Patent classifications
H04L2209/76
METHODS AND SYSTEMS FOR PKI-BASED AUTHENTICATION
Methods, systems, and devices are provided for authenticating API messages using PKI-based authentication techniques. A client system can generate a private/public key pair associated with the client system and sign an API message using the private key of the private/public key pair and a PKI-based cryptographic algorithm, before sending the signed API message to a server system. The server system (e.g., operated by a service provider) can authenticate the incoming signed API message using a proxy authenticator located in a less trusted zone (e.g., a perimeter network) of the server system. In particular, the proxy authenticator can be configured to verify the signature of the signed API message using the public key corresponding to the private key and the same cryptographic algorithm. The authenticated API message can then be forwarded to a more trusted zone (e.g., an internal network) of the server system for further processing.
ESTABLISHING A CRYPTOGRAPHIC TUNNEL BETWEEN A FIRST TUNNEL ENDPOINT AND A SECOND TUNNEL ENDPOINT WHERE A PRIVATE KEY USED DURING THE TUNNEL ESTABLISHMENT IS REMOTELY LOCATED FROM THE SECOND TUNNEL ENDPOINT
A responder device receives, from an initiator device, a request to initiate a cryptographic tunnel between the initiator device and the responder device. The responder device does not include a static private key to be used in an asymmetric cryptography algorithm when establishing the tunnel. The responder device transmits a request to a key server that has access to the static private key and receives a response that is based on at least a result of at least one cryptographic operation using the static private key. The responder device receives from the key server, or generates, a transport key(s) for the responder device to use for sending and receiving data on the cryptographic tunnel. The responder device transmits a response to the initiator device that includes information for the initiator device to generate a transport key(s) that it is to use for sending and receiving data on the cryptographic tunnel.
Secure enclave implementation of proxied cryptographic keys
Techniques for employing a secure enclave to enhance the security of a system that makes use of a remote server that proxies cryptographic keys. In one technique, a proxy server receives a request for a cryptographic operation that is initiated by a client device. The request includes a key name of a cryptographic key and an authentication code. In response, the proxy server sends the authentication code and the request to a secure enclave that is associated with a cryptographic device that stores the cryptographic key. The secure enclave validates the authentication code based on a local key and sends, to the cryptographic device, (1) data associated with the secure enclave and (2) the cryptographic request. The proxy server receives result data that was generated by the cryptographic device that performs the cryptographic operation. The proxy server sends the result data to the client device.
Secure low-latency trapdoor proxy
A proxy system is installed on a computing device that is in the network path between the device and the Internet. The proxy system, residing on the computing device, decrypts and inspects all traffic going in and out of the computing device.
Multicast Encryption Scheme for Data-Ownership Platform
Disclosed herein are embodiments for implementing periodic management of cryptographic keys. An embodiment includes a processor configured to perform operations comprising receiving a first input associating a first set of subscribers with a first data stream published by a first publisher device, and a first cryptographic key. The processor may transmit, to the first publisher device, a first confirmation indicating that the first cryptographic key is ready for use, for example. In some embodiments, the processor may release the first cryptographic key to the first set of subscribers, receive a second input from a publishing user associating a different, second set of subscribers with the first data stream, and receive a second cryptographic key after a certain time period. The processor may further transmit, to the first publisher device, a second confirmation indicating that the second cryptographic key is ready for use, and release the second cryptographic key to the second set of subscribers.
Cloud storage using encryption gateway with certificate authority identification
Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.
LOCAL DEVICE AUTHENTICATION SYSTEM
Various embodiments are generally directed to providing a semi-local authentication scheme. A server can transmit one or more encryption mechanisms to a user device, which in turn can transmit the encrypted mechanisms to one or more secondary devices associated with the user device, where the user device and the secondary devices share a local connection. The secondary devices can decrypt the one or more encrypted mechanisms utilizing one or more decryption mechanisms supplied by the server, and then transmit the result of the decryption, e.g. decrypted codes, back to the user device, which in turn can then transmit a final decrypted code or codes to the server. Upon confirming receipt of the decryption from the user device, the server can authorize access (via the user device) to one or more devices, networks, applications, and/or components.
Method, System, and Computer Program Product for Network Bound Proxy Re-Encryption and Pin Translation
A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (g^a), the second value (g^a) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (m_i) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (m_i); generate, with the payment network, a public key (pk_i) based on the second value (g^a), the merchant product (M), and the random merchant number (m_i), and a random key (rk_i) based on the merchant product (M) and the random merchant number (m_i), for each respective merchant bank; and communicate, with the payment network, the public key (pk_i) and the random key (rk_i) to at least one respective merchant bank.
SECURE OVERLAY MULTICAST
A system and method for cryptographically securing data communications between a group of networked devices establishes and maintains an overlay network at the Application Layer, on top of a unicast routing service provided at the Internetworking Layer. The overlay network provides first, the routes that are used to deliver multicast datagrams and second, the cryptographic keys used to secure multicast datagrams. A common cryptographic key is established between all members of each group, and end-to-end encryption ensures that multicast datagrams can be accessed only by authorized group members. In other embodiments, keys are established between pairs of adjacent devices in the overlay network, and hop-by-hop encryption ensures that multicast datagrams can be accessed only by overlay network members.
Method, system, and computer program product for network bound proxy re-encryption and PIN translation
A method, system, and computer program product generate, with a payment network, a first value (a) and a second value (g^a), the second value (g^a) generated based on the first value (a) and a generator value (g); generate, with the payment network, a plurality of random merchant numbers (m_i) for a respective plurality of merchant banks; determine, with the payment network, a merchant product (M) based on a product of the plurality of random merchant numbers (m_i); generate, with the payment network, a public key (pk_i) based on the second value (g^a), the merchant product (M), and the random merchant number (m_i), and a random key (rk_i) based on the merchant product (M) and the random merchant number (m_i), for each respective merchant bank; and communicate, with the payment network, the public key (pk_i) and the random key (rk_i) to at least one respective merchant bank.