Conventionally, biometric template protection has been achieved to improve matching performance with high levels of security by use of deep convolution neural network models. However, such attempts have prominent security limitations mapping information of images to binary codes is stored in an unprotected form. Given this model and access to the stolen protected templates, the adversary can exploit the False Accept Rate (FAR) of the system. Secondly, once the server system is compromised all the users need to be re-enrolled again. Unlike conventional systems and approaches, present disclosure provides systems and methods that implement encrypted deep neural network(s) for biometric template protection for enrollment and verification wherein the encrypted deep neural network(s) is utilized for mapping feature vectors to a randomly generated binary code and a deep neural network model learnt is encrypted thus achieving security and privacy for data protection.

A method for replacing an existing key derivation key in a utility meter arranged in a meter communication infrastructure in a secure way. The method provide a secure mechanism for exchange of symmetric keys without the need for transferring keys across the meter communication infrastructure. From the head-end system to the utility meter is transmitted a command data message comprising a request for replacing the existing key derivation key with the new key derivation key, the key-generation information and a activation key or an authentication code calculated based on the activation key. The utility meter receiving the command data message is arranged to derive the new key derivation key based on a copy of a disaster recovery key stored in the utility meter and on the key-generation information comprised in the received command data message. Further, the utility meter is arranged for deriving a activation key from the new key derivation key. The activation key is used for verifying the command data message. If the command data message is verified the existing key derivation key is replaced by a new key derivation key.

A method for validating a field device is disclosed. The field device includes a plurality of hardware and software modules and is provided with a first cryptographic signature on the manufacturer side. The first cryptographic signature identifies the device manufacturer or the original delivery state of the field device. The origin and integrity of the field device is validated on the customer side using the first cryptographic signature. Once the field device is adapted to a defined machinery, the field device is provided with a second cryptographic signature on the customer side. The second cryptographic signature identifies the adaptations of the field device made on the customer side as a machinery-specific desired state of the field device. At least one validation of the field device is carried out on the customer side using the second cryptographic signature during the period of installation of the field device in the defined machinery.

Various embodiments are directed to securely generating and managing passwords using a near-field communication (NFC) enabled contactless smart card. For example, a secure password may be generated by generating a random number via a random number generator of the contactless smart card and converting the random number to one or more human-readable characters. In another example, a secure cryptographic hash function of the contactless smart card may generate a hash output value, which may be converted to one or more human-readable characters. The human-readable characters may be used as the secure password or it may be transformed to add more layers of security and complexity.

An example operation may include one or more of storing one or more public keys of one or more policy services, receiving, via a signing service, a blockchain transaction that has content that has been verified by a policy service and includes a signature created by a private key of the policy service, verifying, via a hardware security module (HSM), the signature of the policy service based on a public key of the policy service from among the one or more public keys, and in response to a verification of the signature of the policy service, signing, via the HSM, the blockchain transaction using a wallet key of a user of the blockchain transaction.

The present invention provides a method for authenticating an end-user account associated with at least one cryptographic key stored in the form of a PKA object within a HSM, wherein the method comprises the following steps: creating a PKA object comprising authentication data, PKA-based user object, this authentication data at least comprising the log-in credentials of the end-user account, receiving, by the HSM, log-in credentials of the end-user account for retrieving and instantiating the PKA-based user object at session level, and authenticating, by the HSM, the PKA-based user object using a PKCS #11.

Multiple systems, methods, and computer program product embodiments for password-less authentication using key agreement and multi-party computation (MPC). In one or more embodiments, following an authentication request received by a host computing device, the host computing device and a user computing device generate a shared key using a key agreement algorithm. Then, the host computing device generates a challenge that is encrypted using the shared key and transmitted to the user computing device. The user computing device decrypts the challenge after regenerating the shared key and sends the decrypted result to the host computing device as the challenge response. The authentication request is granted by the host computing device if the challenge and the challenge response match. New keys and a new challenge are generated for each authentication request. This process relies on public key cryptography eliminating the needs for passwords.

A secure element (SE) for processing a digital key includes a communication interface for communicating with a host, a memory for storing programs and data for processing the digital key, and a processor for executing the programs stored in the memory to receive a digital key processing request from a target device, determine whether a service is providable to the target device, by using a service-provider-specific service performance manager, process the digital key by using a digital key manager based on digital key processing information stored in the memory, upon determining that a service is providable to the target device, issue a digital key processing certificate by using the service-provider-specific service performance manager based on authentication information stored in the memory, and transmit the digital key processing certificate to at least one of a service provider and the target device.

A hardware security accelerator includes a configurable parser that is configured to receive a packet and to extract from the packet headers associated with a set of protocols. The security accelerator also includes a packet type detection unit to determine a type of the packet in response to the set of protocols and to generate a packet type identifier indicative of the type of the packet. A configurable security unit includes a configuration unit and a configurable security engine. The configuration unit configures the configurable security engine according to the type of the packet and to content of at least one of the headers extracted from the packet. The configurable security engine performs security processing of the packet to provide at least one security result.

An approach is provided for distributing a root key to a hardware security module (HSM) of an HSM cluster. A signed first command is transmitted to a source HSM to create a master key. A fingerprint of the master key is received in a response signed by the source HSM using a module signing key hardcoded into the source HSM at manufacturing time. A second command is transmitted to a first HSM to generate an importer key pair. A request is transmitted to the source HSM to create and export a wrapped master key. The master key wrapped with a transport key is received. The wrapped master key is transmitted to the first HSM. The master key is activated in the first HSM.