The disclosed technology teaches confirming proper deployment of sensors, with an authorization server (AS) issuing to a first client a Macaroon access token (MAT), optionally with caveats, including a root signature, and providing the MAT to a client. The client modifies the MAT to produce multiple instances by appending caveats that add a deployment location to each of the instances, and applies a message authentication code (MAC) chaining algorithm to generate updated signatures to include in the instances of a MAT with caveats (MATwC). The first client forwards the multiple instances of the MATwC to respective sensor instances, and a second client receives, from the sensor instances, sensed data and location indicative data, accompanied by respective MATwC instances. The second client verifies that the location indicative data is consistent with the deployment location caveat in the respective MATwC and utilizes instances of the sensed data that are verified as consistent.

The disclosed technology teaches confirming delegation of authorization from an authorization server (AS) by a client to a service, including an AS issuing an OAuth2 access token in the form of a Macaroon (MAT), optionally with caveats, including a root signature, and providing the MAT to a client. Included is the client modifying the OA2 access token by appending caveats that narrow authorization, and by applying a message authentication code (MAC) chaining algorithm to generate an updated signature to include in the resulting MAT with caveats (MATwC), the client delegating authorization to a service by forwarding the MATwC to the service and the service using the MATwC to access a resource server (RS), the RS passing the MATwC to the AS, and the AS determining authenticity of the MATwC as a bearer token and evaluating scope of authorization from the MAT as narrowed by the caveats, and reporting results.

A client node (CN) requests content from an access node (AN). Rule set ACR_CN is provided to CN and AN and ACR_AN is used by AN. A request sent by CN in violation of ACR_CN may be blocked and cause AN to block subsequent requests from CN that would be allowed per ACR_CN. A request blocked according to ACR_AN but not ACR_CN is blocked but subsequent requests may still be allowed according to ACR_CN and ACR_AN. Authenticated distribution of the ACR_CN and ACR_AN may be performed in cooperation with a controller using authenticated tokens (AT).

There is a provided a digital identity network interface system that may include a communications module and a processor. The processor may be configured to receive a signal representing a digital identity request, the digital identity request defining one or more scopes associated with the request, at least one of the scopes identifying a data type associated with the request, generate a query based on the scopes by translating at least one of the scopes into a query having a query format associated with a digital identity network, the digital identity network storing data associated with a plurality of users, send a signal representing the query to the digital identity network, send a link to an authorization device, after successful authentication, obtain data associated with the digital identity request from the digital identity network, and release at least some of the data.

Disclosed are various examples for securing the transmission of files to and from a client device. In some examples, an initialization token is identified for a file that includes a number of portions. An algorithm is iteratively applied to the initialization token to determine that no repeated output occurs over a number of iterations corresponding to the number of file portions. Initialization data is transmitted from a client device to a management service that manages access to the file. The initialization token is included in the initialization data if no repeated output occurs when the algorithm is iteratively applied over the number of iterations.

Embodiments are disclosed that allow encrypted data to be sent between a Bluetooth enabled device and a virtual device associated with a corresponding physical device. In particular, a Bluetooth implementation on the physical device may include one or more raw interfaces to facilitate endpoint to endpoint secure Bluetooth cryptography. Using these raw interfaces, an encrypted Bluetooth channel may be established directly between the virtual device and the Bluetooth enabled device using the radio of the physical device, where data may be encrypted and decrypted at an endpoint of the Bluetooth communication channel (such as at the virtual device or the Bluetooth enabled device) and passed through a Bluetooth implementation on the physical device without any additional encryption or decryption being performed on that data.

A routing plane includes an authentication packaging system that receives client authentication information, as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information indicative of an assertion as to the identity of the routing plane, using an entropy, such as a signing key. The authentication package is attached to the request and is sent to the target service. The target service validates the authentication package based on the entropy and authenticates the routing plane based on the assertion information and performs authentication processing based on the authentication information.

A permissions management system is disclosed for enabling a user to securely authorize a third-party system to access user account data and initiate transactions related to a user account, without disclosing to the third-party system account credentials. The system enables the user to also securely de-authorize the third-party system. For example, records may be automatically generated that securely store account information, including one or more permissions related to the account and/or the third-party. A token associated with a record may be shared with the third-party system, but neither the record itself, nor the user account credentials, may be shared with the third-party. Accordingly, the third-party may request user account data and/or initiate transactions by providing the token, but does not itself know, e.g., the user account credentials. Further, the user may set various permissions related to the token, and may also revoke the token (e.g., de-authorize the third-party), thus providing increased security to the user's account.

Self-replicating management services for distributed computing architectures are provided herein. An example method includes providing one or more nodes providing services; and maintaining a quorum of a plurality of management servers by: providing a distributed coordination service for the one or more nodes on each of the plurality of management servers; managing, via a director, requests for data on the distributed coordination service from the one or more nodes; promoting at least one of the one or more nodes to being one of the plurality of management servers; and maintaining secure tunnels between the plurality of management servers and the one or more nodes.

Techniques for sorting encrypted data within a software as a service (SaaS) environment. Data is encrypted on a per symbol basis with a symbol based encryption module. Sort and search functionality preserving encryption that allows other modules to sort tokens and to search for tokens is provided. Encrypted tokens that have been encrypted by the symbol based encryption module are stored in a database. Access to the encrypted tokens is provided through the SaaS environment.