A system and method for encrypting metadata in a communication system, including defining paths from a source node to a destination node through intermediate nodes and anchor nodes; dividing messages and sending a portion in each path by: dividing the path into sub-paths, where each two contiguous sub-paths are connected by an anchor node; calculating a secret value including a list of nodes of a first sub-path and an encrypted form of a remaining portion of the path; calculating a first random point on a linear line connecting a first metadata share of a symmetric key of the source node and a first intermediate node, and a metadata share including a second x-value of the symmetric key of the source node and the first intermediate node in the path and the secret value; and sending the portion together with the first random point to the first intermediate node.

Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for hop-by-hop security. A proposed method comprises receiving, at a first apparatus and from a second apparatus associated with a first network function, a message directed from the first network function to a second network function, the message comprising a first signature and network function information, the network function information at least comprising identification information of the first network function; in accordance with a successful validation of the first signature, updating the message with a second signature specific to a service communication proxy implemented by the first apparatus; and transmitting the updated message to a third apparatus associated with the second network function, the updated message comprising at least the second signature and the network function information.

A method for performing an operation according to one embodiment includes performing a homomorphic operation using one or more ciphertexts that are homomorphically encrypted based on an encryption key, determining a count value for a ciphertext generated through the homomorphic operation based on count values for each of the one or more ciphertexts, requesting a key management apparatus, which holds the encryption key and a decryption key corresponding to the encryption key, to re-encrypt the generated ciphertext based on the determined count value, acquiring, from the key management apparatus, a ciphertext generated by re-encrypting the generated ciphertext through decryption based on the decryption key and encryption based on the encryption key; and determining a count value for the acquired ciphertext to be a preset initial value.

A proxy hardware security module (HSM) is disclosed, useable with an existing HSM for expansion of key storage for the HSM. The proxy HSM receives a signing request that is targeted to the HSM, and retrieves a wrapped version of a signing key from a storage location separate from the HSM. The proxy HSM provides the wrapped signing key to the HSM, and provides the signing request to the HSM. Upon receipt of a response to the signing request indicating successful execution of a signing operation by the HSM, the proxy HSM transmits a key destroying request to the HSM, and a confirmation message to the device from which the signing request was received. Upon completion of the signing request, the HSM does not retain the signing key.

An Internet infrastructure delivery platform (e.g., operated by a service provider) provides an RSA proxy “service” as an enhancement to the SSL protocol that off-loads the decryption of the encrypted pre-master secret (ePMS) to an external server. Using this service, instead of decrypting the ePMS “locally,” the SSL server proxies (forwards) the ePMS to an RSA proxy server component and receives, in response, the decrypted pre-master secret. In this manner, the decryption key does not need to be stored in association with the SSL server.

An encoding of a cryptographic key is obtained in a form of an encrypted key. Request is provided to a service provider including a fulfillment involving performing a cryptographic operation on data. Upon fulfillment of the request, a response is then received which indicates the fulfillment of the request.

The invention relates to a method and an apparatus for encrypted communication between a client and a server, wherein the communication comprises request messages, each with request elements, and response messages, each with response elements. Request elements and response elements can comprise data. It is an object of the invention to hamper or prevent unauthorized access to the data during communication and also during storage and processing on the server. In this case, it is assumed that the communication channel and also the server itself are not trustworthy and neither client nor server provide measures or are adaptable in order to counter said risks of unauthorized access, for example by means of cryptographic methods. The invention achieves this object by virtue of a first request message being received from a client, being broken down into request elements, and at least one request element being encrypted on the basis of a predetermined configuration, encrypted request elements being combined with unencrypted request elements to form a second response message, and being finally transmitted to the server; a first response message is then received from the server, broken down into response elements, and at least one request element is encrypted on the basis of a predetermined configuration, the encrypted request element is combined with unencrypted request elements to form a second request message, and is finally transmitted to the server; a first response message is received from the server, broken down into response elements, response elements that need to be decrypted are determined and decrypted, decrypted response elements are combined with unaltered, unencrypted response elements to form a second response message, and are finally transmitted to the client. The invention also presents an apparatus for encrypting communication between the client and the server, wherein the apparatus is arranged between the client and the server and wherein the apparatus is set up to perform the steps of said method for encrypted communication between the client and the server.

A security module securely manages keys. The security module is usable to implement a cryptography service that includes a request processing component. The request processing component responds to requests by causing the security module to perform cryptographic operations that the request processing component cannot perform due to a lack of access to appropriate keys. The security module may be a member of a group of security modules that securely manage keys. Techniques for passing secret information from one security module to the other prevent unauthorized access to secret information.

Embodiments of the present invention include determining whether a cryptographic certificate can be trusted. A cryptographic certificate is received at a client device. The client device performs a first check on a first set of attributes of the cryptographic certificate. In addition, the client device sends the cryptographic certificate to a central verification server, which performs a second check on a second set of attributes of the cryptographic certificate. In the case that the first set of attributes passes the first check, and the second set of attributes passes the second check, the client device determines that the cryptographic certificate can be trusted.

A virtual smart card service corresponds to an execution of a smart card application. A key is stored at a server side. Application metadata is used to emulate a smart card application logic. The method comprises: processing, by a client, the smart card application logic; running the smart card application while retrieving smart card data from the smart card application logic; identifying key operation within the smart card application; generating a key operation request by using the identified key operation and data relating to the client; sending to the server the key operation request; processing, by the server, the key operation request by using the key and client data; getting a key operation result from the identified key operation on the client data; and sending to the client the key operation result.