A computer implemented method for managing a connection between a device and a server resource, the method comprising: establishing the connection between the device and a first server of the server resource; registering a connection identifier relating to the connection between the device and the first server in a first database entry of a database arrangement; pre-computing, at the first server, an encrypted alert for the device, the alert being provided with a pre-defined future communication sequence number; and transmitting the alert from the first server to the database arrangement for storage in association with the first database entry of the database arrangement.

Methods and systems described herein authenticate a user and help secure transaction. A display screen presents images that are difficult for malware to recognize but a person can recognize. In at least one embodiment, a person communicates transaction information using visual images received from the service provider system. In at least one embodiment, a user selects a sequence of visual images as a means of authenticating the user and logging into a financial account or other corporate account. In some embodiments, methods and systems are provided for determining whether to grant access, by generating and displaying visual images on a screen that the user can recognize, and select. In an embodiment, a user presses his or her finger or fingers on a display screen to select images as a method for authenticating and protecting communication from malware. In an embodiment, non-determinism in hardware helps unpredictably vary the image selected, the image location, generate noise in the image, or change the shape or texture of the image. In some embodiments, visual image authentication helps Alice and Bob detect if Eve has launched a man-in-the-middle attack on their key exchange.

The present disclosure relates generally to authentication of voice communications. Methods performed by a user device for mutually authenticated communications can include creating a first communication channel with a backend, creating a secure session across a second communication channel with the backend, receiving a first identification message from the backend via the second communication channel, receiving a second identification message from the backend via the first communication channel, sending an attestation that the second identification message matches the first identification message to the backend via the second communication channel, receiving a second step authorization instruction from the backend via the second communication channel, assessing the identity of the user, and delivering an authorization response to the backend via the second communication based of the assessed identity of the user.

Described are implementations that analyze the unencrypted messages of a cryptographic protocol handshake between two devices and/or the receipt or absence of encrypted messages of the handshake to detect security vulnerabilities of one or both of those devices. For example, the unencrypted messages of a TLS handshake between a client device and a server may be analyzed to determine security vulnerabilities of the client device. Because the disclosed implementations utilize the unencrypted messages of a handshake and/or detection of the receipt or absence of encrypted messages of the handshake, involvement in the handshake or decryption of encrypted messages of the handshake is not necessary. The requirement is that the disclosed implementations are able to observe the messages of a handshake that are used to establish a secure communication between the devices.

A system and method for training a decision tree are disclosed. A method includes publishing, by a first party, a first set of nominated cut-off values at a current node of a decision tree to be trained, computing a first respective impurity value for the first set of nominated cut-off values at the current node, creating first respective n shares of the first respective impurity value, transmitting, from the first party and so a second party, one of the first respective n shares of the first respective impurity value, receiving from the second party one of a second respective n shares of the second respective impurity value, adding a group of impurity values to yield a combined impurity value based on the one of the first respective n shares and the one of the second respective n shares and determining, based on the combined impurity value, a best threshold.

A network interface controller includes processing circuitry configured to pair with a local root of trust of a host device connected to the network interface controller and provide a key to an encryption device of the host device that enables the encryption device to encrypt data of one or more host device applications using the key. The encrypted data are stored in host device memory. The processing circuitry is configured to share the key with a remote endpoint and forward the encrypted data from the host device memory to the remote endpoint.

A first server receives a set of cryptographic parameters from a second server. The set of cryptographic parameters is received from the second server as part of a secure session establishment between a client device and the second server. The first server accesses a private key that is not stored on the second server. The first server signs the set of cryptographic parameters using the private key. The first server transmits the signed set of cryptographic parameters to the second server. The first server receives, from the second server, a request to generate a premaster secret using a value generated by the second server that is included in the request and generates the premaster secret. The first server transmits the premaster secret to the second server for use in the secure session establishment between the client device and the second server.

A method for identifier management for user devices operating in an inactive mode includes receiving a first uplink transmission including a user device identifier associated with a user device, transmitting a first downlink transmission including an indication of an ephemeral identifier assigned to the user device, transmitting a second downlink transmission including data associated with the ephemeral identifier, and discarding the ephemeral identifier.

Embodiments are direct to monitoring communication between computers may be using network monitoring computers (NMCs). Network packets that are communicated between the computers may be captured and stored in a data store. If the NMCs identify a secure communication session established between two computers, the NMCs may obtain key information that corresponds to the secure communication session that includes a session key that may be provided by a key provider. Correlation information associated with the secure communication session may be captured by the NMCs. The correlation information may include tuple information associated with the secure communication session. And, the key information and the correlation information may be stored in a key escrow. The key information may be indexed in the key escrow using the correlation information.

Systems and methods are provided for implementing a centralized configurator server/service in the cloud that can take the place of conventional mobile devices used for provisioning IoT devices or WiFi clients in a network. In order to provision the IoT devices or WiFi clients, a mobile device or access point (AP) may be used to relay Device Provisioning Protocol (DPP) messages and/or information between the centralized configurator server/service and the IoT devices or WiFi clients.