Patent classifications
H04L2209/76
Secure enclave implementation of proxied cryptographic keys
Techniques for employing a secure enclave to enhance the security of a system that makes use of a remote server that proxies cryptographic keys. In one technique, a proxy server receives a request for a cryptographic operation that is initiated by a client device. The request includes a key name of a cryptographic key and a (e.g., authentication) code. In response, the proxy server sends the code and the request to a secure enclave that is associated with a cryptographic device that stores the cryptographic key. The secure enclave validates the code based on a local key and sends, to the cryptographic device, (1) data associated with the secure enclave and (2) the cryptographic request. The proxy server receives result data that was generated by the cryptographic device that performs the cryptographic operation. The proxy server sends the result data to the client device.
Multi-key, cloud-specific security
Techniques disclosed herein encrypt sensitive data being transmitted from one endpoint to another endpoint through intermediary cloud(s) so that the sensitive data is not visible to the intermediary cloud(s). Double data encryption, utilizing public and private key pairs generated at the endpoints, is used to anonymize the sensitive data, while other data transmitted along with the sensitive data remains unencrypted so that intermediary cloud(s) can process the unencrypted data. In a particular embodiment, one of the endpoints is an application running in a first cloud, the other endpoint is a web browser executing a web application, and the intermediary cloud(s) are additional cloud(s) with applications running therein that provide services to the first cloud or coordinate with the application running in the first cloud to provide a service.
Public key encrypted network printing
A network printing system comprising a user device to encrypt a print job using a public key of a user and to transmit the encrypted print job to a print server. The system may further comprise the print server to re-encrypt the encrypted print job using a re-encryption key. The system may further comprise the printer to decrypt the re-encrypted print job using a private key of the printer and print the decrypted print job.
Delegated signatures for smart devices
Data security is provided in the form of a method for digitally signing a data message. A client device issues a signature request to a server and generates a first signature part as functions of selected ones of first signature parameters. It then receives from the server a second signature part, said second signature part having been computed by the server as functions of second signature parameters and at least one of the first signature parameters. The client device then attempts to verify components of the second signature part and generates a final digital signature of the message only if the components of the second signature part are valid. Part of the computational effort of creating the signature is thus offloaded to the server, even though the server may not be fully trusted.
ZERO TRUST AUTHENTICATION
Systems and methods are disclosed for zero trust authentication. In certain embodiments, a method may comprise providing, from a client computing system to an identity provider (IdP) authority, an authentication nonce value generated by hashing a random value along with a public key of the client computing system, and receiving, at the client computing system from the IdP authority, an authorization token including the authentication nonce value signed by a secret key of the IdP authority. The method may further comprise providing a message including the authorization token from the client computing system to a target computing system via an intermediary co-signer (ICS) configured to authenticate the message.
Security plugin for a system-on-a-chip platform
Systems and techniques for a System-on-a-Chip (SoC) security plugin are described herein. A component message may be received at an interconnect endpoint from an SoC component. The interconnect endpoint may pass the component message to a security component via a security interlink. The security component may secure the component message, using a cryptographic engine, to create a secured message. The secured message is delivered back to the interconnect endpoint via the security interlink and transmitted across the interconnect by the interconnect endpoint.
Privacy-preserving image distribution
Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.
RE-ENCRYPTION DEVICE, RE-ENCRYPTION METHOD, COMPUTER READABLE MEDIUM, AND CRYPTOGRAPHIC SYSTEM
An encryption device (50) generates a ciphertext. A master re-encryption key generation device (40) generates a master re-encryption key that cannot decrypt a ciphertext generated by the encryption device (50), but can generate a re-encryption key for changing an access range for a ciphertext generated by the encryption device (50). A re-encryption device (60) generates a re-encryption key for re-encrypting a target ciphertext generated by the encryption device (50), using the master re-encryption key, and re-encrypts the target ciphertext to generate a re-encrypted ciphertext, using the generated re-encryption key.
SERVER-ASSISTED PRIVACY PROTECTING BIOMETRIC COMPARISON
Described herein are a system and techniques for enabling biometric authentication without exposing the authorizing entity to sensitive information. In some embodiments, the system receives a biometric template from a user device which is encrypted using a public key associated with the system. The encrypted biometric template is then provided to a second entity along with a biometric identifier. Upon receiving a request to complete a transaction that includes the biometric identifier and a second biometric template, the second entity may encrypt the second biometric template using the same public key associated with the system and perform a comparison between the two encrypted biometric templates. The resulting match result data file is already encrypted and can be provided to the system to determine an extent to which the two biometric templates match.
Database encryption
The present approaches generally relate to the encryption of data within a database in such a way that the encrypted data may still be easily accessed and utilized by an application. The present approach provides the ability to encrypt and decrypt data at an application layer though the data remains in an encrypted state at the database layer and when in transit.