Patent classifications
H04L9/3215
One-way transfer device with secure reverse channel
A data diode provides a flexible device for collecting data from a data source and transmitting the data to a data destination using one-way data transmission across a main channel. On-board processing elements allow the data diode to identify automatically the type of connectivity provided to the data diode and configure the data diode to handle the identified type of connectivity. Either or both of the inbound and outbound side of the data diode may comprise one or both of wired and wireless communication interfaces. A secure reverse channel, separate from the main channel, allows carefully predetermined communications from the data destination to the data source.
Out-of-band key splitting and key derivation
An example operation includes one or more of receiving, via a first communication channel between a sending device and a recipient device, a first partial encryption key from the receiving device, receiving, via a second communication channel between the sending device and the recipient device, a second partial encryption key from the receiving device, wherein the second communication channel comprises a different communication medium than the first communication channel, generating a transport key based on the first partial encryption key and the second partial encryption key received via the first and second channels, and encrypting data based on the generated transport key and transmitting the encrypted data to the receiving device.
Computer-implemented systems and methods for linking a blockchain to a digital twin
A computer-implemented method and system is described which uses blockchain technology as a storage system for data acquired from a digital twin. The blockchain can be used to generate an immutable transaction history of data produced by the digital twin. In the case of an error, failure, incident, or accident, parties of interest can then access and analyse an immutable set of data. The blockchain network can also execute a digital smart contract based on the data received from a digital twin. The invention may be used in conjunction with the Bitcoin blockchain or another blockchain protocol.
Technologies for secure key provisioning with a manageability engine
Technologies for secure key provisioning include a computing device having a processor with secure enclave support and a manageability controller. The manageability controller receives a secret key from a network source via a network interface that is isolated from untrusted software of the computing device. The manageability controller authenticates a secure enclave of the computing device and, if successful, securely provisions a session key derived from the secret key to the secure enclave. The manageability controller may provision additional session keys after expiration of the session key. The manageability controller may monitor for revocation of the secret key by the network source. If revoked, the manageability controller does not provision additional session keys to the secure enclave. The manageability controller may also provision the session key to a sensor device protected by the secret key, which is pre-provisioned to the sensor device. Other embodiments are described and claimed.
Communication Device And Non-Transitory Computer-Readable Recording Medium Storing Computer-Readable Instructions For Communication Device
A communication device may receive a specific signal from a first external device; display a first instruction screen; in a case where it is instructed that the target process is to be executed in a situation where the first instruction screen is displayed, send a public key to the first external device, wherein in a case where it is not instructed that the target process is to be executed in the situation where the first instruction screen is displayed, the public key is not sent; after the public key has been sent to the first external device, receive an authentication request from the first external device; send an authentication response to the first external device; receive connection information from the first external device; and establish, by using the connection information, a wireless connection between the communication device and a second external device.
Systems and methods for out-of-band authenticity verification of mobile applications
Example embodiments of systems and methods for application verification are provided. An application may generate a cryptographic key, and encrypt the cryptographic key with a predefined public key. A server, in data communication with the application, may include a predefined private key. The application may transmit the cryptographic key to the server. The server may receive, from the application, the cryptographic key; decrypt the cryptographic key using the predefined private key; encrypt an authorization token using the decrypted key; and transmit, to the client application, the authorization token via an out-of-band channel. The application may receive, from the server, the authorization token via the out-of-band channel; and decrypt the authorization token to obtain access to one or more services associated with the server.
Initializing a local key manager for providing secure data transfer in a computing environment
Aspects of the invention include initializing a local key manager (LKM) on a node of a computing environment. The node includes a plurality of channels. The LKM is configured to provide a secure data transfer between the node and another node of the computing environment. A connection is established, by the LKM, between the LKM and an external key manager (EKM) that stores a shared key for the node and the other node. In response to establishing the connection, the LKM registers security capabilities of the plurality of channels. The security capabilities are used by the LKM to provide the secure data transfer between the node and the other node.
Management of access authorization using an immutable ledger
The system can be for the management of access authorization using an immutable ledger and can include a server having a computer readable medium in communication with an immutable ledger. A set of computer readable instructions can be included in the server and can be configured for: receiving a set of data, encrypting the set of data with a data-encryption-key and storing the encrypted data on the immutable ledger, creating a key tree having a node associated with a user, creating a key-encryption-key associated with the node and the user, and distributing the key-encryption-key to the user, wherein the key-encryption-key is configured to decrypt the data-encryption-key, thereby providing access to the data for the user.
Systems and methods for use in provisioning credentials
Systems and methods are provided for provisioning identity credentials based on interactions with verifying or trusted users. One exemplary computer-implemented method includes receiving a request for a digital identity from a user, where the request includes identifying information for the user and a verified user identifier, and transmitting, to a verified user associated with the verified user identifier, an attestation request for the user. The method also includes receiving, from the verified user, an attestation in response to the attestation request with regard to at least some of the identifying information for the user, generating a digital identity for the user based on a number of attestations of the identifying information for the user, and sharing a digital identity notice with the user including an identifier for the user, whereby the user is permitted to share the digital identity with a relying party via the identifier.
Birth private-key based security for rest API in IoT devices
A system may be configured to perform secure low-latency and low-throughput support of REST APIs in IoT devices. In some aspects, the system may establish a first encrypted communication channel with an application of a management device, receive a certificate signing request including a public key of the application via the private channel, sign the public key of the application using read-only birth secret information to generate a first signed certificate, and transmit the first signed certificate via the private channel. Further, the system may receive an authentication request including a second signed certificate via a second encrypted communication channel, determine that the second signed certificate matches the first signed certificate via the read-only birth secret information, and transmit an application credential to the application via the second encrypted communication channel.