Patent classifications
H04L2463/081
DEVICE PROVISIONING AND AUTHENTICATION
Among other things, techniques are described for provisioning and authentication of devices in vehicles. In one aspect, a device in a vehicle establishes a communication session with a network server that manages provisioning of devices corresponding to an enterprise associated with the vehicle. The device receives instructions from the network server to generate cryptographic keys, and in response, generates a public and private key pair. The device sends, to the network server, a certificate signing request that includes the public key and an identifier of the device. In response, the device receives a digital security certificate for the device, and a security certificate of a signing certificate authority. The device authenticates the security certificate of the certificate authority using a known enterprise root certificate, and upon successful authentication, stores the device security certificate and the security certificate of the signing certificate authority.
STORAGE INTEGRATION WITH AN EXTERNAL STORAGE LOCATION
A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.
System and method for secure access management
An access management system and method provisions credentials to access a resource, such as external web user accounts. Credentials are generated, encrypted and stored. To access the resource, encrypted credentials are decrypted, masked, and served to users, such that they are not visible to the user requiring access. The user is unaware of the credentials used to authenticate and unable to access the provisioned web resources outside set parameters.
GRAPHICS SECURITY WITH SYNERGISTIC ENCRYPTION, CONTENT-BASED AND RESOURCE MANAGEMENT TECHNOLOGY
Methods, apparatuses and system provide for technology that interleaves a plurality of verification commands with a plurality of copy commands in a command buffer, wherein each copy command includes a message authentication code (MAC) derived from a master session key, wherein one or more of the plurality of verification commands corresponds to a copy command in the plurality of copy commands, and wherein a verification command at an end of the command buffer corresponds to contents of the command buffer. The technology may also add a MAC generation command to the command buffer, wherein the MAC generation command references an address of a compute result.
Decentralized identity authentication framework for distributed data
Disclosed is a method for authenticating requestors and granting access to a permissioned blockchain network shared among enterprise entities. A decentralized registry of credentialed users, in which credentialed users guard their own access information by keeping a private key of a public-private keypair, enables systems to avoid keeping information of a large number of users in large, vulnerable containers. A further method removes authenticated users seeking to be forgotten from the registry of users and deletes any personally identifiable information of the withdrawing users.
Secure circuit for encryption key generation
Techniques are disclosed relating to a public key infrastructure (PKI). In one embodiment, an integrated circuit is disclosed that includes at least one processor and a secure circuit isolated from access by the processor except through a mailbox mechanism. The secure circuit is configured to generate a key pair having a public key and a private key, and to issue, to a certificate authority (CA), a certificate signing request (CSR) for a certificate corresponding to the key pair. In some embodiments, the secure circuit may be configured to receive, via the mailbox mechanism, a first request from an application executing on the processor to issue a certificate to the application. The secure circuit may also be configured to perform, in response to a second request, a cryptographic operation using a public key circuit included in the secure circuit.
One-time-pad encryption
Methods for secure communications using one-time pad encryption are provided. In one aspect, a method includes generating and sharing, via proximity inter-device communication, unique device codes on each of multiple devices to be paired or grouped together, intermixing the device codes to generate a one-time pad code, generating a random block of data based on the one-time pad code, persisting the one-time pad code and random block of data over each device, and encrypting/decrypting messages between the paired or grouped devices. Systems and machine-readable media are also provided.
MTC KEY MANAGEMENT FOR KEY DERIVATION AT BOTH UE AND NETWORK
There is provided a new IWF SMC procedure for establishing security association between an MTC UE (10) and an MTC-IWF (20). The MTC-IWF (20) sends to the UE (10) at least an algorithm identifier which instructs the UE (10) to select one of algorithms for deriving a root key (K_iwf). The UE (10) derives the root key (K_iwf) in accordance with the selected algorithm, and derives at least a subkey for checking the integrity of messages transferred between the UE (10) and the MTC-IWF (20) by using the derived root key (K_iwf). The UE (10) protects uplink messages transmitted to the MTC-IWF (20) with the derived subkey. The MTC-IWF (20) protects downlink messages transmitted to the UE (10) with the same subkey derived at a core network.
Tracking Tainted Connection Agents
Methods and systems for tracking tainted connection agents, such as without a trusted central authority, are described herein. During a server outage, a client device may verify that a connection agent is untainted based on a public-key encryption or certificate-based system. If the connection agent is untainted, a server may sign a public key or certificate associated with the connection agent. The server may provide, to the client device, a lease, a public key associated with the server. The connection agent may sign data generated by the client device. The client device may verify a signature of the signed public key, such as based on the public key associated with the server. The client device may verify a signature of the signed data, such as based on the verified public key associated with the connection agent.
DATABASE SYSTEM INTEGRATIONS WITH EXTERNAL STORAGE LOCATIONS
A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.