H04L2209/72

Randomized Transforms in a Dispersed Data Storage System
20220116215 · 2022-04-14

A method for execution by one or more modules of one or more processors of a storage network includes receiving a data object for storage, segmenting the data object into a plurality of data segments and determining a level of security and a level of performance for the plurality of data segments. The method continues by determining whether one or more data segments of the plurality of data segments is to be transformed using an all-or-nothing transformation and in response to a determination to transform one or more data segments of the plurality of data segments, transforming a data segment of the plurality of data segments to produce a transformed data segment. The method continues by dispersed error encoding the transformed data segment to produce a set of encoded data slices and transmitting the set of encoded data slices to a set of storage units of the storage network.

Cryptographic Lock-And-Key Generation, Distribution, and Validation
20220103351 · 2022-03-31

Cryptographic techniques are provided for generating, distributing, validating, and processing secure commands on different devices and/or peripherals. A control device generates and encrypts a key corresponding to a secure command using a private key of the control device to produce a key envelope. The control device further encrypts the key envelope with a recipient's public key, producing a recipient envelope. The recipient envelope is delivered to a recipient's device. The recipient's device decrypts the recipient envelope with a private key of the recipient's device, producing the key envelope. The key envelope is delivered back to the control device. The control device decrypts the key envelope, producing the key, validates the key, and processes a secure command on behalf of a secure resource or delivers the secure command to the secure resource for processing. In an embodiment, the control device maintains audit records/an audit trail, which is maintained on the control device.

System Access Using a Mobile Device

Techniques are disclosed relating to electronic security, e.g., for authenticating a mobile electronic device to allow access to system functionality (e.g., physical access to the system, starting an engine/motor, etc.). In some embodiments, a system and mobile device exchange public keys of public key pairs during a pairing process. In some embodiments, an asymmetric transaction process includes generating a shared secret using a key derivation function over a key established using a secure key exchange (e.g., elliptic curve Diffie-Hellman), and verifying a signature of the system before transmitting any information identifying the mobile device. In various embodiments, disclosed techniques may increase transaction security and privacy of identifying information.

Secure transport of content via content delivery service
11271750 · 2022-03-08

Devices and techniques for secure transmission of content over third-party networks are provided. Keys are established for secure transport of content between a source and recipient via a third party. The source generates a content package that includes an encrypted payload, and a payload handler. In some instances, the content package may also include user interface code for obtaining a secret from the recipient. The content package may be signed (e.g., the message content hashed and the result of the hash added to the content package). The content package is transmitted over a connection to a content delivery service for delivery to recipient(s) via another connection. The content delivery service receives the package and forwards the package to recipient(s) without decrypting the payload. A recipient receives the package from the content delivery service, validates the package and decrypts the payload. The payload may be presented to a display application.

Secure distributed information system
11184173 · 2021-11-23

A method of sharing encrypted data includes, by an electronic device, receiving a password from a user to perform an action, receiving a salt value, generating a user key using the password and salt value, receiving an encrypted key location identifier value, decrypting the encrypted key location identifier value to obtain a key location identifier, receiving an encrypted read token value, decrypting the encrypted read token value using the user key to obtain a read token value, and transmitting the read token value and the key location identifier to a server electronic device.

Systems, methods and devices for direct communication

Device to device (D2D) communication can be performed with packet data convergence protocol (PDCP) based encapsulation without internet protocol (IP) addressing. The non-IP D2D PDCP-encapsulated communication can further include two forms of secure data transfer. A first non-IP D2D PDCP-encapsulated communication can be a negotiated non-IP D2D PDCP-encapsulated communication. A second non-IP D2D PDCP-encapsulated communication can be a non-negotiated non-IP D2D communication. The non-negotiated non-IP D2D PDCP-encapsulated communication can include a common key management server (KMS) version and a distributed KMS version. The encapsulated communication can be used with various protocols, including a PC5 protocol (such as the PC5 Signaling Protocol) and wireless access in vehicular environments (WAVE) protocols.

System access using a mobile device

Techniques are disclosed relating to electronic security, e.g., for authenticating a mobile electronic device to allow access to system functionality (e.g., physical access to the system, starting an engine/motor, etc.). In some embodiments, a system and mobile device exchange public keys of public key pairs during a pairing process. In some embodiments, an asymmetric transaction process includes generating a shared secret using a key derivation function over a key established using a secure key exchange (e.g., elliptic curve Diffie-Hellman), and verifying a signature of the system before transmitting any information identifying the mobile device. In various embodiments, disclosed techniques may increase transaction security and privacy of identifying information.

Secure Distributed Information System
20210281418 · 2021-09-09

A method of sharing encrypted data includes, by an electronic device, receiving a password from a user in order to perform an action, receiving a salt value, generating a user key using the password and the salt value, receiving an encrypted key location identifier, decrypting the encrypted key location value to obtain a key location identifier, receiving an encrypted read token value, decrypting the encrypted read token value using the user key to obtain a read token value, and transmitting the read token value and the key location identifier to a server electronic device. The method includes, by the server electronic device, receiving the read token value and the key location identifier from the electronic device, verifying that the read token corresponds to information stored in a memory location associated with the key location identifier, and in response to verifying that the read token corresponds to information stored in the memory location associated with the key location identifier, transmitting an encrypted encryption key to the electronic device.

Embedding protected memory access into a RFID authentication process based on a challenge-response mechanism

An RFID tag (501), reader (502) and protocol allow a protected read operation in a two-step tag authentication with cipher-block cryptography. A challenge-response mechanism using a shared secret symmetric key (638) for tag authentication includes a challenge and information to read data from a tag's memory (637). The tag's response to the challenge-response mechanism includes the response to the reader's challenge and data from the tag's memory. A method embeds a protected write operation in a four-step reader authentication with cipher-block cryptography. The protocol allows a challenge-response mechanism using the shared secret symmetric key for reader authentication including a challenge and information to write data to the tag's memory. The reader's response to the challenge-response mechanism includes a response to the tag's challenge and data for writing to the tag's memory. Authenticated read and write data may be in plaintext, message authentication code (MAC)-protected, encrypted, or both encrypted and MAC protected.

Systems and methods for data management and the use of salts and keys in data encryption/decryption
11101982 · 2021-08-24

Methods and systems for encrypting sensitive information are disclosed comprising hashing sensitive information by a hash function and selecting a salt or key salt based, at least in part, on the hashed sensitive information. If a salt is selected, the selected salt is combined with the hashed sensitive information to yield combined sensitive information, which is encrypted and stored. If a key is selected, such as an AES key, for example, the sensitive information is encrypted by the selected encryption key, and stored. The keys and salts may be encrypted by a cryptographic processing system that generates and stores keys, such as a key management system and/or a hardware security module, for further protection. The salts may be concatenated into a binary large object prior to encryption. Methods and systems for updating of stored records comprising encrypted sensitive information are also described.