

Title:
SYSTEM AND METHOD FOR DEVICE AUTHENTICATION USING HARDWARE AND SOFTWARE IDENTIFIERS
Document Type and Number:
WIPO Patent Application WO/2017/153990
Kind Code:
A1
Abstract:
Systems and methods of authenticating a computing device, including determination of a unique identifier of the computing device, wherein the unique identifier corresponds to at least one media access control (MAC) address of the computing device, determination of an IPvX identifier for the computing device, wherein the IPvX identifier corresponds to the determined unique identifier of the computing device, and authentication of the determined IPvX identifier with data received from the computing device.

Inventors:
KAWE CHAIM MENACHEM (IL)
HADAD ZIV MERON (IL)
EISENBERG IDAN AVRAHAM (IL)
Application Number:
PCT/IL2017/050286
Publication Date:
September 14, 2017
Filing Date:
March 08, 2017
Assignee:
PROTECTIVX LTD (IL)
International Classes:
H04L12/22; H04L12/28
Domestic Patent References:
WO2015002545A1 (2015-01-08)
Foreign References:
US8572366B1 (2013-10-29)
US20060294257A1 (2006-12-28)
US8934490B2 (2015-01-13)
US9173129B2 (2015-10-27)
Attorney, Agent or Firm:
FRYDMAN, Idam et al. (IL)
Claims:
CLAIMS

1. A method of authenticating identity of a computing device, the method comprising:

determining, by a processor, a unique identifier of the computing device, wherein the unique identifier corresponds to at least one media access control (MAC) address of the computing device;

determining, by the processor, an IPvX identifier for the computing device, wherein the IPvX identifier corresponds to the determined unique identifier of the computing device; and

authenticating, by the processor, the determined IPvX identifier with data received from the computing device.

2. The method as in claim 1, comprising storing the determined IPvX identifier as an initial key store.

3. The method as in claim 1, comprising:

determining at least one MAC address of the computing device; and

transmitting the at least one MAC address to a remote server.

4. The method as in claim 1, wherein the IPvX identifier is determined with a number of bits equal or greater than 128.

5. The method as in claim 1, further comprising encrypting, by an encryption engine, at least one of a hardware identifier and a software identifier of the computing device, and modifying the MAC identifier based on the output of the encryption.

6. The method as in claim 1, further comprising determining an initial key store based on the at least one MAC address of the computing device.

7. A method of authenticating identity of a computing device, the method comprising:

storing, in a memory, a unique network identifier of the computing device;

determining, by a processor, a first identifier of the computing device, the first identifier being a function of the unique network identifier and data from at least one of a hardware component and a software component associated with the computing device;

receiving, from the computing device, data associated with the unique network identifier, and receiving from the computing device the data from at least one of the hardware component and the software component associated with the computing device;

determining, by the processor, a second identifier, the second identifier being a function of the unique network identifier and of the data from at least one of the hardware component and the software component associated with the computing device;

comparing, by the processor, the first identifier to the second identifier; and issuing a signal of an authentication of the computing device if the comparing indicates that the first identifier matches the second identifier.

8. The method as in claim 7, wherein the unique network identifier includes at least one of a media access control (MAC) address and an IPvX identifier.

9. The method as in claim 8, comprising calculating the IPvX identifier using the MAC address.

10. The method as in claim 8, wherein the first identifier is a function of the IPvX identifier and the data from at least one of the hardware component and the software component associated with the computing device.

11. The method as in claim 7, wherein the first identifier is stored remotely from the computing device.

12. The method as in claim 7, comprising performing remote server virtualization.

13. The method as in claim 7, comprising registering the computing device in a device registration management system (DRMS).

14. A system for authenticating identity of a device comprising:

at least one processor; and

a memory,

wherein the memory is configured to store a unique network identifier of the computing device, and wherein the at least one processor is configured to:

calculate an IPvX identifier for the computing device using a media access control (MAC) address of the computing device;

calculate an IPvX for the device using the IPvX identifier and a unique identifier of at least one of a hardware component and software component of the computing device;

store in the memory the IPvX in association with the computing device;

compare the stored modified IPvX identifier to data received from the computing device upon an authentication of the computing device; and

issue a signal of an authentication of the computing device upon indication that the stored modified IPvX matches the data received from the computing device.

15. The system as in claim 14, wherein the IPvX identifier is calculated with a number of bits equal or greater than 128.

16. The system as in claim 14, further comprising a plurality of remote servers, and wherein the at least one processor is further configured to route a plurality of comparisons among the plurality of remote servers.

17. The system as in claim 14, wherein the at least one processor is further configured to scan at least one communication port of the computing device to detect more than a single MAC address.

18. The system according to claim 15, wherein at least one of the plurality of remote servers comprises a memory configured to store at least one unique identifier of the computing device.

19. The system according to claim 15, wherein at least one of the plurality of remote servers is a virtual server.

20. The system according to claim 14, installed in an access layer.

21. The system according to claim 14, installed in a virtual private cloud.

22. The system according to claim 14, further comprising an encryption engine configured to encrypt at least one of a hardware identifier and a software identifier of the computing device and modify the IPvX identifier based on the output of the encryption.

23. The system according to claim 14, wherein the at least one processor is configured to be registered in a device registration management system (DRMS).

24. A method of authenticating identity of a computing device, the method comprising:

determining, by a processor, a unique identifier of the computing device, wherein the unique identifier corresponds to at least one media access control (MAC) address of the computing device;

determining, by the processor, an IPvX identifier for the computing device, wherein the IPvX identifier corresponds to the determined unique identifier of the computing device; and

calculating, by the processor, the determined IPvX identifier with a number of bits equal or greater than 128 based on data received from the computing device.

Description:
SYSTEM AND METHOD FOR DEVICE AUTHENTICATION USING HARDWARE AND SOFTWARE IDENTIFIERS

FIELD OF THE INVENTION

[001] The present invention relates to communication systems. More particularly, the present invention relates to authentication of data using IPvX identifiers.

BACKGROUND OF THE INVENTION

[002] Mobile devices are considered one of the weakest links in corporate security. Mobile phone security is particularly challenging because such devices are designed to connect in many different ways. Whether it is a text message, email, web browsing, Bluetooth or near-field communication (NFC) connectivity, each method of communication is a potential attack route. Phones are also often set to connect automatically and display quick preview images, data or text. This makes it possible to exploit a system without the recipient opening or 'clicking' anything. Device security can also be compromised during production, as happened in 2014 when a factory-installed "Trojan horse" was found on a smartphone; it enabled hackers to operate the phone remotely and, being embedded at the factory, could not be removed.

[003] While global cybercrime is intensifying, corporations and organizations grow increasingly more dependent on mobile technologies. The growing use of mobile organizational practices expands the vulnerabilities sought by hackers, who only need a narrow gap to succeed. Hackers use a diversified range of tactics, like posing as a legitimate cell tower or a Wi-Fi hotspot and intercepting or modifying communications, soliciting a careless user to install a mobile Remote Access Trojan (mRAT), thereby gaining complete control over smartphones from afar and accessing all of the on-device data, injecting a trusted Bluetooth credential via NFC, dialing the device and monitoring the surroundings, delivering operating system malware using fake certificates or malicious profiles, or transforming a private call into a conference call.

[004] The new wave of threats is turning enterprises into targets for cybercrime as well as into a conduit for attacks directed at their employees. Furthermore, IT teams struggle to ensure not only the protection of sensitive data but the resilience of mobile devices originally intended to contribute to business efficiency. The mobile security ecosystem fights cybercrime by addressing threats on the device, in the applications and in the network. It focuses on detecting threats and mitigating the risks involved. Though this strategy minimizes the impact on users and provides IT administrators with managerial flexibility, it fails to provide effective protection against salient cyber-attack vectors, as it does not reduce the size of the vulnerable surface, it focuses on device management within the boundaries of known weaknesses, it functions through the inherently unprotected processes of commercial mobile operating systems, and it is reactive by nature. Thus, mobile devices and the networks they connect to remain soft targets for cybercrime, which compels high-security organizations to apply a more holistic strategy.

SUMMARY OF THE INVENTION

[005] The disclosed invention describes systems and methods for authenticating network devices and their legitimate users. Such systems and methods may be implemented and effectively used, among other purposes, for securing connected devices and networks from hacking and/or other attacks.

[006] There is thus provided, in accordance with some embodiments of the invention, a method of authenticating identity of a computing device, the method including determining, by a processor, a unique identifier of the computing device, wherein the unique identifier corresponds to at least one media access control (MAC) address of the computing device, determining, by the processor, an IPvX identifier for the computing device, wherein the IPvX identifier corresponds to the determined unique identifier of the computing device, and authenticating, by the processor, the determined IPvX identifier with data received from the computing device.

[007] In some embodiments, the method further includes storing the determined IPvX identifier as an initial key store. In some embodiments, the method further includes determining at least one MAC address of the computing device, and transmitting the at least one MAC address to a remote server.

[008] In some embodiments, the method further includes encrypting, by an encryption engine, at least one of a hardware identifier and a software identifier of the computing device, and modifying the MAC identifier based on the output of the encryption. In some embodiments, the method further includes determining an initial key store based on the at least one MAC address of the computing device.

[009] There is thus provided, in accordance with some embodiments of the invention, a method of authenticating identity of a computing device, the method including storing, in a memory, a unique network identifier of the computing device, determining, by a processor, a first identifier of the computing device, the first identifier being a function of the unique network identifier and data from at least one of a hardware component and a software component associated with the computing device, receiving, from the computing device, data associated with the unique network identifier, and receiving from the computing device the data from at least one of the hardware component and the software component associated with the computing device, determining, by the processor, a second identifier, the second identifier being a function of the unique network identifier and of the data from at least one of the hardware component and the software component associated with the computing device, comparing, by the processor, the first identifier to the second identifier, and issuing a signal of an authentication of the computing device if the comparing indicates that the first identifier matches the second identifier.

[010] In some embodiments, the unique network identifier includes at least one of a media access control (MAC) address and an IPvX identifier. In some embodiments, the method further includes calculating the IPvX identifier using the MAC address. In some embodiments, the first identifier is a function of the IPvX identifier and the data from at least one of the hardware component and the software component associated with the computing device.

[011] In some embodiments, the first identifier is stored remotely from the computing device. In some embodiments, the method further includes performing remote server virtualization.

[012] There is thus provided, in accordance with some embodiments of the invention, a system for authenticating identity of a device including at least one processor, and a memory, wherein the memory is configured to store a unique network identifier of the computing device, and wherein the at least one processor is configured to calculate an IPvX identifier for the computing device using a media access control (MAC) address of the computing device, calculate an IPvX for the device using the IPvX identifier and a unique identifier of at least one of a hardware component and software component of the computing device, store in the memory the IPvX in association with the computing device, compare the stored modified IPvX identifier to data received from the computing device upon an authentication of the computing device, and issue a signal of an authentication of the computing device upon indication that the stored modified IPvX matches the data received from the computing device.

[013] In some embodiments, the system further includes a plurality of remote servers, and wherein the at least one processor is further configured to route a plurality of comparisons among the plurality of remote servers. In some embodiments, the at least one processor is further configured to scan at least one communication port of the computing device to detect more than a single MAC address. In some embodiments, at least one of the plurality of remote servers includes a memory configured to store at least one unique identifier of the computing device.

[014] In some embodiments, at least one of the plurality of remote servers is a virtual server. In some embodiments, the system may be installed in an access layer. In some embodiments, the system may be installed in a virtual private cloud. In some embodiments, the system further includes an encryption engine configured to encrypt at least one of a hardware identifier and a software identifier of the computing device and modify the IPvX identifier based on the output of the encryption.

BRIEF DESCRIPTION OF THE DRAWINGS

[015] The subject matter regarded as the invention is particularly pointed out and distinctly claimed in the concluding portion of the specification. The invention, however, both as to organization and method of operation, together with objects, features, and advantages thereof, may best be understood by reference to the following detailed description when read with the accompanying drawings in which:

[016] Fig. 1 is a schematic illustration of a communication system in accordance with an embodiment of the invention;

[017] Fig. 2 shows a flowchart for a method of indexing software and hardware identifiers and creating a key store for authentication, according to one embodiment of the present invention;

[018] Fig. 3 shows a flowchart of an authentication process, according to embodiments of the present invention;

[019] Fig. 4. shows a flowchart for registration of computing device with corresponding key stores, according to embodiments of the present invention;

[020] Fig. 5 shows a flowchart for adding and/or removing devices from the server, according to embodiments of the present invention;

[021] Fig. 6 shows the structure of an IPvX data packet, according to embodiments of the present invention;

[022] Fig. 7A shows a lookup table for an authentication process, according to embodiments of the present invention;

[023] Fig. 7B shows a lookup table for another authentication process, according to embodiments of the present invention;

[024] Fig. 8 shows an example for the indexing method in Fig. 7B, according to embodiments of the present invention;

[025] Fig. 9 shows a flowchart for an authentication method, according to embodiments of the present invention;

[026] Fig. 10 shows a flowchart for authentication confirmation, according to embodiments of the present invention;

[027] Fig. 11 shows a block diagram of a device identification management system (DIMS), according to embodiments of the present invention;

[028] Fig. 12 schematically illustrates the structure of virtual machine (VM) architecture, according to some embodiments;

[029] Fig. 13 schematically illustrates the structure of secure containers, according to embodiments of the present invention;

[030] Fig. 14 schematically illustrates the structure of Microsoft data center architecture, according to embodiments of the present invention; and

[031] Fig. 15 schematically illustrates the structure of Cisco secure data center architecture, according to embodiments of the present invention.

[032] It will be appreciated that, for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity. Further, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements.

DETAILED DESCRIPTION OF THE PRESENT INVENTION

[033] In the following detailed description, numerous specific details are set forth in order to provide a thorough understanding of the invention. However, it will be understood by those skilled in the art that the invention may be practiced without these specific details. In other instances, well-known methods, procedures, components, modules, units and/or circuits have not been described in detail so as not to obscure the invention. Some features or elements described with respect to one embodiment may be combined with features or elements described with respect to other embodiments. For the sake of clarity, discussion of same or similar features or elements may not be repeated.

[034] Although embodiments of the invention are not limited in this regard, discussions utilizing terms such as, for example, "processing," "computing," "calculating," "determining," "establishing", "analyzing", "checking", or the like, may refer to operation(s) and/or process(es) of a computer, a computing platform, a computing system, or other electronic computing device, that manipulates and/or transforms data represented as physical (e.g. electronic) quantities within the computer's registers and/or memories into other data similarly represented as physical quantities within the computer's registers and/or memories or other information non-transitory storage medium that may store instructions to perform operations and/or processes. Although embodiments of the invention are not limited in this regard, the terms "plurality" and "a plurality" as used herein may include, for example, "multiple" or "two or more". The terms "plurality" or "a plurality" may be used throughout the specification to describe two or more components, devices, elements, units, parameters, or the like. Unless explicitly stated, the method embodiments described herein are not constrained to a particular order or sequence. Additionally, some of the described method embodiments or elements thereof can occur or be performed simultaneously, at the same point in time, or concurrently.

[035] Embodiments of the invention may include an article such as a computer or processor non-transitory readable medium, or a computer or processor non-transitory storage medium, such as for example a memory, a disk drive, or a USB flash memory, encoding, including or storing instructions, e.g., computer-executable instructions, which, when executed by a processor or controller, cause the processor to carry out methods disclosed herein.

[036] Reference is now made to Fig. 1, which schematically illustrates a communication system 100, according to some embodiments of the invention. Communication system 100 may include one or more first computing device 102 and second computing device 103 that are coupled to a network to transmit data such as packet data over a network 104 and/or other networks 106 (e.g., a cellular network). Network 104 may be a communication network such as a cellular network, a wireless network, a local area network, and/or a wide area network such as the Internet. Communication system 100 may include one or more server 108 such as application servers (physical and/or virtual servers) that may include one or more server processors 109. Such processor 109 may be, for example, a central processing unit processor (CPU), a chip or any suitable computing or computational device, where server processor 109 may be configured to carry out methods as disclosed herein by for example executing code or software. In some embodiments, one or more first computing device 102 and second computing device 103 may be directly connected to server 108.

[037] Embodiments of the invention may include machine-readable executable code contained in a non-transitory storage medium for a computing device, wherein the executable code, when executed by the computing device, causes the computing device to perform a method of the invention. In some embodiments, one or more of the functions performed by server processor 109 may be performed by more than one server processor, which may be housed remotely from one another.

[038] Communication system 100 may include one or more database 105 and/or information storage devices or memories 110, some or all of which may be in communication with network 106. Database 105 and/or memory 110 may be or may include, for example, a Random Access Memory (RAM), a read only memory (ROM), a Dynamic RAM (DRAM), a Synchronous DRAM (SD-RAM), a double data rate (DDR) memory chip, a Flash memory, a volatile memory, a non-volatile memory, a cache memory, a buffer, a short term memory unit, a long term memory unit, or other suitable memory units or storage units. Database 105 and/or memory 110 may be or may include a plurality of, possibly different memory units. In some embodiments, data storage or memories 110 may be housed remotely from one or more devices, and data may be stored in more than one memory 110.

[039] Data may be stored in and/or loaded from database 105 and/or memory 110 where it may be processed by processor 109. In some embodiments, some of the components shown in Fig. 1 may be omitted. For example, memory 110 may be a non-volatile memory having the storage capacity of database 105. Accordingly, although shown as a separate component, database 105 may be embedded or included in memory 110.

[040] First computing device 102 may be or include a cellular telephone, smart phone, a personal computer, a desktop computer, a mobile computer, a laptop computer, a terminal, a workstation, a server computer, a Personal Digital Assistant (PDA) device, a tablet computer, a network device, network telephone, automobile, unmanned aerial vehicle (drone), autonomous surface, marine or aerial vehicle or other device that may communicate over for example wired and/or wireless networks.

[041] First computing device 102 may include one or more device processors 112, one or more memory 114 units, one or more sensors 120, such as physical sensors (accelerometers, motion sensors, etc.), an electronic display 116 and an input device 118. Input device 118 may be or may include a mouse, a keyboard, microphone, a touch screen or pad, fingerprint reader, credit card reader, image or voice recorder, or any suitable input device. It will be recognized that any suitable number of input devices may be operatively connected to computing device 102. First computing device 102 may include one or more output devices such as displays, speakers and/or any other suitable output devices. It will be recognized that any suitable number of output devices may be operatively connected to computing device 102. Any applicable input/output (I/O) devices may be connected to computing device 102.

[042] Device 102 may include or be connected to one or more hardware components such as for example a SIM card, a memory storing a MAC address, an identification sensor or other hardware components 117. Device 102 may also store, execute and run one or more software components 119 such as applications, programs or other executable collections of instructions. One or more of such hardware components 117 and software components 119 may include one or more unique sets of identifications data that may have been embedded in such components 117 or 119 by a manufacturer, or that may have been input into or associated with such component 117 or 119 by a user, vendor or some other person. Software components 119 may include executable code, e.g., an application, a program, a process, task or script. Such executable code may be executed by processor 112 possibly under control of an operating system. Where applicable, the executable code may carry out operations described herein in real-time. First computing device 102 and the executable code of a software component 119 may be configured to update, process and/or act upon information at the same rate the information, or a relevant event, are received. Software components 119 may include any code segment designed and/or configured to perform tasks (e.g., an operating system) involving coordination, scheduling, arbitration, supervising, controlling or otherwise managing operation of computing device 102, for example, scheduling execution of programs.

[043] It should be noted that as used hereinafter, and in addition to its regular meaning, the term 'IPvX' may refer to Internet Protocol version 'X' (e.g., IPv6) as a version of the Internet Protocol (IP) as was developed by the Internet Engineering Task Force (IETF) to deal with the IPv4 address exhaustion. It should be noted that the destination address of the IPvX, unlike IPv6, has no limitation in bits; therefore the IPvX address created from the hardware and software markers, as specified herein, may be equal to or greater than 128 bits.

[044] It should be noted that the term Network Prefix (NP), in addition to its regular meaning, may refer to initial bits of an IPvX address that may be identical for all hosts in a network. The size in bits of an 'NP' may be separated with a "::/". For example, the network prefix of "2001:db8:ff00:42:8329::/64" is "2001:db8".

[045] It should be noted that the term 'markers' may, in addition to its regular meaning, refer to one or more of soft markers and hard markers, where soft markers may refer to software-related user identifiers, and hard markers may refer to hardware identifiers of one or more hardware components 117 associated with first computing device 102. Examples of soft markers may include biometric features of the user (e.g., fingerprints, facial recognition, voice recognition, etc.) as may have been collected and stored in one or more memories in or associated with first computing device 102. Additional examples of soft markers may include cookies, usage patterns (e.g., browser fonts, frequently-used apps, languages, screen lock pattern, etc.), barcodes (e.g., QR or other visual unique identifiers), online payment service programs, protocols and identifiers (such as those that may be used in, for example, a PayPal™ account, bank account, etc.), and location indicators such as those that may be detected and delivered using a location detection device such as a GPS sensor.

[046] In some embodiments, hardware markers may include identifiers (that may be unique or not unique), such as a media access control (MAC) address, a type and model of first computing device 102, a network card, international mobile equipment identity (IMEI), SIM number, credit card number or identifier, chassis ID of for example a car or other device, engine number, ECU, fuel card, or other identifier that may identify, authenticate or confirm an identity of first computing device 102 or a user of first computing device 102 to one or more other devices on the network. In some embodiments, one or more of such identifiers, hard markers and/or soft markers may be integrated with a MAC address and used as part of an IPvX identification process.

[047] It should be noted that the term 'Initial Key Store' (IKS) may refer to IPvX identifier by which first computing device 102 may be identified or derived in accordance with the IPvX protocol. In some embodiments, a first computing device 102 may be identified in a record of database 105 by, for example, "Initial Key Store" that may be derived in accordance with the IPvX protocol. Such record may be further associated with soft markers and/or hard markers that are connected to, installed on, or associated with the first computing device 102. Indication of all or some of Initial Key Store and indications of the hard markers and/or soft markers (as may be associated with the first computing device 102) may be stored in and/or associated with a record on database 105. In some embodiments, an Initial Key Store may be stored on database 105 upon a registration of first computing device 102 with the database 105 or with a program or application that may run or administer database 105.

[048] A device registration management system (DRMS) 100 may include software (e.g., executed by processor 112) to allow initial registration of first computing device 102 for an online service (e.g., bank account, payment service such as PayPal™, e-commerce account, electronic medical record, social network, etc.) in a network for identification purposes. The DRMS 100 may allow users (or subscribers) to log in to the service from registered computing devices. The DRMS 100 may include and/or may be associated with a management interface that allows adding or removing devices, and updating of device identifiers.

[049] Reference is now made to Fig. 2, which shows a flowchart for a method of indexing software and hardware identifiers of first computing device 102 and creating a key store for the authentication of first computing device 102, according to some embodiments of the invention. In block 200, a MAC address, and/or in some embodiments other unique network identifier, of first computing device 102 may be transmitted from first computing device 102 to for example a server processor 109 (e.g., as shown in Fig. 1). In some embodiments, the MAC address may be considered as a unique network identifier.

[050] In block 202, the server processor may calculate a unique identifier (e.g., IPvX) of the transmitted MAC address (or number) in accordance with the known IPvX protocol. In block 204, the server processor may store the calculated unique identifier as an Initial Key Store in a record of database 105. In block 206, one or more hard markers and/or soft markers (that may be installed in, running on and/or otherwise associated with device 102) may be transmitted to for example server processor 109 or database 105.

[051] In block 208, one or more of such hard markers and/or soft markers may be stored in or indexed in database 105 in one or more records associated with the IPvX identifier calculated for the MAC of first computing device 102. In block 210 a new network prefix (NP) may be calculated and associated with the record, such as the record on database 105 that is associated with first computing device 102. In block 212, a new key store may be calculated that may include or be derived from one or more of the Initial Key Store and one or more of the hard markers and soft markers that may have been associated with first computing device 102. It should be noted that such new key store may, in some embodiments, be referred to as "IPvX", although other names or designations may be used.

[052] Reference is now made to Fig. 3, which shows a flowchart of an authentication process, according to some embodiments of the invention. In block 300 a device may be logged into or otherwise connect with a system such as for example system 100 (e.g. as shown in Fig. 1). In block 302, a processor may request and receive from first computing device 102 one or more identifiers, such as for example a MAC address, from which may be derived an IPvX address, and one or more hard markers and one or more soft markers or other identifiers of components installed in or running on first computing device 102 (e.g., as shown in Fig. 1).

[053] In block 304, a server processor 109 may derive from the retrieved MAC address (or other identifier), an IPvX identifier using for example a standard IPvX protocol (e.g., IPv6). In block 306, the server processor may retrieve from database 105 the Initial Key Store that is associated with the MAC address. In block 308, the server processor may use one or more of the retrieved hard markers and/or soft markers, to calculate or derive an IPvX identifier. In block 310, the server processor may compare the IPvX identifier that was derived from the retrieved data, with the IPvX identifier that was stored on database 105.

[054] In blocks 312 and 314 the calculated IPvX identifier may be confirmed as present on database 105. In blocks 316 and 318, further hard markers and/or soft markers may be identified from first computing device 102 and used to derive an IPvX identifier that may be present in database 105 and associated with first computing device 102. In block 320, if no positive comparison is made, first computing device 102 may be logged out from a program or application, if for example its identification could not be confirmed and/or authenticated.

[055] In block 322, the first computing device 102 may be queried for a presence of more than one MAC address. In block 324, a program may log out the first computing device 102 if more than one MAC address or an external MAC address is detected.
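The registration flow of Fig. 2 (blocks 200-212) and the authentication flow of Fig. 3 (blocks 302-324), as an added example that is not code from the application or its assignee. The IPvX identifier is derived from the MAC with modified EUI-64 under an assumed 2001:db8::/64 prefix (the description's later example "211:22FF:fe33:4455" is the EUI-64 of MAC 00:11:22:33:44:55, so that MAC is used as the constructed sample); the key-store derivation from the IKS plus markers is left open by the description, and the SHA-256 digest used here is an assumption, as are the sample marker values and the `register_device`/`authenticate_device` names.

```python
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List

# Constructed sample values (not from the patent). The MAC is the one implied by the
# interface identifier 211:22ff:fe33:4455 that appears later in the description.
ROUTING_PREFIX = "2001:db8::"           # assumed /64 prefix for the IPv6-style identifier
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_HARD = {"H1": "5325688777"}      # IMEI-like hardware marker (constructed)
SAMPLE_SOFT = {"S1": "fp-template-v3"}  # biometric/software marker (constructed)


def mac_to_ipv6(mac: str, prefix: str = ROUTING_PREFIX) -> str:
    """Blocks 200-202: derive an IPv6 address from a MAC with modified EUI-64
    (RFC 4291): insert ff:fe between the OUI and the device bytes and flip the
    universal/local bit of the first octet."""
    octets = bytes.fromhex(re.sub(r"[:\-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02
    address = int(ipaddress.IPv6Address(prefix)) | int.from_bytes(eui64, "big")
    return str(ipaddress.IPv6Address(address))


def derive_key_store(iks: str, hard: Dict[str, str], soft: Dict[str, str]) -> str:
    """Block 212: new key store derived from the IKS plus the markers. The page leaves
    the derivation unspecified; a SHA-256 digest over a canonical encoding is an
    assumption chosen so the result is fixed-length and not reversible."""
    parts = [iks]
    parts += [f"H:{k}={v}" for k, v in sorted(hard.items())]
    parts += [f"S:{k}={v}" for k, v in sorted(soft.items())]
    return hashlib.sha256("\n".join(parts).encode()).hexdigest()


def register_device(db: Dict[str, dict], device_id: str, mac: str,
                    hard: Dict[str, str], soft: Dict[str, str]) -> str:
    """Fig. 2: store the IKS (block 204), the markers (block 208) and the derived
    key store (block 212) in one record keyed by the device id."""
    iks = mac_to_ipv6(mac)
    db[device_id] = {"iks": iks, "hard": dict(hard), "soft": dict(soft),
                     "key_store": derive_key_store(iks, hard, soft)}
    return iks


def authenticate_device(db: Dict[str, dict], device_id: str, reported_macs: List[str],
                        hard: Dict[str, str], soft: Dict[str, str]) -> bool:
    """Fig. 3: recompute the identifier from what the device presents now and compare
    it with the stored one (blocks 302-314). Blocks 322-324: a device reporting more
    than one MAC address is rejected."""
    record = db.get(device_id)
    if record is None or len(reported_macs) != 1:
        return False
    presented = derive_key_store(mac_to_ipv6(reported_macs[0]), hard, soft)
    # constant-time comparison so the check does not leak where the digests diverge
    return hmac.compare_digest(presented, record["key_store"])


if __name__ == "__main__":
    db: Dict[str, dict] = {}
    print(register_device(db, "phone-1", SAMPLE_MAC, SAMPLE_HARD, SAMPLE_SOFT))
    print(authenticate_device(db, "phone-1", [SAMPLE_MAC], SAMPLE_HARD, SAMPLE_SOFT))
    print(authenticate_device(db, "phone-1", [SAMPLE_MAC], {"H1": "0000000000"}, SAMPLE_SOFT))
```

A MAC address and most markers are readable by anyone with access to the device, so the stored digest is a device fingerprint rather than a secret; the comparison above should therefore be treated as one factor, with the logout on mismatch (block 320) and the multiple-MAC rejection (block 324) as the enforcement points the description provides.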

[056] In some embodiments, one or more of the functions as is shown to be executed in the flowchart of Fig. 3 may be included in a module that may be referred to as device identification management system (DIMS). In some embodiments, one or more of the blocks of Fig. 3 with execution of the functions comparing the calculated IPvX identifier as was derived from data retrieved from device 102, to the IPvX identifier that may be stored in database 105, may be performed by a module that may be referred to as a comparison process manager (CPM). In some embodiments, other names may also be used.

[057] Reference is now made to Fig. 4, which shows a flowchart for registration of computing device with corresponding key stores, according to some embodiments of the invention. The initial registration of device 400 may result in creation of an initial key store (IKS) if it is the first or only device, and n'th key store (KS(n)) if it is the n'th device registered for that particular service. Each device may have a unique IKS, so for any account, there may be a plurality of IKSs. In order to add a new device 400 to an online secured service as a master device, computing device 400 may need to login to the service. The DRMS may check 408 whether other computing devices 400 were defined as a master device and whether a local application is installed on computing device 400. If not, installing a local application on computing device 400 may be performed (Option 1, 406), or the system may require access to specific computing device 400 soft and hard markers (Option 2, 404). Then the DRMS may call for the device soft and hard markers through the local application installed on computing device 400, and may generate the unique IPvX 410 of this particular computing device 400. This IPvX may make the IKS 412 of the master device, and this IKS may be sent to the database 414.

[058] According to some embodiments, one of the devices used for accessing the online service may be defined in the DRMS as a master. The addition and/or removal of computing devices 102 may be performed through the master device. In some embodiments, defining a new master device may require user authentication by other techniques (e.g., security questions, calling a service rep, etc.).

[059] Reference is now made to Fig. 5, which shows a flowchart for adding and/or removing devices 102 from the DRMS, according to some embodiments of the invention. In order to add a new computing device 500 to an online secured service, computing device 500 may need to login to the service, in parallel the master device 504 may need to login to the service as well.

[060] The DRMS may check 508 whether a local application is installed on computing device 500. If not, a local application on device 500 may be installed (Option 1, 512), or the system may require access to specific computing device 500 soft and hard markers (Option 2, 510). In some embodiments, the DRMS may call for the computing device soft and hard markers through the local application installed on computing device 500, and may generate the unique IPvX 514 of this particular computing device 500. In some embodiments, the DRMS may send an approval request 516 to the master device. If request 516 is approved by the master device then IKS (of device 500) may be sent to the database 518. If request 516 is not approved by the master device then login of device 500 to the online service may be denied.
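The master-device rules of Figs. 4 and 5 (first device becomes master and its IPvX becomes the IKS; a new master requires other authentication per [058]; adding a device needs both logins and the master's approval 516 before the key store is stored 518), as an added example that is not the application's own code. The `DRMS`/`Account` classes, the `manually_authenticated` flag and the `master_approves` callback are assumptions; the IPvX value is taken as already generated (steps 410/514).

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Account:
    """One online-service account: at most one master device, and a key store per
    registered device (IKS for the first device, KS(n) for later ones)."""
    master: Optional[str] = None
    key_stores: Dict[str, str] = field(default_factory=dict)


class DRMS:
    """Device registration management restricted to the master-device rules of
    Figs. 4 and 5 (assumed class; the IPvX is passed in already generated)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register_master(self, user: str, device_id: str, ipvx: str,
                        manually_authenticated: bool = False) -> bool:
        """Fig. 4: the first device becomes the master and its IPvX becomes the
        IKS (412/414). Replacing an existing master needs out-of-band user
        authentication ([058]), represented here by `manually_authenticated`."""
        account = self.accounts.setdefault(user, Account())
        if account.master is not None and not manually_authenticated:
            return False
        account.master = device_id
        account.key_stores[device_id] = ipvx
        return True

    def add_device(self, user: str, device_id: str, ipvx: str, master_logged_in: bool,
                   master_approves: Callable[[str], bool]) -> bool:
        """Fig. 5: the account must have a master that is logged in, and the master
        must approve request 516; only then is the key store stored (518).
        Any other outcome denies the new device."""
        account = self.accounts.get(user)
        if account is None or account.master is None or not master_logged_in:
            return False
        if not master_approves(device_id):
            return False
        account.key_stores[device_id] = ipvx
        return True

    def is_registered(self, user: str, device_id: str) -> bool:
        account = self.accounts.get(user)
        return account is not None and device_id in account.key_stores


if __name__ == "__main__":
    drms = DRMS()
    print(drms.register_master("alice", "phone", "2001:db8::211:22ff:fe33:4455"))
    print(drms.add_device("alice", "laptop", "2001:db8::2", True, lambda d: True))
    print(drms.is_registered("alice", "laptop"))
```

The approval callback is where a real deployment would put the prompt shown on the master device; keeping it as a parameter makes the denial paths (no master, master not logged in, master declines) testable without any UI.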

[061] Reference is now made to Fig. 6, which shows the structure of an IPvX data packet 600, according to some embodiments of the invention. It should be noted that the term IPvX may refer to a memory packet 600 that may include a table or other collection of data associating at least one IPvX header with identification data stored in one or more software component 119 and/or hardware component 117 that may be installed in, running on or otherwise associated with a particular computing device 102. In some embodiments, IKS 601 of device 102 according to the IPvX protocol may include N number of bits, and no less than 128 bits. As a result, the corresponding IPvX destination address 602 may include at least 128 bits.

[062] Reference is now made to Fig. 7A, which shows an authentication process, according to some embodiments of the invention. In a first process the MAC Address 702, calculated IKS (e.g., for IPv6) 704, with software markers (S1...Sn) 710, and hardware markers (H1...Hn) 708 of computing device 102 may be stored in a lookup table 700 upon initial registration (by for example the DRMS). Upon detection of a user using computing device 102 to access a protected service, an authentication process may be initiated. The authentication process managed by the CPM may compare the MAC address 702 and a randomly or otherwise selected group of software and/or hardware markers of computing device 102 to the MAC address and software and/or hardware markers in the lookup table.

[063] Reference is now made to Fig. 7B, which shows another possible authentication process, according to some embodiments of the invention. In another example of a process, the MAC address 722, IKS (e.g., calculated for IPv6) 724, modified network prefix 'A' 728, modified network prefix 'B' 726, software markers (S1...Sn) 738, and hardware markers (H1...Hn) 740 of computing device 102 may be stored in a lookup table 720 upon initial registration (by for example DRMS). Network prefix 'A' 732 may refer to the first part of the IPvX network prefix 730 that was mathematically manipulated to include also a representation of the hardware markers 740 stored in the database 105. Network prefix 'B' 734 refers to the second part of the IPvX network prefix 730 that was mathematically manipulated (e.g., encrypted) to include also a representation of the software markers 738 stored in the database 105. In some embodiments, the mathematical manipulation may be any series of mathematical operations on the numerical representation of the hardware and software markers, 738 and 740, stored in the database 105.

[064] Reference is now made to Fig. 8, which shows an example for the indexing method in Fig. 7B, according to some embodiments of the invention. A mathematical manipulation 810 may be performed by an encryption engine, which may be part of DIMS 1102, on hardware markers (H1...Hn) 802 and software markers (S1...Sn) 804 of computing device 102.

[065] For instance, the IMEI (H1) of device 102, where its value in this example is 5325688777, may be encrypted by the encryption engine that applies in this example a mathematical manipulation of summing up the IMEI digits, where the product of this mathematical manipulation in this example may be '58'. Now in this example '58' becomes network prefix 'A'. Further in this example, S1 is a software marker 814 that may refer for instance to a biometric identifier of the user (e.g., fingerprints). The encryption engine in DIMS 1102 may apply a manipulation on S1, thereby producing a numerical output, for instance '87'. In this example network prefix "2001:DB8" may become after the encryption "58001:B887", and the modified IPvX in this case may be "58001:B887:0:0:211:22FF:fe33:4455".

[066] It should be noted that the modified IPvX is hereinafter referred to as IPvX. When a user uses computing device 102 to access a protected service, an authentication process may be initiated. The authentication process managed by the CPM may compare the IPvX that is stored in the database with the IPvX that is calculated for example in real-time from the software markers (S1...Sn) and hardware markers (H1...Hn) of computing device 102. The calculation of the IPvX may apply the same mathematical manipulation (e.g., encryption) on the software markers (S1...Sn) and hardware markers (H1...Hn) of computing device 102.
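The Fig. 8 example of [065] carried through in code, followed by the real-time recomputation and comparison of [066], as an added example that is not the application's own code. The IMEI value 5325688777 and its digit sum 58 are the page's; the S1 string is a constructed stand-in chosen so the same digit-sum rule yields the page's '87'; the page gives the inputs and the result "58001:B887" but not how the two outputs are spliced into "2001:DB8", so the splicing rule in `modified_ipvx` is an assumption chosen to reproduce that result.

```python
import hmac

# H1 is the IMEI from the description's own example ([065]); its digit sum is 58.
IMEI_H1 = "5325688777"
# The page only states that manipulating S1 yields 87; this value is constructed
# so that the same digit-sum rule produces 87.
BIOMETRIC_S1 = "9999999996"
# The IKS implied by the page's interface identifier (EUI-64 of MAC 00:11:22:33:44:55
# under prefix 2001:DB8), written with every hextet as in the page's example.
IKS = "2001:DB8:0:0:211:22FF:fe33:4455"


def digit_sum(marker: str) -> int:
    """The page's example manipulation: add up the marker's decimal digits."""
    return sum(int(c) for c in marker if c.isdigit())


def modified_ipvx(iks: str, h1: str, s1: str) -> str:
    """Fig. 8: fold the marker outputs into the network prefix. Assumed splicing
    rule, chosen to reproduce the page's "2001:DB8" -> "58001:B887": prefix 'A'
    replaces the leading hex digit of the first hextet, and prefix 'B' is appended
    to the second hextet with its leading hex digit dropped."""
    prefix_a = digit_sum(h1)  # 58 for the page's IMEI
    prefix_b = digit_sum(s1)  # 87 for the constructed S1
    hextets = iks.split(":")
    hextets[0] = f"{prefix_a}{hextets[0][1:]}"  # "2001" -> "58001"
    hextets[1] = f"{hextets[1][1:]}{prefix_b}"  # "DB8"  -> "B887"
    return ":".join(hextets)


def verify(stored_ipvx: str, iks: str, h1: str, s1: str) -> bool:
    """[066]: recompute the modified IPvX from the markers the device presents now
    and compare it with the stored value, in constant time."""
    return hmac.compare_digest(modified_ipvx(iks, h1, s1), stored_ipvx)


if __name__ == "__main__":
    stored = modified_ipvx(IKS, IMEI_H1, BIOMETRIC_S1)
    print(stored)                                      # 58001:B887:0:0:211:22FF:fe33:4455
    print(verify(stored, IKS, IMEI_H1, BIOMETRIC_S1))  # True
```

Two properties of the page's example manipulation are worth checking against before adopting it: a digit sum of a 10-digit marker has fewer than 100 possible outputs, so many different IMEIs map to the same prefix 'A' and will pass `verify`, and the sum is not one-way, so the stored prefix discloses the class of marker it came from. The description's "(e.g., encrypted)" leaves the manipulation open; a keyed hash (such as HMAC) of the marker, truncated to the prefix width, keeps the same comparison logic while removing both properties.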

[067] Reference is now made to Fig. 9, which shows a flowchart for an authentication method, according to some embodiments of the invention. In some embodiments, a unique network identifier of the computing device may be stored 910 in a memory. A first identifier of the computing device may be determined 920 by the processor, the first identifier being a function of the unique network identifier and data from at least one of a hardware component and a software component associated with the device.

[068] Data associated with the unique network identifier may be received 930 from the computing device, and receiving from the computing device the data from at least one of the hardware component and the software component associated with the device. A second identifier may be determined 940 by the processor, the second identifier being a function of the unique network identifier and of the data from at least one of the hardware component and the software component associated with the computing device. In some embodiments, the first identifier may be compared 950 by the processor to the second identifier.

[069] Reference is now made to Fig. 10, which shows a flowchart for authentication confirmation, according to some embodiments of the invention. If the resulting Key Store 1002 of IPvX 1006 (e.g., IPv6) matches the key store of the IPvX in the database 1004 then user and device authentication may be confirmed and/or validated.

[070] According to some embodiments, the authentication process, for example, as illustrated in Fig. 7A and/or Fig. 7B, may occur at a predetermined frequency. This frequency, amount and combination of software markers (S1...Sn) and hardware markers (H1...Hn) of computing device 102 may determine the level of security of a network or an online service. The authentication process, which may be managed by the CPM, may be performed simultaneously on multiple servers and/or virtual servers (e.g., with cloud computing), and/or CPUs in order to optimize the processing time. It should be noted that out of 'N' authentication processes of computing device 102, process 'i' (where i = 1...N) may be performed on server 'j' (where j = 1...m). In some embodiments, at least some parts of the authentication process may be performed on different servers. For example, calculating network prefix 'A' on one server, while calculating network prefix 'B' on another server, and comparing the IPvX of computing device 102 of process 'i' (where i = 1...N) with the IPvX that is stored in the database.

[071] Reference is now made to Fig. 11, which shows a block diagram of a device identification management system (DIMS), according to some embodiments of the invention. The DIMS 1112 may include for example one or more of the following components: DRMS 1102, IPvX calculator and encryption engine 1104, database 1106, and/or CPM 1108. In some embodiments, upon initial registration of computing device 102 the IKS may be calculated from or derived as a function of the MAC and then stored in database 105.

[072] It should be noted that an IPvX calculation may be required more than once (at initial registration) to verify user identity. A database may include hardware and software markers associated with computing device 102. Markers may be stored to allow efficient authentication process by the CPM such as through the following indexing processes for storing and retrieving hardware and/or software markers in the database. Other processes may also be possible.

[073] It should be noted that Figs. 12-15 illustrate the implementation of authentication, according to some embodiments of the invention, within a number of common architectures, so that with minimum changes network systems may benefit from adding multiple-layer security to protect the servers, and the software applications from unauthorized login.

[074] Reference is now made to Fig. 12, which schematically illustrates the structure of virtual machine architecture, according to some embodiments of the invention. The virtual machine (VM) or the DIMS may be installed on three layers: the DIMS 1220 may be installed on the server 1224 before server virtualization with the Hyper-Visor 1218 to protect the server layer, the DIMS 1216 may be installed on the Hyper-V 1218 to protect guest operating system (OS) 1214, and the DIMS 1212 may be installed on guest OS 1214 to protect selected applications 1208 and related data and/or libraries 1210.

[075] Reference is now made to Fig. 13, which schematically illustrates the structure of secure containers, according to some embodiments of the invention. In some embodiments, a container may be an alternative architecture to VM. In this example the DIMS may be installed on two layers: the DIMS 1314 may be installed on the server operating system 1316 before the docker 1308 to protect the server layer 1302, and/or the DIMS 1310 may be installed on top of the docker 1308 to protect selected applications 1306 and related data libraries 1312.

[076] Reference is now made to Fig. 14, which schematically illustrates the structure of Microsoft data center architecture, according to some embodiments of the invention. The DIMS may be installed on three layers: in the router system 1406 in order to provide better protection, installed directly in the access layer 1404, and/or installed under load balance with NLB or as part of the hardware cluster 1402 for maximum protection of data.

[077] Reference is now made to Fig. 15, which schematically illustrates the structure of Cisco secure data center architecture, according to some embodiments of the invention. The DIMS may be installed on four layers: the first layer may be under the data center core 1502, installed before the VDC in the Nexus 1504, the layer installed in a virtual private cloud VPC's 1506; and/or the layer may be installed as the last layer in the VSS directly 1508.

[078] According to some embodiments, the CPM may be a software module that may control a comparison process of key stores of a computing device with an IKS of the computing device. At one or more instances, multiple comparison processes may be performed for different services on the computing device and for different users that have different end-devices. The CPM may enable routing of comparison processes and IPvX calculations between multiple servers to optimize the processing time.

[079] In some embodiments, such routing may proceed on one or more of the following processes. Calculation of IPvX may proceed on a server that may be separate from the server that compares a KS(n) with an IKS(n). The calculation of IPvX and the comparison process may be done at different times on a same server. In some embodiments, various servers may be utilized for calculation and comparison to ensure that a frequency requirement of comparisons is met. Comparison of KS(n) with IKS(n) may be done on more than one server at a given time. For example, soft markers may be compared on a first server while hard markers may be compared on a different server.

[080] In some embodiments, one or all of the processes executed by the DIMS and/or the CPM may be executed on one, some or all of the packets that are delivered from computing device 102 over network 106 (e.g., as shown in Fig. 1) and retrieved by a processor associated with an embodiment of the invention. Such comparison may be part of or included in a process of authentication of an identity of computing device 102 from data included in or derived from packets delivered by such computing device 102. A frequency of authentication may be determined by and/or inputted by a user and/or administrator into for example a DIMS module. Such frequency may reflect a level or frequency of authentication strictness implemented on data received from computing device 102. In some embodiments, a number, or specific nature of the hard markers and soft markers that are retrieved from computing device 102 and subject to the calculation of the IPvX identifier may also be determined by an administrator or by some other user. For example, an authentication of packets from a device may be performed on every packet received from the device, on a periodic basis, on a random basis or with some other frequency. Hard markers may be retrieved only from for example a memory included in computing device 102 or from all or some of a memory, SIM card, IMEI card and/or other hardware installed in or on computing device 102. Soft markers may be retrieved from some or all of biometric data, passwords, program versions or other software in and/or on computing device 102.

[081] In some embodiments, an application or program on computing device 102 may push or deliver one or more hard markers and soft markers to processor, or processor may call for and/or pull one or more of such hard markers or soft markers from computing device 102 on a periodic or other basis.

[082] In some embodiments, an indication of authentication or confirmation of an identity and authorization of computing device 102 may be delivered or included in a signal to one or more other applications or services (such as for example, payment or transaction services, security services or other programs or stores of data that may be accessed).

[083] In some embodiments a user may register one or more computing devices 102 in a device registration management system (DRMS) or module. For example, a user may register his cellphone device 102 and a laptop or desktop device 102 with the DRMS and may associate the two devices with his user information. A registration of a device 102 may create an initial key store (IKS) for such computing device using for example a MAC address of such device, and may associate one or more soft markers and/or hard markers with the registered device to develop identifiers in a record of database 105. One of registered computing devices 102 for the user may serve as a master device 102, so that changes to the record on database 105, and/or adding of other computing devices 102 that may be associated with such computing device 102, may be authorized only if made by way of such device 102. Such addition of other computing devices 102 may require a separate process such as for example calling a sales representative or other manual authentication procedures.

[084] According to some embodiments, communication system 100 may allow anti-hacking protection of computing devices and/or networks, wherein a hacking attempt may be blocked if authentication fails (e.g., blocking the attack vector of the hacking attempt).

[085] Unless explicitly stated, the method embodiments described herein are not constrained to a particular order in time or chronological sequence. Additionally, some of the described method elements may be skipped, or they may be repeated, during a sequence of operations of a method.

[086] Various embodiments have been presented. Each of these embodiments may of course include features from other embodiments presented, and embodiments not specifically described may include various features described herein.