A method of separating identity IPs for identification of applications from the locator IPs for identifying the route is provided. A virtual service layer (VSL) protocol stack uses the IP addresses assigned by network administrators to the application endpoints to support the TCP/IP stack as the identity IP addresses that are not published to the underlay network for routing. On the other hand, the VSL stack uses the IP addresses assigned by the underlay network to the VSL enabled endpoints and VSL enabled routers as the locator IP addresses for routing packets. The VSL stack formats application flow packets with identity headers as identity packet and encapsulates identity packet with the locator header to route the packet. The separation of the identity and locator identifications are used to eliminate the network middleboxes and provide firewall, load balancing, connectivity, SD-WAN, and WAN-optimization, as a part of the communication protocol.

Each tenant of a secure web gateway (SWG) is issued a secret key. A user accesses a unique secret key derived from the tenant's secret key and loads the secret key into an application which generates time-based one time passwords (TOTPs). When the SWG receives a connection request from a client and cannot decrypt the network traffic, the SWG challenges the client request and indicates an authentication scheme to be used. The client obtains user credentials, constructs a response to the challenge based on the authentication scheme, and issues a connection request to the SWG which indicates the response. The SWG determines an expected response based on a locally generated TOTP and the secret key of the corresponding tenant. If the expected response matches the provided response, the SWG authenticates the user, allows the connection request, and whitelists the client for a period longer than the lifetime of the TOTP.

Embodiments of this application provide a security authentication method and a related apparatus, applied to the field of short-range communication, and in particular, to cockpit domain communication. The method includes: A first node receives a first association request message from a second node, where the first association request message includes a first fresh parameter; and the first node obtains a first pre-shared key PSK, where the first PSK corresponds to an identity of the second node, the first PSK is a PSK generated based on a second fresh parameter from the second node and a third fresh parameter from the first node, and the first PSK is used to verify the identity of the second node. According to the embodiments of this application, communication security can be improved.

Existing systems enable secure storage of encryption keys in the form of digital wallets, however, since the keys are preconfigured, they can be prone to malicious attacks. The embodiments herein provide a method and system for randomizing distribution of cryptographic keys across multiple secure key storage devices. The system generates random storage identities (RSIDs) for secure key storage devices by selecting a random storage device from a device portfolio, assigns the RSIDs randomly to create crypto addresses based on random access and partition the devices by deriving crypto addresses. Further, the system generates a user hash function and maps the user hash function to find an associated RSID hash function. The system identifies a device ID, a partition ID and a business date from a device mapper associated with the RSIDs to regenerate new RSIDs and recommends the regenerated new RSIDs randomly to each of the plurality of devices.

Systems and methods for the generation and use of session keys supporting secure communications between a client and server device are disclosed. The client hashes each of a series of passwords a first number of times. The hashed passwords are sent to a server. The server applies the hashed password to an array of PUF devices, and receives an initial response bitstream which is stored. The client later hashes each of the series of passwords a second number of times, which is less than the first number, and these are sent to the server. The server continues to hash the second message digest, generate PUF responses, and compare the result to the initially stored responses. For each password, the number of hashes necessary to achieve a match is a partial session key. Latency is improved by an array of separately addressable PUFs, each producing a partial session key.

Disclosed herein are various embodiments an SQL extension to key transfer system with authenticity, confidentiality, and integrity. An embodiment operates by generating a key pair including both a target public key and a target private key. The target public key is provided to a source database server, wherein the source database server includes a source secret for unencrypting encrypted data accessible to the target database server. A source public key generated by the source database server and a digital signature signed with a source private key generated by is received from the source database server including an encrypted version of the source secret. The digital signature is verified as being valid. The encrypted version of the source secret is unencrypted using the target private key and the source secret is used to access the encrypted data.

Devices, methods, and systems that thwart deepfake modification of media, and/or verify the identity of a person and that their communications have not been altered, among other applications. A device is configured to use sensors to record a corroborating data set (CDS) pertaining to the user in near real time. The CDS is encrypted or signed by a user's private key to create a cryptographic verification code (CVC). The CVC may be displayed, emitted, or otherwise distributed by the totem device. Alternatively, the CVC may be superimposed or embedded as metadata in media produced by the device. The CVC cannot be modified with deepfake techniques while image and video data may be modified with deepfake techniques. Analysis of media containing a CVC can confirm whether the CVC is authentic, and whether the CDS contained within is consistent with the depiction of the user in the media.

Embodiments of the present application provide a network access authentication method, apparatus, and system. The network access authentication method mainly comprises: obtaining a user name by a network access management client through encryption using a device ID of a terminal device, and obtaining a dynamic password through encryption using the device ID and a time value within a time step, so that the terminal device performs network access authentication using the user name and the dynamic password. The device ID is uniquely assigned by an authentication server to the terminal device, and thus functions to identify the identity of the terminal device, so that network access authentication can be independent of digital certificates, thereby solving the problem that the terminal device cannot accomplish network access authentication for unsupported use of or unavailability of a digital certificate, while meeting network access security requirements.

Disclosed are various embodiments for authenticating a user using non-fungible tokens (NFTs). A trusted token issuer verifies a user's identity according to identifying credentials (e.g., government issued identification, passport, driver's license, etc.) presented by the user and creates a non-fungible token in response to verifying the credentials. The non-fungible token is associated with a user identifier and can be used by an access provider to authenticate a user requesting access to restricted content provided by the access provider. For example, when a client device associated with the user requests access from an access provider to an access-restricted website or other type of access-restricted area (e.g., building, concert venue, network, etc.), the access provider (e.g., website server, building computing device, venue system, etc.) uses the properties of the non-fungible token to verify one's identity and permit access upon verification.

Signature-based authentication is a core cryptographic primitive essential for most secure networking protocols. A new signature scheme, MSS, allows a client to efficiently authenticate herself to a server. The new scheme is modeled in an offline/online model where client online time is premium. The offline component derives basis signatures that are then composed based on the data being signed to provide signatures efficiently and securely during run-time. MSS requires the server to maintain state and is suitable for applications where a device has long-term associations with the server. MSS allows direct comparison to hash chains-based authentication schemes used in similar settings, and is relevant to resource-constrained devices, e.g., IoT. MSS instantiations are derived for two cryptographic families, assuming the hardness of RSA and decisional Diffie-Hellman (DDH) respectively. Then used is the new scheme to design an efficient time-based one-time password (TOTP) protocol.