H04L2209/64

Method and system for digital rights management of documents
10382406 · 2019-08-13

An improved method and system for digital rights management is described.

Blockchain-assisted public key infrastructure for internet of things applications
10382485 · 2019-08-13

An approach is disclosed for registering and authenticating Internet of things (IoT) devices. In one embodiment, an installation device receives, from an IoT device, an identifier (ID) and a hash of a public key, where the IoT device itself generates the ID, the public key, and a private key. To register the IoT device, a blockchain wallet in the installation device generates a blockchain transaction which adds the received ID and hash of the public key as a name and value pair in a name/value storage (NVS). The hash of the public key may then be retrieved from the NVS and used in authentication of the IoT device to other IoT devices or servers, among other things.

Apparatus and Methods for Distributed Certificate Enrollment
20190238342 · 2019-08-01

An apparatus including a processor and a memory, where the processor and the memory are configured to provide a secure execution environment and the memory stores a hardware unique key and a class key. The processor is configured to recover, in the secure execution environment, a certificate signing key based on the class key, where the certificate signing key is associated with a certificate authority. The processor is further configured to derive a device key pair based on the hardware unique key, where the device key pair includes a device public key and a device private key, and generate a device certificate based on the device public key and the certificate signing key. The generated device certificate is configured to be validated based on a public key associated with the certificate authority.

USER AND DEVICE ONBOARDING

Various embodiments are directed to a system and method for establishing a secure communication pathway between a network-connected device and a computing platform. Such configurations encompass encrypting a device-specific installation package passed to the device using a device-generated cryptography key, verifying the identity of the computing platform at the device, encrypting a response message via a platform-generated cryptography key, transmitting the response message to the computing platform, verifying characteristics of the device via the response message, and establishing a secure communication platform upon verification of the device.

Method and apparatus for data connectivity sharing

A node enables sharing data connectivity between a consumer device and a broker device, and receives from a first packet routing node a request for a consumer authorization certificate. The request includes a subscriber identity. Based on the subscriber identity, the subscriber is authorized for sharing data connectivity, and a consumer authorization certificate is generated using a private encryption key associated with the node. The consumer authorization certificate includes the subscriber identity of the subscriber. The consumer authorization certificate is returned to the first packet routing node. A request for a data connectivity service for the subscriber is received from a second packet routing node. The request includes a consumer agreement certificate and a broker identity. The consumer agreement certificate is signed using a private key associated with the subscriber and includes the subscriber identity. The consumer agreement certificate is validated. A confirmation message is sent to the second packet routing node.

Protocol-independent multi-table packet routing using shared memory resource

A system and method for protocol independent multi-flow table routing includes a first flow table, a second flow table, and a shared hash table accessible by both the first flow table and the second flow table. Upon receipt of a packet, a first secure signature of a first lookup key is generated for the first flow table, and a second secure signature of a second lookup key is generated for the second flow table. The shared hash table stores both the first secure signature in association with a first value corresponding to the first secure signature, and the second secure signature along with a second value corresponding to the second secure signature. The first and second values indicate destination information for the packet.

SOURCING INFORMATION FOR A ZERO-KNOWLEDGE DATA MANAGEMENT NETWORK

The techniques herein are directed generally to a zero-knowledge data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data, all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key.

RECEIVING INFORMATION THROUGH A ZERO-KNOWLEDGE DATA MANAGEMENT NETWORK

The techniques herein are directed generally to a zero-knowledge data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data, all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key.

PERFORMING CONCEALED TRANSACTIONS USING A ZERO-KNOWLEDGE DATA MANAGEMENT NETWORK

The techniques herein are directed generally to a zero-knowledge data management network. Users are able to share verifiable proof of data and/or identity information, and businesses are able to request, consume, and act on the data, all without a data storage server or those businesses ever seeing or having access to the raw sensitive information (where server-stored data is viewable only by the intended recipients, which may even be selected after storage). In one embodiment, source data is encrypted with a source encryption key (e.g., source public key), with a rekeying key being an encrypting combination of a source decryption key (e.g., source private key) and a recipient's public key. Without being able to decrypt the data, the storage server can use the rekeying key to re-encrypt the source data with the recipient's public key, to then be decrypted only by the corresponding recipient using its private key.

Electronic system for convergent distribution of electronic digital certificates
12028465 · 2024-07-02

Systems, computer program products, and methods are described herein for the convergent distribution of electronic digital certificates. The present invention may be configured to generate electronic digital certificates associated with artifacts, store the electronic digital certificates on a distributed ledger, and record, on the distributed ledger, interests of the users in the electronic digital certificates. The present invention may be configured to receive a request from at least one user of the group of users to combine ownership of the electronic digital certificates. The present invention may be configured to generate, based on the request and based on the electronic digital certificates, a combined electronic digital certificate. The present invention may be configured to store the combined electronic digital certificate on the distributed ledger.