This application discloses a method for Internet key exchange protocol (IKE) authentication using a certificate. The method includes: A first device parses a certificate to obtain signature information in the certificate. The first device fills an AUTH payload field in an IKE identity authentication (AUTH) message based on the signature information in the certificate, where signature information indicated by the AUTH payload field matches the signature information in the certificate. The first device sends the IKE AUTH message to a second device. In the method for Internet key exchange protocol IKE authentication using a certificate provided in this application, the first device may automatically parse the signature information in the certificate, and fill the related field of the IKE AUTH message based on the signature information. Therefore, user configuration is simplified and product usability is improved.

User identities, password, etc. represent the barrier between a user's confidential data and any other third party seeking to access this data. As multiple software applications, web applications, web services, etc. embody this confidential data it is a tradeoff between easy recollection of said identities, passwords, etc. and data security. However, malware by intercepting user credentials provides third parties access to even complex passwords, user credentials, security keys etc. even where these are changed/updated regularly. Within the prior art substantial work has gone into addressing malware. However, in many instances the user is at or very near the computer with a software application executing a transaction requiring credentials/authorisation with a portable electronic device or another device. Accordingly, it would be beneficial to provide users with an out-of-band communications channel for exchanging credentials and/or keys etc.

A method and an apparatus for establishing secure communication. The method includes: a terminal device receives a first message from a first network element, where the first message includes an identifier of a second network element and first indication information, and the first indication information indicates a candidate authentication mechanism associated with the second network element. The terminal device establishes a communication connection with the second network element based on the candidate authentication mechanism. The terminal device may obtain an authentication mechanism of the dynamically configured second network element, to meet a requirement for establishing a secure communication connection through authentication in an MEC architecture.

A tracking device can use a permanent encryption key pair to encrypt a temporary private key that corresponds to a set of diversified temporary public keys. When a community mobile device subsequently detects the tracking device, the central tracking system provides a diversified temporary public key to the community mobile device. The community mobile device uses the diversified temporary public key to encrypt location data representative of a location of the community mobile device, and provides the encrypted location data to the central tracking system. When a user subsequently requests a location of the tracking device from the central tracking system, the central tracking system provides the encrypted temporary private key and the encrypted location data to a device of the user, and the device can decrypt the encrypted temporary private key using the permanent encryption key pair, and decrypt the encrypted location data using the decrypted temporary private key.

A method for side-channel attack mitigation in streaming encryption includes reading an input stream into a decryption process, extracting an encryption envelope having a wrapped key, a cipher text, and a first message authentication code (MAC) from the input stream, generating a second MAC using the wrapped key of the encryption envelope, and performing decryption of the cipher text in constant time by determining whether the encryption envelope is authentic by comparing the first MAC extracted from the encryption envelope and the second MAC generated using the wrapped key.

Technical problems and their solution are disclosed regarding the location of mobile devices requesting services near a site from a server. Embodiments adapt and/or configure the transmitting device near the site, the mobile device communicating with the transmitting device using a short haul wireless communications protocol to deliver a token based upon a key shared with the server but invisible to the mobile device. The server can determine the proximity of the mobile device to the site to control actuation of the requested service or disable the service request, and possibly flushing the service request from the server. Solutions are disclosed for traffic intersections involving one or more traffic lights, elevators in buildings, fire alarms in buildings and valet parking facilities.

An authentication method in a secure channel unused mode on a first terminal in which Fine Ranging (FiRa) applet drives according to an embodiment of the present disclosure includes generating a session basic information including a random value, transmitting the generated session basic information to a second terminal, generating session data including a session key from the generated session basic information using an authentication key pre-shared with the second terminal, and performing ultra-wide band (UWB) ranging with the second terminal using the generated session data.

The present invention disclose a key distribution method. The method includes obtaining, by a first key management system, a shared key of a first network element, where the shared key of the first network element is generated according to a key parameter obtained after the first network element performs authentication or a root key of the first network element; obtaining a service key, where the service key is used to perform encryption and/or integrity protection on communication data in a first service between the first network element and a second network element; performing encryption and/or integrity protection on the service key by using the shared key of the first network element, to generate a first security protection parameter; and sending the first security protection parameter to the first network element. According to present invention, data can be protected against an eavesdropping attack in a sending process.

A system allows the identification and protection of sensitive data in a multiple ways, which can be combined for different workflows, data situations or use cases. The system scans datasets to identify sensitive data or identifying datasets, and to enable the anonymisation of sensitive or identifying datasets by processing that data to produce a safe copy. Furthermore, the system prevents access to a raw dataset. The system enables privacy preserving aggregate queries and computations. The system uses differentially private algorithms to reduce or prevent the risk of identification or disclosure of sensitive information. The system scales to big data and is implemented in a way that supports parallel execution on a distributed compute cluster.

Systems and methods for automatic VPN establishment are provided.