Patent classifications
H04L2209/76
METHOD AND SYSTEM FOR COOPERATIVE INSPECTION OF ENCRYPTED SESSIONS
The present invention is a computer system, such as a cooperator, which is coupled to a negotiator associated with one of the peers, a client (client computer) or a server (e.g., a server computer), of a Transport Layer Security (TLS)/Secure Sockets Layer (SSL) session and its associated handshake between the peers. The cooperator is configured such that it can obtain parts of the handshake between the peers without taking part in the handshake.
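What a cooperator that never joins the handshake can do with handshake parts handed over by the negotiator, as an added example that is not code from the patent: in TLS 1.2 the traffic keys are a deterministic function of the ClientHello random, the ServerHello random and the pre-master secret, so if the negotiator shares those three values, the cooperator reruns the RFC 5246 derivation and arrives at exactly the keys the peers use. Which handshake parts are shared, the TLS 1.2 / AES-128-GCM choice, and every type and function name below are assumptions of this example; the abstract does not specify them.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// HandshakeParts is what the negotiator hands to the cooperator. Which parts are
// shared is an assumption of this example (the abstract only says "parts of the
// handshake"); for TLS 1.2 these three values determine the traffic keys.
type HandshakeParts struct {
	ClientRandom    []byte // 32 bytes from ClientHello
	ServerRandom    []byte // 32 bytes from ServerHello
	PreMasterSecret []byte // e.g. the ECDHE shared secret, known only to the peers
}

// pHash is P_SHA256 from RFC 5246 section 5: the concatenation of
// HMAC(secret, A(i) + seed) with A(0) = seed and A(i) = HMAC(secret, A(i-1)).
func pHash(secret, seed []byte, n int) []byte {
	var out []byte
	a := seed
	for len(out) < n {
		m := hmac.New(sha256.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(sha256.New, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}

// prf is the TLS 1.2 PRF: P_SHA256(secret, label + seed).
func prf(secret []byte, label string, seed []byte, n int) []byte {
	return pHash(secret, append([]byte(label), seed...), n)
}

// SessionKeys are the AES-128-GCM write keys and the 4-byte implicit nonce salts
// (RFC 5288) cut from the key block.
type SessionKeys struct {
	ClientWriteKey, ServerWriteKey []byte
	ClientWriteIV, ServerWriteIV   []byte
}

// DeriveSessionKeys performs the RFC 5246 derivation an endpoint runs after the
// key exchange; note that the two randoms swap order between the two steps.
func DeriveSessionKeys(p HandshakeParts) SessionKeys {
	cs := append(append([]byte{}, p.ClientRandom...), p.ServerRandom...)
	sc := append(append([]byte{}, p.ServerRandom...), p.ClientRandom...)
	master := prf(p.PreMasterSecret, "master secret", cs, 48)
	kb := prf(master, "key expansion", sc, 40)
	return SessionKeys{
		ClientWriteKey: kb[0:16], ServerWriteKey: kb[16:32],
		ClientWriteIV: kb[32:36], ServerWriteIV: kb[36:40],
	}
}

// CooperatorMatchesPeer reports whether a cooperator holding only the shared
// handshake parts arrives at the peer's traffic keys, i.e. whether it can read
// the session without having taken part in the handshake.
func CooperatorMatchesPeer(peer SessionKeys, shared HandshakeParts) bool {
	c := DeriveSessionKeys(shared)
	return bytes.Equal(c.ClientWriteKey, peer.ClientWriteKey) &&
		bytes.Equal(c.ServerWriteKey, peer.ServerWriteKey) &&
		bytes.Equal(c.ClientWriteIV, peer.ClientWriteIV) &&
		bytes.Equal(c.ServerWriteIV, peer.ServerWriteIV)
}

// SampleParts returns constructed, fixed handshake values so a run is repeatable.
func SampleParts() HandshakeParts {
	return HandshakeParts{
		ClientRandom:    bytes.Repeat([]byte{0x11}, 32),
		ServerRandom:    bytes.Repeat([]byte{0x22}, 32),
		PreMasterSecret: bytes.Repeat([]byte{0x33}, 32),
	}
}

func main() {
	parts := SampleParts()
	peer := DeriveSessionKeys(parts) // what the negotiator's peer computes
	fmt.Println("cooperator matches peer:", CooperatorMatchesPeer(peer, parts))
	fmt.Println("client_write_key:", hex.EncodeToString(peer.ClientWriteKey))
}
```

The same split does not carry over unchanged to TLS 1.3, where the traffic secrets come from an HKDF schedule over the handshake transcript rather than from a pre-master secret; there the negotiator would have to hand over the handshake or traffic secrets themselves, the values that SSLKEYLOGFILE-style key logging exports.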
SECURE HANDLING OF CUSTOMER-SUPPLIED ENCRYPTION SECRETS
An application server sends the public key of an asymmetric key pair to a user system, which uses it to encrypt a user encryption secret that forms part of a first encryption key. The application server uses a second encryption key, provided by a key derivation server, to encrypt the private key of the asymmetric key pair, and then deletes the second encryption key so that it can no longer decrypt the user encryption secret it receives from the user system. On receiving the encrypted user encryption secret, the application server sends a request to the key derivation server to re-encrypt it. The key derivation server uses a key encryption secret to regenerate the second encryption key and decrypt the private key, uses the decrypted private key to decrypt the user encryption secret, and then re-encrypts the user encryption secret so that the application server cannot decrypt it.
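The key-handling sequence above carried through end to end, as an added example that is not code from the patent: the application server generates the key pair, wraps the private key under a second key obtained from the key derivation server and zeroes that key; the user system encrypts its secret to the public key; the KDS alone can regenerate the second key, unwrap the private key, recover the user secret and re-encrypt it under a key the application server never holds. RSA-OAEP as the asymmetric scheme, HMAC-SHA256 as the KDS key derivation, AES-256-GCM as the wrapping cipher, a KDS-held storage key for the re-encrypted secret, and all type and function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)
// randBytes returns n bytes from the OS CSPRNG; a failure there is fatal.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// mustGCM builds AES-GCM; every key used here is 32 bytes, so an error is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}
// seal encrypts with AES-256-GCM and prefixes the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key or a tampered blob fails authentication.
func open(key, blob []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
// KeyDerivationServer holds the key encryption secret the application server never sees, plus (an assumption) a storage key.
type KeyDerivationServer struct{ KeyEncryptionSecret, StorageKey []byte }
// SecondKey derives the second encryption key for one application-server key pair; HMAC-SHA256 over a per-pair salt stands in for the unspecified KDF.
func (k *KeyDerivationServer) SecondKey(salt []byte) []byte {
	m := hmac.New(sha256.New, k.KeyEncryptionSecret)
	m.Write(salt)
	return m.Sum(nil)
}
// AppServer retains only the public key, the salt and the wrapped private key.
type AppServer struct{ Pub rsa.PublicKey; Salt, WrappedPriv []byte }
// NewAppServer generates the key pair, wraps the private key under the second key from the KDS,
// then zeroes that key. (The plaintext private key merely goes out of scope here; a real system wipes it.)
func NewAppServer(kds *KeyDerivationServer) (*AppServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	salt := randBytes(16)
	secondKey := kds.SecondKey(salt)
	wrapped := seal(secondKey, x509.MarshalPKCS1PrivateKey(priv))
	for i := range secondKey {
		secondKey[i] = 0
	}
	return &AppServer{Pub: priv.PublicKey, Salt: salt, WrappedPriv: wrapped}, nil
}
// UserEncryptSecret runs on the user system with nothing but the public key.
func UserEncryptSecret(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}
// ReEncrypt runs on the KDS: re-derive the second key, unwrap the private key, decrypt the user secret, and seal it under the storage key the app server lacks.
func (k *KeyDerivationServer) ReEncrypt(app *AppServer, encSecret []byte) ([]byte, error) {
	der, err := open(k.SecondKey(app.Salt), app.WrappedPriv)
	if err != nil {
		return nil, err
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	secret, err := rsa.DecryptOAEP(sha256.New(), nil, priv, encSecret, nil)
	if err != nil {
		return nil, err
	}
	return seal(k.StorageKey, secret), nil
}

func main() {
	kds := &KeyDerivationServer{randBytes(32), randBytes(32)}
	app, err := NewAppServer(kds)
	if err != nil {
		panic(err)
	}
	enc, _ := UserEncryptSecret(&app.Pub, []byte("constructed user secret"))
	stored, err := kds.ReEncrypt(app, enc)
	fmt.Println("re-encrypted blob bytes:", len(stored), "err:", err)
}
```

The property worth checking is the negative one: after NewAppServer returns, nothing the application server still holds (public key, salt, wrapped private key) opens either the wrapped key or the re-encrypted secret, and a KDS with a different key encryption secret cannot unwrap the private key either.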
Encrypting and securing data with reverse proxies across frames in an on-demand services environment
In accordance with embodiments, there are provided mechanisms and methods for facilitating protection of data in a database environment in an on-demand services environment. In one embodiment, by way of example, a method includes detecting, by a first computing device in the database environment, sensitive data associated with a user having access to a second computing device, where the sensitive data is capable of being communicated within a geographic residency. The method may further include performing, by the first computing device, secured communication of the sensitive data between at least one of multiple computing devices and multiple application frames within the geographic residency, wherein the first computing device includes a proxy server that is locally situated within the geographic residency.
Orthogonal access control for groups via multi-hop transform encryption
Disclosed is an orthogonal access control system based on the cryptographic operations of multi-hop proxy re-encryption (PRE) that strictly enforces authorized-only access to data by groups of users and scales to large numbers of users. Decryption authority can be delegated to a plurality of members of a group, whether those members are users or devices, and members of a group can in turn create sub-groups and delegate decryption authority to their members, again users or devices. Members are granted access through the generation of transform keys, and membership or access can be revoked merely by deleting the transform key; no removal of the encrypted data, regardless of its storage location, is needed.
Encrypted data communication and gateway device for encrypted data communication
A gateway device between a first and a second communication network, both outside the gateway device, handles communication between a first device in the first network and a second device in the second network. When the gateway receives a communication request from the first device, directed to the second device, for performing a first cryptographic data communication protocol, the gateway determines whether that protocol is registered in the gateway device as unsafe and/or as safe, in particular whether it is safe against key reconstruction by a quantum computer. When the first protocol is not registered as unsafe and/or is registered as safe, the gateway device forwards the messages exchanged as part of that protocol between the first and second device. When the gateway determines that the first protocol is registered as unsafe and/or is not registered as safe, the gateway device executes the first cryptographic data communication protocol between the first device and the gateway device, and executes a second cryptographic data communication protocol, one that is not registered as unsafe and/or is registered as safe, between the gateway and the second device, so that the first and second protocols run sequentially to communicate data between the first and second device via the gateway device.
RENDERING CONTENT OF SERVICE PROVIDERS VIA WEB PAGE HAVING DYNAMICALLY-LOADED PLUGINS
A technique for rendering web content includes downloading a framework page from a framework server, the framework page including framework code which, when executed by a browser of a client machine, dynamically downloads a set of plugins from respective service providers. Each plugin includes its own plugin code configured to communicate with the respective service provider and with the framework code, to dynamically render web content specific to the service provider in the framework page running in the browser.
SYSTEMS AND METHODS FOR DATA TRANSMISSION
A method for decrypting an encrypted message in a cluster may be provided. The method may include generating, by a first private key generator, one or more system parameters and a master key using a security parameter of the cluster and a maximum depth of the identification vectors, the cluster including a first member and a second member. The method may also include generating, by the first private key generator, a private key of the first member. The method may further include generating, by a second private key generator, a private key of the second member based on the one or more system parameters, the identification vector of the first member, the private key of the first member, and an identification vector of the second member. The method may still further include decrypting the encrypted message using the private key of the first member or of the second member.
INFORMATION TRANSPARENCY CONTROL
An example operation may include one or more of connecting, by a broker node, to a blockchain comprised of an arranger node and a plurality of client nodes, retrieving from the blockchain, by the broker node, a request for information sent by a client node of the plurality of the client nodes, decrypting, by the broker node, the request for the information with a private key of the broker node, extracting, by the broker node, a public key of a client associated with the client node from the decrypted request for the information, selecting, by the broker node, a set of client properties based on the public key of the client, generating, by the broker node, a modified request for information based on the request for the information and the set of the client properties, and sending, by the broker node, the modified request for the information to the arranger node.
Pre-authorization of public key infrastructure
One embodiment provides a method for pre-authorizing public key infrastructure communication between entities, the method comprising: utilizing at least one processor to execute computer code that performs the steps of: determining if pre-authorization is required from a remote device to establish a communication channel between a first entity and a second entity; establishing a shared secret value between the first entity and the remote device; receiving, at the second entity, from the remote device, proof of pre-authorization, thereby pre-authorizing communication between the first and second entity, wherein the pre-authorization is based on the shared secret value; and storing the proof of pre-authorization for any subsequent communication with the first entity. Other aspects are described and claimed.
Authentication method, system and equipment
An identity authentication method includes sending, by a third-party application client, an operation request to a third-party application server, in response to receiving a first operation indication for requesting to perform a target operation, the operation request requesting the third-party application server to perform the target operation, and receiving, by the third-party application client, to-be-signed information from an authentication server via the third-party application server, in response to the operation request being sent, the to-be-signed information comprising a challenge random number. The method further includes forwarding, by the third-party application client, the to-be-signed information that is received, to intelligent hardware, and receiving, by the third-party application client, a first signature result from the intelligent hardware, the first signature result being obtained by signing the to-be-signed information that is forwarded, using an application private key corresponding to a third-party application.
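The challenge flow above with both ends implemented, as an added example that is not code from the patent: the authentication server issues to-be-signed information containing a challenge random number, the intelligent hardware signs it with the application private key, and the server verifies the first signature result against the application public key registered for the third-party application. ECDSA P-256 over SHA-256, the length-prefixed encoding, binding the requested operation into the signed bytes, and all type and function names are assumptions of this example; the third-party application client and server that only relay messages are collapsed into plain function calls.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// IntelligentHardware models the signing device: it holds the application
// private key and hands out only signatures, never the key.
type IntelligentHardware struct{ appKey *ecdsa.PrivateKey }
func NewIntelligentHardware() (*IntelligentHardware, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &IntelligentHardware{appKey: k}, err
}
// Sign produces the "first signature result": ECDSA P-256 over SHA-256 of the
// to-be-signed information exactly as the client forwarded it.
func (h *IntelligentHardware) Sign(toBeSigned []byte) ([]byte, error) {
	d := sha256.Sum256(toBeSigned)
	return ecdsa.SignASN1(rand.Reader, h.appKey, d[:])
}
// AppPublicKey is what the third-party application registered with the auth server.
func (h *IntelligentHardware) AppPublicKey() *ecdsa.PublicKey { return &h.appKey.PublicKey }

// AuthServer issues challenges and verifies signature results against the
// registered application public key; issued maps each outstanding challenge
// random number to the operation it was issued for.
type AuthServer struct {
	appPub *ecdsa.PublicKey
	issued map[string]string
}

func NewAuthServer(appPub *ecdsa.PublicKey) *AuthServer {
	return &AuthServer{appPub: appPub, issued: map[string]string{}}
}

// Challenge returns the to-be-signed information for an operation request: a
// 32-byte challenge random number followed by the length-prefixed operation
// (binding the operation into the signed bytes is this example's assumption).
func (s *AuthServer) Challenge(operation string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.issued[string(nonce)] = operation
	return encode(nonce, operation)
}

func encode(nonce []byte, operation string) []byte {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(operation)))
	return append(append(append([]byte{}, nonce...), l[:]...), operation...)
}

func decode(b []byte) (nonce []byte, operation string, err error) {
	if len(b) < 34 || len(b) != 34+int(binary.BigEndian.Uint16(b[32:34])) {
		return nil, "", errors.New("malformed to-be-signed information")
	}
	return b[:32], string(b[34:]), nil
}

// Verify checks one signature result: the nonce must be one this server issued
// and not yet consumed, the operation must match the one it was issued for, and
// the signature must verify under the application public key.
func (s *AuthServer) Verify(toBeSigned, sig []byte, operation string) error {
	nonce, op, err := decode(toBeSigned)
	if err != nil {
		return err
	}
	issuedFor, ok := s.issued[string(nonce)]
	if !ok {
		return errors.New("unknown or replayed challenge")
	}
	delete(s.issued, string(nonce)) // single use, even if a later check fails
	if op != operation || issuedFor != operation {
		return errors.New("operation does not match the challenge")
	}
	d := sha256.Sum256(toBeSigned)
	if !ecdsa.VerifyASN1(s.appPub, d[:], sig) {
		return errors.New("signature does not verify under the application key")
	}
	return nil
}

func main() {
	hw, err := NewIntelligentHardware()
	if err != nil {
		panic(err)
	}
	auth := NewAuthServer(hw.AppPublicKey())
	tbs := auth.Challenge("transfer") // auth server -> app server -> client
	sig, _ := hw.Sign(tbs)            // client forwards tbs to the hardware
	fmt.Println("first use:", auth.Verify(tbs, sig, "transfer"))
	fmt.Println("replay:", auth.Verify(tbs, sig, "transfer"))
}
```

Consuming the nonce before the remaining checks is deliberate: a signature result that fails for any reason must not leave the challenge reusable, and a signature over one operation must not authorise another even though the same application key signed it.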