Patent classifications
H04L9/3263
SYSTEMS AND METHODS FOR POSTURE CHECKING ACROSS LOCAL NETWORK ZONE ZTNA CONTROL
Systems, devices, and methods are discussed for providing ZTNA control across multiple related but independently provisioned networks.
Tokenizing scarce goods with provenance history bound to biological fingerprints
Techniques are described for enabling the creation of a digital asset representation of physical goods (e.g., luxury items) produced in limited quantities, or of heirloom goods associated with restricted ownership rules. Anti-counterfeiting mechanisms are proposed for both classes of goods. The provenance of both classes of goods is traced using cryptography and decentralized ledger technology. For example, mechanisms to restrict ownership of heirloom goods are proposed based on the combination of the DNA biological fingerprint of the patron who originated the goods and smart contract technology. The goods can be represented as digital tokens on the blockchain, binding manufacturing evidence to the token. For heirloom goods that have restricted ownership rules, persons seeking to acquire the good via the digital token and smart contract are required to prove that they satisfy the entitlement rules based on a biological relationship to the patron.
AUTONOMOUS DISTRIBUTED WIDE AREA NETWORK HAVING CONTROL PLANE AND ORDER MANAGEMENT ON A BLOCKCHAIN
An autonomous distributed wide area network (AD-WAN) includes several nodes, where each node connects a local area network to an open wide area network and provides tunnels over the open wide area network to other nodes in the AD-WAN, so that computing resources behind each node can communicate as if they were located on a common intranet. Each node has a blockchain wallet and receives updates to a private permissioned blockchain ledger for that AD-WAN. The updates are provided by a control node. Setup of, and subsequent changes to, the AD-WAN are initiated via a customer portal, which provides order information to the control node; the control node processes the order information and generates a blockchain update that informs the affected nodes in the AD-WAN of the changes to be made. As a result, the blockchain provides both control plane and order management operation of the AD-WAN.
Transparently using macaroons with caveats to delegate authorization for access
The disclosed technology teaches confirming delegation of authorization from an authorization server (AS) by a client to a service. The AS issues an OAuth2 access token in the form of a Macaroon (MAT), optionally with caveats, including a root signature, and provides the MAT to a client. The client modifies the OAuth2 access token by appending caveats that narrow authorization and by applying a message authentication code (MAC) chaining algorithm to generate an updated signature to include in the resulting MAT with caveats (MATwC). The client delegates authorization to a service by forwarding the MATwC to the service; the service uses the MATwC to access a resource server (RS); the RS passes the MATwC to the AS; and the AS determines the authenticity of the MATwC as a bearer token, evaluates the scope of authorization from the MAT as narrowed by the caveats, and reports the results.
Client certificate authentication in multi-node scenarios
A routing plane includes an authentication packaging system that receives client authentication information as part of a request from a requesting client that is to be routed to a target service. The authentication packaging system combines the authentication information with assertion information, indicative of an assertion as to the identity of the routing plane, using an entropy such as a signing key. The resulting authentication package is attached to the request and sent to the target service. The target service validates the authentication package based on the entropy, authenticates the routing plane based on the assertion information, and performs authentication processing based on the client authentication information.
Agile node isolation through using packet level non-repudiation for mobile networks
Apparatus, systems and methods for agile network isolation through use of packet level non-repudiation (PLNR) are provided. Using fast cryptography to verify that incoming packets are undeniably received from the identified source, real-time attack notifications can be independently verified and shared among the network devices to remove compromised nodes from the network. Collaboration among nodes without mutual trust may be achieved via PLNR; sharing of attack notifications in real time may be achieved via the Telling Attack Layer (TATL); and establishing the identity of an attack in a permanent and binding way may be achieved via DISCOvery (DISCO).
Distributed ledger for network security management
Techniques are described for managing a network through use of a security device that includes, or has access to, a blockchain node. The security device may manage a network of Internet-of-Things (IoT) devices in a home or other environment. The security device may act as an intermediary to manage secure, trusted communications between the IoT device(s) and external service(s). The security device may also provide network security features such as a network firewall. In some implementations, the security device may run a blockchain node, and the blockchain could be used to establish a verifiable home identity. The security device may interact with external resources and/or services, such as utility services, e-commerce services, and so forth, through this secure mechanism.
Digital data content certification system, data certification device, user terminal, computer program and method therefor
A file is created in which digital data and a certificate are integrated, and content authentication for the digital data and the certificate is performed simultaneously. A data authentication device (1) is provided with: an original data receiving means which is communicably connected to a user terminal (2) and a timestamp provision device (3), and receives original data to be authenticated from the user terminal (2); an intermediate file creation means which creates an authentication file corresponding to the original data, and attaches the actual original data to the authentication file to create an intermediate file; a timestamp request means which transmits the intermediate file to the timestamp provision device (3); a date/time security information acquisition means which receives from the timestamp provision device (3) date/time security information containing date/time information and a hash value for the intermediate file; an authenticated file creation means which embeds the received date/time security information in the intermediate file and creates an authenticated file; and an authenticated file transmission means which transmits the authenticated file to the user terminal (2).
PERIMETER ENCRYPTION
Encryption keys for an enterprise are stored at a perimeter device such as a gateway, and rules are applied at the network perimeter to control whether and how these keys are used for cryptographic processing of communications passing through the perimeter device. The encrypted status of communications, e.g. whether and how files are encrypted with the encryption keys, may also be used to assist in selecting appropriate security handling and routing of the communications.
Information Sharing System, Computer, and Information Sharing Method
An information sharing system is provided, comprising a server and an in-vehicle system. The server includes: a first storage part; a first key generation part configured to generate a first private key and a first public key if keys can be exchanged with the in-vehicle system; and a signature generation part configured to generate a signature value of the first public key using a server private key. The in-vehicle system includes: a second storage part configured to store a public key certificate including a server public key; a signature verification part configured to verify the first public key and the signature value received from the server, using the public key certificate; and a second key generation part configured to generate a second private key and a second public key if the combination of the first public key and the signature value is correct as a result of the verification.