Techniques disclosed herein encrypt sensitive data being transmitted from one endpoint to another endpoint through intermediary cloud(s) so that the sensitive data is not visible to the intermediary cloud(s). Double data encryption, utilizing public and private key pairs generated at the endpoints, is used to anonymize the sensitive data, while other data transmitted along with the sensitive data remains unencrypted so that intermediary cloud(s) can process the unencrypted data. In a particular embodiment, one of the endpoints is an application running in a first cloud, the other endpoint is a web browser executing a web application, and the intermediary cloud(s) are additional cloud(s) with applications running therein that provide services to the first cloud or coordinate with the application running in the first cloud to provide a service.

Embodiments are described for enhanced security in a switched network using RSA security between hops of a transmission path of a data frame from an origination node to a destination node, via one or more intervening switches. Each switch and node in a switched network can be configured for RSA security enabled or RSA security disabled. RSA security can be enabled, or disabled, for the whole network. RSA security can be enabled for all switches (but not nodes) or selectively enabled for switches. If two adjacent devices (nodes or switches) have RSA security enabled, then an RSA secure frame is generated to transmit data on that hop of a transmission path between an originating node and destination node. RSA encryption keys can be different for each hop on the transmission path. RSA token seeds can be regenerated periodically to increase the difficulty of learning an encryption key for any hop.

A computer implemented method of applying a unified search for a match of one or more features in a plurality of encrypted records, comprising using one or more processors of a server associated with a database comprising a plurality of encrypted records. The processor(s) is adapted for receiving a query for searching one or more plaintext features in the plurality of encrypted, searching for a match of the one or more plaintext features using a first search methodology and a second search methodology and outputting an indication of matching encrypted records according to the match. Wherein the second search methodology is asymptotically faster than the first search methodology and wherein the first search methodology is used for searching a subset of the plurality of encrypted records selected based on status indication associated with each encrypted record.

A device provides a one-time proof of knowledge about a one-time signing key to a server without revealing the one-time signing key by computing a hash as a hash function from the one-time signing key, and transmitting, to the server, the computed hash, an identity associated with the electronic device and a hash path of the hash. The server receives the message from the device and checks whether the hash corresponds to a one-time signing key for a root hash included in a public certificate associated with the identity, checks whether an index corresponding to the hash path from the one-time signing key to the root hash corresponds to a correct time slot, and determines it to be proven that the device is in possession of the correct one-time signing key when the checks are fulfilled.

A client provides a hash value that provides for a time-stamp for data upon verification, by deriving a one-time signing key, OTSK, of a OTSK hash chain by applying a time fraction hash tree splitting a time slot corresponding to an index into time fractions such that the time slot is divided into fractions according to the number of leafs of the time fraction hash tree, forming a signing request by applying the OTSK for the fraction for the data to calculate hash values, and transmitting the signing request comprising the hash values to a server of a signing authority. The server receives the signing request from the client, derives a time stamp for the data including a hash path of the time fraction hash tree as a sub-tree of hash tree of the OTSK, and transmits the time stamp for the data.

Described herein are a system and techniques for enabling biometric authentication without exposing the authorizing entity to sensitive information. In some embodiments, the system receives a biometric template from a user device which is encrypted using a public key associated with the system. The encrypted biometric template is then provided to a second entity along with a biometric identifier. Upon receiving a request to complete a transaction that includes the biometric identifier and a second biometric template, the second entity may encrypt the second biometric template using the same public key associated with the system and perform a comparison between the two encrypted biometric templates. The resulting match result data file is already encrypted and can be provided to the system to determine an extent to which the two biometric templates match.

Systems and methods to securely send or write data to a cloud storage or server. In one embodiment, a method includes: establishing a connection to a client using a client-side transport protocol; receiving, over the connection, data from the first client; decrypting, using a client session key, the received data to provide first decrypted data; encrypting the first decrypted data using a stored payload key (that is associated with the client) to provide first encrypted data; encrypting, using a cloud session key, the first encrypted data using a remote-side transport protocol to provide second encrypted data; and sending the second encrypted data to the cloud storage or server.

The messages established on a communication path between two nodes are increasingly encrypted. However, the devices present on the communication path may intervene to transport the messages and to read, edit or add data in the messages. It may also be desirable that only authorized devices can carry out these actions. In order to intervene on these data, it would be necessary that the devices on the communication path have available all the keys used by the nodes to encrypt and decrypt the data of the messages, which is difficult to envisage. A modification method enables a device, capable of intercepting a data message on a communication path between two nodes, to edit the data under the control of the nodes, while ensuring that a device cannot access the data edited by another device on the path.

Techniques for combining independent sessions between application(s) and a VPN, proxy service, or similar system, including inner protocol sessions (e.g., such as QUIC, etc.), coming from a single device to form a single logical session, where the single logical session could share a single authentication/authorization token are described. The techniques include receiving, from a device within a network, a request for a first application to access a service associated with the proxy service or the VPN, sending, to the device, a first authentication request, and receiving, from the device, a message including a token. The techniques may further include authenticating, by the proxy service or the VPN, the token using a unique identifier associated with the device and enabling, by the proxy service or the VPN, the device to access the service via a first session flow.

An apparatus in one embodiment comprises a processing platform having at least one processing device. The processing platform implements a trusted bridge configured for at least temporary coupling between one or more data sources and a smart contract program of a blockchain. The trusted bridge comprises a secure enclave component and a relay component. Data obtained from a given one of the data sources via the relay component of the trusted bridge is authenticated in the secure enclave component of the trusted bridge. Information based at least in part on the data authenticated in the secure enclave component of the trusted bridge is provided to the smart contract program of the blockchain via the relay component of the trusted bridge. The secure enclave component illustratively receives a request for authenticated data from the blockchain smart contract program via the relay component, and responds to the request via the relay component.