetric group key that is assigned to the group of terminals, encrypts the at least one symmetric group key with a public asymmetric individual key that is assigned to a second vehicle-side terminal or with a symmetric pair key that is assigned to the second vehicle-side terminal, transmits the encrypted symmetric group key in the direction of the second vehicle-side terminal, receives an encrypted message from the second vehicle-side terminal, and decrypts the encrypted message depending on the symmetric group key.

Data Management Method, Apparatus, and System, and Storage Medium
20230259462 · 2023-08-17

A data management method comprises a first processing node that obtains a secure storage key based on a first external keying material corresponding to the first processing node, encrypts data corresponding to an application program in the first processing node, and sends encrypted data to a second processing node. The second processing node obtains a secure storage key based on a second external keying material corresponding to the second processing node, and decrypts the encrypted data that corresponds to the application program and that is sent by the first processing node. The second external keying material is the same as the first external keying material, whereby the second processing node and the first processing node may obtain a same secure storage key, and the second processing node may successfully decrypt the encrypted data that corresponds to the application program and that is sent by the first processing node.

Method and system for providing secure communications between a host system and a data processing accelerator

According to one embodiment, a system establishes a secure connection between a host system and a data processing (DP) accelerator over a bus, the secure connection including one or more data channels. The system transmits a first instruction from the host system to the DP accelerator over a command channel, the first instruction requesting the DP accelerator to perform a data preparation operation. The system receives a first request to read a first data from a first memory location of the host system from the DP accelerator over one data channel. In response to the request, the system transmits the first data to the DP accelerator over the data channel, where the first data is utilized for a computation or a configuration operation. The system transmits a second instruction from the host system to the DP accelerator over the command channel to perform the computation or the configuration operation.

Key-ladder protected personalization data conversion from global to unique encryption

A system and method of provisioning personalization data of a second type to a device having personalization data of a first type, the device having a global root key GK_0, and a secure processing environment having unique information is disclosed. In one embodiment, the method comprises accepting a provisioning request from the device, the provisioning request comprising the unique information and an identifier of a second type of provisioning data requested, converting the personalization data from the first type to the second type, and transmitting the converted personalization data to the device.

METHODS AND SYSTEMS FOR CRYPTOGRAPHIC KEYS EXCHANGE

Embodiments provide methods and systems for cryptographic key exchange, where the method can include receiving, by a server system, a client public key being part of a client asymmetric key pair from a client device; sending, by the server system, a server public key being part of a server asymmetric key pair to the client device; generating, by the server system, a random value master key and sending the random value master key encrypted using the client public key to the client device; and generating, by the server system, an initial unique session key and sending the initial unique session key encrypted under the random value master key to the client device. A unique session key from the set of unique session keys is used by the client device to encrypt session data for transmission to the server system per session.

Method and apparatus for establishing trusted channel between user and trusted computing cluster

Some embodiments of the present specification provide a method and an apparatus for establishing a trusted channel between a user and a trusted computing cluster. According to the method, when a user wants to establish a trusted channel with a trusted computing cluster, the user only negotiates a session key with any first trusted computing unit in the cluster to establish the trusted channel. Then, the first trusted computing unit encrypts the session key using a cluster key common to the trusted computing cluster to which the first trusted computing unit belongs, and sends the encrypted session key to a cluster manager. The cluster manager transmits the encrypted session key in the trusted computing cluster, so that other trusted computing units in the cluster obtain the session key and join the trusted channel. Thus, the user establishes a trusted channel with the entire trusted computing cluster.

Efficient Internet-Of-Things (IoT) Data Encryption/Decryption
20220141004 · 2022-05-05

Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. A preferred key distribution scheme employs key distribution certificates or KD-certs for distributing key material to the edge devices. KD-certs may be group KD-certs that are shared across a group of edge devices.