A method for updating a sensor system, the method including: performing at an update server side the steps of: retrieving a pre-shared sensor key associated with the sensor system, calculating a server signature based on update data and the retrieved sensor key, and transmitting the update data and the calculated server signature to the sensor system; and performing at the sensor system the steps of: receiving the update data and the calculated server signature, retrieving the pre-shared sensor key stored in a register, calculating a sensor system signature based on the update data and the pre-shared sensor key, comparing the sensor system signature with the server signature and processing the update data if the sensor system signature and the server signature are identical.

A method for updating a sensor system, the method including: performing at an update server side the steps of: retrieving a pre-shared sensor key associated with the sensor system, calculating a server signature based on update data and the retrieved sensor key, and transmitting the update data and the calculated server signature to the sensor system; and performing at the sensor system the steps of: receiving the update data and the calculated server signature, retrieving the pre-shared sensor key stored in a register, calculating a sensor system signature based on the update data and the pre-shared sensor key, comparing the sensor system signature with the server signature and processing the update data if the sensor system signature and the server signature are identical.

A method for secure access control to a data storage system for a host apparatus by means of an access control device, the method comprising: as part of a first mode of operation of the access control device, receiving user data from the host apparatus and transmitting it in unmodified or modified form to the data storage system for local storage; exchanging a first cryptographic secret with a computer system to enable encryption of data by the access control device in dependence on the first cryptographic secret; receiving a data read request for at least a portion of the user data stored in the data storage system; in response to the data read request, transitioning the access control device to a second mode of operation in which the access control device is configured to perform read access but not write or delete access to the data storage system; and in the second operating mode, retrieving user data requested according to the data read request from the data storage system, encrypting them using the first cryptographic secret (K) or a key derived therefrom according to a key generation rule and transmitting the user data encrypted in this way to a predetermined user data recipient; wherein the user data is processed as part of the method in such a way that the encrypted user data transmitted as part of the second operating mode represents information which can be extracted from it for the user data recipient and which represents an identity of the access control device and/or of the data storage system or allows a clear conclusion to be drawn therefrom.

Example methods and systems disclosed herein facilitate the introduction and use of client-specified object encryption within a computing environment using remote third-party storage systems, where data objects stored on the remote third-party storage systems were previously either stored in unencrypted form or encrypted with a single key tied to an account that owns the data. In some embodiments, the encryption is introduced into the system in gradual stages, so as to minimize or entirely eliminate data availability downtime. In some embodiments, the introduction of client-specified object encryption involves registration of a user function on the third-party storage system, where the user function handles object decryption in response to requests of content consumers for data objects stored by the third-party storage system.

Example methods and systems disclosed herein facilitate the introduction and use of client-specified object encryption within a computing environment using remote third-party storage systems, where data objects stored on the remote third-party storage systems were previously either stored in unencrypted form or encrypted with a single key tied to an account that owns the data. In some embodiments, the encryption is introduced into the system in gradual stages, so as to minimize or entirely eliminate data availability downtime. In some embodiments, the introduction of client-specified object encryption involves registration of a user function on the third-party storage system, where the user function handles object decryption in response to requests of content consumers for data objects stored by the third-party storage system.

Methods, systems and computer program products for improving performance of a cryptographic algorithm are described. First, data to be encrypted/decrypted is provided as input to the system. A primary key, or multiple keys (in case of asymmetric cryptography), is generated for the encryption/decryption process. The primary key consists of metadata as well as key blocks containing secondary keys. The metadata contains information explaining how the data will be handled from algorithmic structure to the base cryptographic scheme to be used. Further, the data is split and processed via relevant portions of the key blocks. Finally, the completed encrypted/decrypted data segments are combined in order to complete the process. The used process ensures higher performance as well as higher algorithmic entropy than comparable methods in literature or on the market.

Methods, systems and computer program products for improving performance of a cryptographic algorithm are described. First, data to be encrypted/decrypted is provided as input to the system. A primary key, or multiple keys (in case of asymmetric cryptography), is generated for the encryption/decryption process. The primary key consists of metadata as well as key blocks containing secondary keys. The metadata contains information explaining how the data will be handled from algorithmic structure to the base cryptographic scheme to be used. Further, the data is split and processed via relevant portions of the key blocks. Finally, the completed encrypted/decrypted data segments are combined in order to complete the process. The used process ensures higher performance as well as higher algorithmic entropy than comparable methods in literature or on the market.

Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Establishing secure communications by sending a server certificate message, the certificate message including a first certificate associated with a first encryption algorithm and a second certificate associated with a second encryption algorithm, the first certificate and second certificate bound to each other, signing a first message associated with client-server communications using a first private key, the first private key associated with the first certificate, signing a second message associated with the client-server communications using a second private key, the second private key associated with the second certificate, the second message including the signed first message, and sending a server certificate verify message, the server certificate verify message comprising the signed first message and the signed second message.

Techniques described herein relate to systems and methods of data storage, and more particularly to providing layering of file system functionality on an object interface. In certain embodiments, file system functionality may be layered on cloud object interfaces to provide cloud-based storage while allowing for functionality expected from a legacy applications. For instance, POSIX interfaces and semantics may be layered on cloud-based storage, while providing access to data in a manner consistent with file-based access with data organization in name hierarchies. Various embodiments also may provide for memory mapping of data so that memory map changes are reflected in persistent storage while ensuring consistency between memory map changes and writes. For example, by transforming a ZFS file system disk-based storage into ZFS cloud-based storage, the ZFS file system gains the elastic nature of cloud storage.