A computing support system is configured to programmatically manage support access to a computing system via a support technician console across multiple levels of support access. The system receives a request to authenticate a user requesting support for the computing system, issues one or more authentication challenges to the user to authenticate the identity of the user, receives one or more corresponding authentication challenge responses from the user based on the authentication challenge, and verifies a level of authentication based on the authentication challenge response, the level of authentication being selected from multiple levels of authentication. The system also determines a level of support access to the computing system based on the verified level of authentication and the identity of the user and programmatically enforces limits on the support access to the computing system via the support technician console based on the determined level of support access.

A computing support system is configured to programmatically manage support access to a computing system via a support technician console across multiple levels of support access. The system receives a request to authenticate a user requesting support for the computing system, issues one or more authentication challenges to the user to authenticate the identity of the user, receives one or more corresponding authentication challenge responses from the user based on the authentication challenge, and verifies a level of authentication based on the authentication challenge response, the level of authentication being selected from multiple levels of authentication. The system also determines a level of support access to the computing system based on the verified level of authentication and the identity of the user and programmatically enforces limits on the support access to the computing system via the support technician console based on the determined level of support access.

In a general aspect, pseudorandom integers are generated for use in a cryptographic protocol. In some aspects, a first plurality of digits are obtained and converted to a second plurality of digits. The first plurality of digits (e.g., bits) represent an integer in a first number system (e.g., binary), and the second plurality of digits (e.g., trits) represent the integer in a second number system (e.g., trinary). A plurality of integers in the first number system are generated based on the second plurality of digits, and an array of integers is produced. Each integer in the array is less than a modulus, and the array includes the plurality of integers. The array of integers can be used in a lattice-based cryptographic protocol.

Techniques are provided for authenticating a user using shared secret updates. One method comprises, in response to a first authentication of a client using a given shared secret, updating, by the server, the given shared secret using information from the first authentication as part of a secret update protocol to generate an updated shared secret; and evaluating a second authentication using the updated shared secret. An anomaly may be detected when the client attempts the second authentication using a shared secret and the server determines that the shared secret was previously used for an authentication. The server may detect a breach of shared secrets of multiple users by monitoring a number of the detected anomalies across a user population and initiate a predefined recovery flow depending upon a number of impacted users.

Techniques for provisioning a key server to facilitate secure communications between a web server and a client by providing the client with a first data structure including information on how the web server may obtain a target symmetric key are presented. The techniques can include: provisioning the key server with a second data structure including information on how the key server may generate the first data structure; receiving a request on behalf of a web server for a third data structure comprising information on how the client may obtain the first data structure from the key server; and obtaining the third data structure, such that the third data structure is published in association with an identification of the web server, and such that the client uses the third data structure to obtain the first data structure and uses the first data structure to communicate with the web server.

Techniques for distributing a symmetric key using the Domain Name System (DNS) are presented. The techniques can include receiving, at a first key server and from a first computer, a request for first information sufficient for the first computer to obtain, and second information sufficient for a second computer to obtain, a symmetric key for securing at least one communication sent from the first computer to the second computer, and providing, by the first key server and to the first computer, the first information and the second information, such that the first computer secures at least one communication sent from the first computer to the second computer using at least the symmetric key for securing at least one communication sent from the first computer to the second computer.

This disclosure provides systems, methods, and apparatus, including computer programs encoded on computer storage media, for enhancing a device provisioning protocol (DPP) to support multiple configurators. In one aspect, a first configurator device can export a configurator key package. In one aspect, the configurator key package may be used for backup and restore of the configurator keys. The configurator key package may include a configurator private signing key and, optionally, a configurator public verification key. A second configurator device may obtain the configurator key package and also may obtain decryption information which can be used to decrypt the configurator key package. Thus, in another aspect, both the first configurator device and the second configurator device can use the same configurator keys with the device provisioning protocol to configure enrollees to a network.

A computing support system is configured to programmatically manage support access to a computing system via a support technician console across multiple levels of support access. The system receives a request to authenticate a user requesting support for the computing system, issues one or more authentication challenges to the user to authenticate the identity of the user, receives one or more corresponding authentication challenge responses from the user based on the authentication challenge, and verifies a level of authentication based on the authentication challenge response, the level of authentication being selected from multiple levels of authentication. The system also determines a level of support access to the computing system based on the verified level of authentication and the identity of the user and programmatically enforces limits on the support access to the computing system via the support technician console based on the determined level of support access.

A random number generating device includes an uncertain circuit which outputs uncertain data, and a cipher processing device. The cipher processing device encrypts input data using a cipher function of the cipher processing device, and generates a random number including higher uniformity than data outputted from said uncertain circuit using the cipher function of the cipher processing device and the data outputted from the uncertain circuit.

A security device (6) is provided for facilitating management of secret data items such as cryptographic keys which are used by a remote server (2) to authenticate operations of the server (2). The device (6) has a user interface (13), control logic (16) and a computer interface (11) for connecting the device (6) to a local user computer (5) for communication with the remote server (2) via a data communications network (3). The control logic is adapted to establish via the user computer (5) a mutually-authenticated connection for encrypted end-to-end communications between the device (6) and server (2). In a backup operation, the secret data items are received from the server (2) via this connection. The control logic interacts with the user via the user interface (13) to obtain user authorization to backup secret data items and, in response, stores the secret data items in memory (10). To restore secret data items to the server, the control logic interacts with the user via the user interface (13) to obtain user authorization to restore secret data items and, in response, sends the secret data items to the server (2) via said connection.