H04L2209/76

Methods and systems for secure sharing of data between user devices using a proxy re-encryption key (PRE)

Embodiments disclosed herein relate to cryptology, and more particularly to secure sharing of data objects stored in at least one cloud device between two user devices using the PRE. Embodiments herein disclose methods and systems for enabling a first user device to subscribe with a key server for uploading an encrypted data object to at least one cloud device using the PRE. Embodiments herein disclose methods and systems for allowing the first user device to share the encrypted data object stored in the at least one cloud device with a second user through the key server using the PRE.

Downloadable security and protection methods and apparatus

Methods and apparatus for control of data and content protection mechanisms across a network using a download delivery paradigm. In one embodiment, conditional access (CA), digital rights management (DRM), and trusted domain (TD) security policies are delivered, configured and enforced with respect to consumer premises equipment (CPE) within a cable television network. A trusted domain is established within the user's premises within which content access, distribution, and reproduction can be controlled remotely by the network operator. The content may be distributed to secure or non-secure “output” domains consistent with the security policies enforced by secure CA, DRM, and TD clients running within the trusted domain. Legacy and retail CPE models are also supported. A network security architecture comprising an authentication proxy (AP), provisioning system (MPS), and conditional access system (CAS) is also disclosed, which can interface with a trusted authority (TA) for cryptographic element management and CPE/user device authentication.

Agreement of exchange keys on the basis of two static asymmetric key pairs

A method for setting up a subscriber identity module for agreeing one or several exchange keys between a subscriber identity module and a provisioning server includes generating one or several exchange keys from keys of the provisioning server and of the subscriber identity module on a production server; the exchange keys are then transmitted into the subscriber identity module and stored, so that the subscriber identity module is put particularly into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.

Cryptographic Pseudonym Mapping Method, Computer System, Computer Program And Computer-Readable Medium
20220255743 · 2022-08-11

The invention is a cryptographic pseudonym mapping method for an anonymous data sharing system, the method being adapted for generating a pseudonymized database (DB) from data relating to entities and originating from data sources (DS_i), wherein the data are identified at the data sources (DS_i) by entity identifiers (D) of the respective entities, and wherein the data are identified in the pseudonymized database (DB) by pseudonyms (P) assigned to the respective entity identifiers (D) applying a one-to-one mapping. According to the invention, more than one, a number k of mappers (M_j) are applied, and the respective pseudonyms (P) are generated by sequentially performing, in a permutation of the mappers (M_j), a number k of mappings utilizing mapping cryptographic keys (h_ij) of the mappers (M_j) belonging to the particular data source (DS_i) on each encrypted entity identifier (C_i0) encrypted by the data source (DS_i). The invention is further a computer system realizing the invention, as well as a computer program and a computer-readable medium.

Method for performing verification by using shared key, method for performing verification by using public key and private key, and apparatus
11405780 · 2022-08-02

A method and an apparatus for performing verification using a shared key are disclosed. The method includes: receiving, by a first network element, a registration request message from a second network element, where the registration request message includes a user identifier, first network identifier information, and second network identifier information, the second network identifier information is obtained by processing the first network identifier information by using a shared key, and the shared key is a key used between the first network element and the second network element; verifying, by the first network element, the registration request message by using the shared key; and sending, by the first network element, a registration response message to the second network element. When receiving a registration request from a visited network, a home network verifies the registration request message by using a shared key, to avoid a spoofing attack from the visited network.

Secure data transmission method

In a secure end-to-end transmission of data between a first device and a second device via a message broker, the following are performed: a sharing of an entropy pool between the first device and the second device via the message broker, by means of signalling messages, any payload of which is encrypted asymmetrically and which comprise a message signature; and a transmission of subsequent messages between the first device and the second device via the message broker, each said subsequent message comprising a header and a payload, the header comprising an identifier of an authentication key obtained from the shared entropy pool and an identifier of a symmetrical encryption key obtained from the shared entropy pool, the payload being encrypted symmetrically by means of the symmetrical encryption key, and the whole formed by the header and the payload being authenticated by means of a message authentication code obtained by means of the authentication key and inserted in the header. Thus, the subsequent messages benefit from the non-repudiation afforded by the way in which the entropy pool was previously shared.

Secure low-latency trapdoor proxy

A proxy system is installed on a computing device that is in the network path between the device and the Internet. The proxy system, residing on the computing device, decrypts and inspects all traffic going in and out of the computing device.

Multi-layer navigation based security certificate checking

Generally discussed herein are devices, systems, and methods for secure cloud application provisioning. A method can include, while providing access to the cloud application, receiving data indicating a first universal resource locator (URL) entered in a search bar of a web browser associated with the cloud application has changed to a second URL, determining whether the second URL has a valid certificate, and in response to determining the second URL is associated with the cloud application and a valid certificate for the second URL exists, providing resources for the second URL and the valid certificate to the web browser or in response to determining the second URL is not associated with the application, re-directing the web browser away from the proxy server.

Shared secret implementation of proxied cryptographic keys
11418329 · 2022-08-16

Techniques for sharing secret key information in a system that includes a remote server that proxies cryptographic keys. In one technique, a proxy server receives, from a client device, a request for a cryptographic operation. The proxy server also receives, from the client device, secret key information that is associated with the request. Prior to the request, the proxy server did not have access to the secret key information. While storing the secret key information in memory of the proxy server, the proxy server sends the secret key information to a cryptographic device that stores one or more cryptographic keys. The proxy server does not store the secret key information in any persistent storage. The cryptographic device performs the cryptographic operation based on the secret key information.

LOCAL DEVICE AUTHENTICATION SYSTEM

Various embodiments are generally directed to providing a semi-local authentication scheme. A server can transmit one or more encryption mechanisms to a user device, which in turn can transmit the encrypted mechanisms to one or more secondary devices associated with the user device, where the user device and the secondary devices share a local connection. The secondary devices can transmit the one or more encrypted mechanisms utilizing one or more decryption mechanisms supplied by the server, and then transmit the result of the decryption, e.g. decrypted codes, back to the user device, which in turn can then transmit a final decrypted code or codes to the server. Upon confirming receipt of the decryption from the user device, the server can authorize access (via the user device) to one or more devices, networks, applications, and/or components.