An application server sends a public key from an asynchronous key-pair to a user system to encrypt a user encryption secret that forms part of a first encryption key. The application server uses a second encryption key provided by a key derivation server to encrypt a private key from the asynchronous key-pair. The application server then deletes the second encryption key to prevent decryption of the user encryption secret received from the user system. The application server receives the encrypted user encryption secret from the user system and sends a request to the key derivation server to re-encrypt the user encryption secret. The key derivation server uses a key encryption secret to generate the second encryption key and decrypt the private key. The key derivation server uses the decrypted private key to decrypt the user encryption secret and then re-encrypts the first encryption secret to prevent decryption by the application server.

In an encryption authentication system, a service server transmits the third encryption information to a user terminal, in a case where the service server receives a request from the user terminal. The user terminal calculates fourth encryption information and transmits the fourth encryption information to an encryption server. The encryption server and the calculation server cooperate with each other to calculate encryption information as a collation target and transmit the encryption information to the service server. The service server obtains a coincidence degree between the first plaintext information included in the encryption information as the collation target and the second plaintext information, by a collation function using a third encryption key and a second encryption key used to calculate registration encryption information, and transmits an authentication result corresponding to the coincidence degree to the user terminal.

Techniques for exporting remote cryptographic keys are provided. In one technique, a proxy server receives, from a secure enclave of a client device, a request for a cryptographic key. The request includes a key name for the cryptographic key. In response to receiving the request, the proxy server sends the request to a cryptographic device that stores the cryptographic key. The cryptographic device encrypts the cryptographic key based on an encryption key to generate a wrapped key. The proxy server receives the wrapped key from the cryptographic device and sends the wrapped key to the secure enclave of the client device.

A device may determine that a network function of a network is to use a secure communication protocol. The network function may be configured to facilitate communication via the network. The device may identify a component of a resource configuration that is to instantiate the network function. The device may instantiate, using the component, a proxy for the network function. The device may configure the proxy to obtain a certificate that is associated with the secure communication protocol. The device may cause the proxy to use the certificate to communicate with another proxy that is associated with the network function to perform an operation associated with the network function.

An infrastructure delivery platform provides a proxy service as an enhancement to the TLS/SSL protocol to off-load to an external server the generation of a digital signature, the digital signature being generated using a private key that would otherwise have to be maintained on a terminating server. Using this service, instead of digitally signing (using the private key) “locally,” the terminating server proxies given public portions of ephemeral key exchange material to the external server and receives, in response, a signature validating the terminating server is authorized to continue with the key exchange. In this manner, a private key used to generate the digital signature (or, more generally, to facilitate the key exchange) does not need to be stored in association with the terminating server. Rather, that private key is stored only at the external server, and there is no requirement for the pre-master secret to travel (on the wire).

Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication. In this way, there is no need for a cloud-based system to separately maintain and manage a user identity management system and/or having to sync with an on-premises identity management system.

Some embodiments enable distributing data (e.g., recorded video, photographs, recorded audio, etc.) to a plurality of users in a manner which preserves the privacy of the respective users. Some embodiments leverage homomorphic encryption and proxy re-encryption techniques to manipulate the respective data so that selected portions of it are revealed according to an identity of the user currently accessing the respective data.

A computer-implemented method includes: receiving, by a computing device, a request from a requester; determining, by the computing device, one or more delegates that are currently capable of handling the request; sending, by the computing device, a request package to each of the one or more delegates, the request package including an authentication challenge; receiving, by the computing device, a solution to the authentication challenge from a supplier, the solution being provided by a particular delegate of the one or more delegates; determining, by the computing device, the solution to the authentication challenge is valid; and instructing, by the computing device and in response to determining the solution to the authentication challenge is valid, the particular delegate to proceed with handling the request.

Provided is a method for testing if a candidate data element, belongs to a list of reference data elements, performed by a client device (102) and comprising the steps of generating an encrypted candidate data element (y′) by encrypting said candidate data element (x′) with a leveled fully homomorphic encryption scheme, transmitting said encrypted candidate data element (y′) to a server device (103), storing said reference data elements (x.sub.i) receiving, from said server device, a delta value depending on a product of differences, decrypting said delta value with said leveled fully homomorphic encryption scheme, based on said decrypted delta value, determining whether said candidate data element (x′) belongs to said list of reference data elements (x.sub.i). Other embodiments disclosed.

A method for checking the identity of a reference individual, the method comprising the following steps, implemented by a checking device: selecting terminals respectively associated with individuals forming part of a set of individuals whose identities are intended to be checked by the checking device, the individual forming part of the set of individuals; sending, to each of the selected terminals, an input datum associated with the reference individual and a request asking the terminal to implement a first cryptographic processing operation producing an output datum from the input datum and from a private key specific to the individual associated with the terminal; receiving each output datum; and implementing a second cryptographic processing operation producing a check result relating to the reference individual from each output datum.