H04L9/0844

Biometric knowledge extraction for mutual and multi-factor authentication and key exchange
11652816 · 2023-05-16

Various embodiments relate to a method performed by a processor of a computing system. An example method includes matching a possession object identifier with a stored user secret, generating a decryption key using the stored user secret as an input to a password authenticated key exchange protocol, decrypting an encrypted authentication data message using the decryption key, extracting a user secret from the biometric sample, authenticating the user by matching the extracted user secret with the stored user secret, and authenticating an identity of the user by matching the biometric sample with a biometric reference template associated with the possession object identifier.

Technologies for secure key provisioning with a manageability engine
11650935 · 2023-05-16

Technologies for secure key provisioning include a computing device having a processor with secure enclave support and a manageability controller. The manageability controller receives a secret key from a network source via a network interface that is isolated from untrusted software of the computing device. The manageability controller authenticates a secure enclave of the computing device and, if successful, securely provisions a session key derived from the secret key to the secure enclave. The manageability controller may provision additional session keys after expiration of the session key. The manageability controller may monitor for revocation of the secret key by the network source. If revoked, the manageability controller does not provision additional session keys to the secure enclave. The manageability controller may also provision the session key to a sensor device protected by the secret key, which is pre-provisioned to the sensor device. Other embodiments are described and claimed.

Cryptographic platform system and method

A method includes linking a first application with a first Transport Layer Security (TLS) library, linking a second application with a second TLS library, obtaining a sequence of cryptographic keys by a first agent, the sequence of cryptographic keys based on an agent key and provided from the first agent to the first TLS library, obtaining the sequence of cryptographic keys by a second agent, the sequence of cryptographic keys based on the agent key and provided from the second agent to the second TLS library, establishing communication between the first TLS library and the first agent to create a first trusted relationship, establishing communication between the second TLS library and the second agent to create a second trusted relationship, and establishing a third trusted relationship between the first agent and the second agent.

Secondary Authentication of a User Equipment

A network node operates a Session Management Function (SMF) in a control plane of a core network of a wireless network. The network node authenticates a User Equipment (UE) with an Extensible Authentication Protocol (EAP) server in a secondary authentication process that uses the SMF as an EAP authenticator. The EAP server is outside of the core network and the UE is separately authenticated with a further network node in the control plane of the core network via a primary authentication process. Authenticating the UE in the secondary authentication process comprises exchanging EAP messages between the SMF and the UE and between the SMF and the EAP server. The SMF authorizes a data session between the UE and the external network through a user plane of the core network based on the UE having successfully authenticated via both the primary authentication process and the secondary authentication process.

Birth private-key based security for rest API in IoT devices

A system may be configured to perform secure low-latency and low-throughput support of REST APIs in IoT devices. In some aspects, the system may establish a first encrypted communication channel with an application of a management device, receive a certificate signing request including a public key of the application via the private channel, sign the public key of the application using read-only birth secret information to generate a first signed certificate, and transmit the first signed certificate via the private channel. Further, the system may receive an authentication request including a second signed certificate via a second encrypted communication channel, determine that the second signed certificate matches the first signed certificate via the read-only birth secret information, and transmit an application credential to the application via the second encrypted communication channel.

ID-BASED CONTROL UNIT-KEY FOB PAIRING
20230208620 · 2023-06-29

A method for pairing a key fob with a control unit is provided. The key fob executes an ID authenticated key agreement protocol with a pairing device based on a key fob identification to authenticate one another and to generate a first encryption key. The pairing device encrypts a control unit identification using the first encryption key. The key fob receives the encrypted control unit identification transmitted from the pairing device. The key fob then executes an ID authenticated key agreement protocol with the control unit based on the control unit identification to authenticate one another and to generate a second encryption key. The key fob then receives an operational key transmitted from the control unit that is encrypted with the second encryption key.

KEY EXCHANGE METHOD, KEY EXCHANGE SYSTEM, KEY DEVICE, TERMINAL DEVICE, AND PROGRAM

A random number generating unit generates random numbers s₁, s₂, s′₁, and s′₂. A public keys randomizing unit generates first randomized public keys information obtained by randomizing public keys using the random number s₁ and second randomized public keys information obtained by randomizing the public keys using the random number s₂. A proxy calculation unit calculates a first commission result by using a secret key and calculates a second commission result by using the secret key. A verification unit calculates a first verification value by using the random number s₂, calculates a second verification value by using the random number s₁, and verifies whether or not the first verification value and the second verification value coincide with each other. A common key calculation unit calculates a common key by using the random numbers s′₁ and s′₂ if the first verification value and the second verification value coincide with each other.

COMPUTER SECURITY LOCKS HAVING SEPARATE KEY PAIRS
20170373851 · 2017-12-28

A computer security lock having separate key pairs includes an encryption board inserted between a main board and a hard disk, and an electronic key inserted into the encryption board to perform a real-time authentication process. The electronic key and the encryption board perform the real-time authentication process and a hardware anti-copy self-testing process, and encrypt the data communicated between the encryption board and the electronic key. After passing the authentication process and the hardware anti-copy self-testing process, the electronic key combines an internally stored key list with the key list on the encryption board, and selects a user key to encrypt/decrypt the data on the disk according to the partition of the hard disk where the encrypted data is written. The computer security lock can assure the safety of the data, and the hardware is prevented from being copied.

MUTUAL AUTHENTICATION METHOD AND APPARATUS
20230208656 · 2023-06-29

The present disclosure relates to mutual authentication methods and apparatuses. In one example method, a digital reflection (DR) sends a first message to a terminal device, where the first message includes a first DR public key that is a public key of the DR signed by using a private key of a home network. The DR encrypts a first random number by using a second terminal device public key. The DR sends a second message to the terminal device, where the second message includes the first random number encrypted by using the second terminal device public key. The DR receives a second response message sent by the terminal device, where the second response message includes an encrypted first random number encrypted by using a second DR public key. The DR decrypts the encrypted first random number by using a private key of the DR to obtain the first random number.

METHODS AND APPARATUS TO AUTHENTICATE AND DIFFERENTIATE VIRTUALLY IDENTICAL RESOURCES USING SESSION CHAINING
20170373854 · 2017-12-28

Methods and apparatus to authenticate and differentiate virtually identical resources using session chaining are disclosed. In response to a session request from at least one of a management device or a resource, example methods and apparatus locate a session chain stack associated with an identifier of the at least one of the management device or the resource, and determine whether a first nonce at a top of the session chain stack associated with the identifier of the at least one of the management device or the resource is equal to a second nonce associated with the session request from the at least one of the management device or the resource. Upon determining that the first nonce at the top of the session chain stack associated with the identifier of the at least one of the management device or the resource is equal to the second nonce, example methods and apparatus initiate a session between the management device and the resource, and re-negotiate the second nonce between the management device and the resource to generate a third nonce.