Methods and apparatus to establish secure low energy wireless communications in a process control system are disclosed. An example field device includes a Bluetooth Low Energy (BLE) interface to receive a first initialization message from a remote device over an unpaired BLE connection. The first initialization message includes a plaintext message containing authentication content. The authentication content is generated based on a private authentication token available to the remote device using middleware. The field device also includes a BLE message analyzer to validate the plaintext message based on the authentication content using the authentication token stored by the field device.

A communication method according to an embodiment of the present disclosure includes establishing, by a second terminal, a connection with a first terminal through a first communication channel that uses a first protocol, receiving, by the second terminal, a first message including a public key of the first terminal through the first communication channel, storing, by the second terminal, the public key of the first terminal, performing, by the second terminal, a security authentication routine through an authentication unit communicatively connected to the second terminal, and transmitting to the first terminal, by the second terminal, a second message including a public key of the second terminal through the first communication channel on the basis of a determination that authentication has succeeded, and generating a first secret key.

Aspects of the disclosure provide various methods relating to enclaves. For instance, a method of authentication for an enclave entity with a second entity may include receiving, by one or more processors of a host computing device of the enclave entity, a request and an assertion of identity for the second entity, the assertion including identity information for the second identity; using an assertion verifier of the enclave entity to determine whether the assertion is valid; when the assertion is valid, extracting the identity information; authenticating the second entity using an access control list for the enclave entity to determine whether the identity information meets expectations of the access control list; when the identity information meets the expectations of the access control list, completing the request.

A method for secure key exchange. The method comprises receiving a request to certify a key from a communication partner at an interface between an access and tamper resistant circuit block and exposed circuitry. Within the access and tamper resistant circuit block, a first random private key is generated. A corresponding public key of the first random private key is derived, and a cryptographic digest of the public key and attributes associated with the first random private key is generated. The generated cryptographic digest is signed using a second random private key that has been designated for signing by one or more associated attributes. The public key and the signature are then sent to the communication partner via the interface.

A Bluetooth central apparatus encrypts a piece of verification data according to a secret-key system to generate a first encrypted verification parameter, and transmits the first encrypted verification parameter to a Bluetooth peripheral apparatus. The Bluetooth peripheral apparatus decrypts the first encrypted verification parameter according to the secret-key system to obtain a piece of decrypted verification data. The Bluetooth peripheral apparatus also encrypts the piece of decrypted verification data according to the secret-key system to generate a second encrypted verification parameter, and transmits the second encrypted verification parameter to the Bluetooth central apparatus. After that, the Bluetooth central apparatus decrypts the second encrypted verification parameter according to the secret-key system to obtain the piece of decrypted verification data, and verify whether the Bluetooth peripheral apparatus is valid according to the piece of verification data and the piece of decrypted verification data.

Techniques to protect a subscriber identity, by encrypting a subscription permanent identifier (SUPI) to form one-time use subscription concealed identifiers (SUCIs) using a set of one-time ephemeral asymmetric keys, generated by a user equipment (UE), and network provided keys are disclosed. Encryption of the SUPI to form the SUCIs can mitigate snooping by rogue network entities, such as fake base stations. The UE is restricted from providing the unencrypted SUPI over an unauthenticated connection to a network entity. In some instances, the UE uses a trusted symmetric fallback encryption key K.sub.FB or trusted asymmetric fallback public key PK.sub.FB to verify messages from an unauthenticated network entity and/or to encrypt the SUPI to form a fallback SUCI.sub.FB for communication of messages with the unauthenticated network entity.

A device may receive, from a client device, a request with a single packet authorization (SPA) packet that includes data identifying a universal client device identifier. The device may generate a shared key associated with the universal client device identifier, and may determine that the SPA packet matches a comparison message authentication code (MAC) generated based on the shared key. The device may provide, based on the SPA packet matching the comparison MAC, a MAC associated with the SPA packet to the client device to enable the client device to validate the device.

In one example, a home network associated with a user equipment obtains an authentication request to authenticate the user equipment to a serving network. The home network generates an authentication vector of a mobile security protocol. The authentication vector includes an indication that the user equipment is to be authenticated using a multi-factor authentication process. The home network provides the authentication vector to the serving network to prompt a response from the user equipment that is in accordance with the multi-factor authentication process. The home network authenticates the user equipment to the serving network based on the response.

The present application describes a method, system, and non-transitory computer-readable medium for generating new keys during a secure communication session. A key derivation function is operatively connected to both a counter and a memory. The key derivation function generates new key material from a first input and a second input in response to a signal provided by the counter. The key derivation function generates the new key material and outputs it to the memory.

This disclosure describes techniques for controlling group access to a collaboration technology. The techniques include generating a shared encryption key among authorized producers of content associated with a collaboration technology. The techniques include receiving, by the authorized producers and from authenticated consumers, requests to access the content. The requests may be received in a partitioned manner, such that individual producers are serving a particular subset of the authenticated consumers. In response to receiving the requests, the techniques include sending the shared encryption key from the individual producers to the corresponding subset of authenticated consumers. The techniques include using the shared encryption key to encrypt content by the authorized producers, which may then be decrypted by the authenticated consumers using the shared encryption key, achieving end-to-end encryption of event content.