Disclosed is a computer-implemented method for establishing a secure connection between two electronic computing devices which are located in a network environment, the two electronic computing devices being a first computing device offering the connection and a second computing device designated to accept the connection, the method comprising executing, by at least one processor of at least one computer, a connection-establishing application for exchanging an information packet between the first computing device and the second computing device comprising a secret usable for establishing the connection, and evaluating a response from the second computing device for establishing the secure connection.

Among other things, techniques are described for provisioning and authentication of devices in vehicles. In one aspect, a device in a vehicle establishes a communication session with a network server that manages provisioning of devices corresponding to an enterprise associated with the vehicle. The device receives instructions from the network server to generate cryptographic keys, and in response, generates a public and private key pair. The device sends, to the network server, a certificate signing request that includes the public key and an identifier of the device. In response, the device receives a digital security certificate for the device, and a security certificate of a signing certificate authority. The device authenticates the security certificate of the certificate authority using a known enterprise root certificate, and upon successful authentication, stores the device security certificate and the security certificate of the signing certificate authority.

Methods and systems for tracking tainted connection agents, such as without a trusted central authority, are described herein. During a server outage, a client device may verify that a connection agent is untainted based on a public-key encryption or certificate-based system. If the connection agent is untainted, a server may sign a public key or certificate associated with the connection agent. The server may provide, to the client device, a lease, a public key associated with the server. The connection agent may sign data generated by the client device. The client device may verify a signature of the signed public key, such as based on the public key associated with the server. The client device may verify a signature of the signed data, such as based on the verified public key associated with the connection agent.

A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.

A method of maintaining a secure relationship between a client device and a server is described. The client device receives a first challenge from the server and determines and provides a first response to the first challenge. A cookie is established associated with the secure relationship. This cookie is shared between the client and the server. To establish the secure relationship in a later interaction, the client provides the cookie to the server. The server then provides both the first challenge and a second challenge, to which the client determines a first response and a second response. The client then provides a composite response from which the first response and the second response are derivable by the server, allowing the server to be assured that the secure relationship exists. Each challenge uses a challenge function adapted to provide a fingerprint of the client device. Methods at both client and server, and suitably configured client and server, are also described.

A command to load or unload data at a storage location is received. In response to the command, a storage integration object associated with the storage location is identified. The storage integration object identifies a cloud identity object that corresponds to a cloud identity that is associated with a proxy identity object corresponding to a proxy identity granted permission to access the storage location. The data is loaded or unloaded at the storage location by assuming the proxy identity.

A process running on client devices intercepts requests destined for an identity provider (“IdP”) system and injects a digital signature corresponding to a user associated with the request. In order to reduce or eliminate the burden on providers of the applications or other resources used by the users, the organization providing the IdP system may also provide components that run locally on the client devices of users and integrate with the users' applications. For example, in one embodiment code of the IdP system is run within a container of an application to handle communication with the IdP system. Additionally, code of the IdP system is run as a local process that handles request interception and digital signature injection. For client devices not supporting the use of the local process, a separate verifier application of the IdP can be run locally and allow interactively performing authentication via a user interface.

A secure communication system is disclosed for communication between first and second party devices. An input interface is provided for receiving from an external host a unique host factor in addition to a user input interface for receiving from a user a unique PIN for a user and a selection input for selecting one of the plurality of stored entropy stores as a user selected entropy store A first private key generator is operable for generating a private key using a key generation algorithm requiring the selected entropy store, the host factor and the unique user PIN. The second party device includes a second storage device for storing a plurality of entropy stores. An input interface is provided for receiving the same unique host factor as received by the first party device. A communication interface facilitates communication with the first party device to receive from the first party device a user PIN and an indication of the user selected entropy store. A second private key generator is operable for generating a private key using the predetermined key generation algorithm with the received user PIN, the received host factor, and an extracted entropy store corresponding to user selected entropy store, wherein the private key generated by both the first and second private key generators are identical. The session is initiated to cause the generation of the identical private keys at both of the first and second private key generators and allow secure communication between the first and second devices. The private key at least one of the first and second devices is deleted at the end of the session.

A method for using a self-signed digital certificate for establishing a secure connection between an Extensible Provisioning Protocol (EPP) client and a server on a communications network, including: receiving a communicated self-signed certificate from the EPP client; obtaining a unique identifier of the EPP client, the unique identifier associated with a domain name stored in a Domain Name System (DNS); using the unique identifier to access a designated DNS record in a DNS zone of the DNS associated with the domain name; retrieving the copy of the digital certificate from the designated DNS record, the copy of the digital certificate containing a public key of the EPP client bound to the domain name; authenticating the copy of the digital certificate with the communicated self-signed certificate; and receiving a generated session key from the EPP client to establish the secure connection over the communications network with the EPP client.

Methods and apparatus to enable a distinction between “new” and “used” digital content and to enable a market in used digital content files between mobile phone terminals and an electronic store, securely, by means of a wireless telephony network and a server complex to handle contents right management, transaction reporting, inventory, content delivery, payment, and billing. A server receives a signal generated by a wireless user device that was sent over a wireless telephony network. The signal indicates an election for returning at least one previously purchased digital content item. The server deletes user rights for the at least one digital content item identified by the received signal and sends information to the user device that generated the signal. Access to the associated digital content item at the user device is removed according to the sent information.