H04L2209/76

Verifying and enforcing certificate use

A method, system, and computer usable program product for verifying and enforcing certificate use are provided in the illustrative embodiments. A certificate is received from a sender. The certificate is validated before communicating a message associated with the certificate to a receiver. If the certificate is invalid, a policy is selected based on a type of invalidity of the certificate. An action is taken to enforce the policy for using the certificate. The certificate may be received from the sender at a proxy. The validating may further include verifying the validity of the certificate using a certificate from a certificate database accessible to the proxy over a network. The proxy may copy a part of the certificate database to a second certificate database local to the proxy. The validating may further include verifying the validity of the certificate using a certificate revocation list accessible to the proxy over a network.

Cryptographic service with output redirection

A method is provided for redirecting signed code images. The method includes the steps of receiving a code image from an origin device at a proxy machine, invoking a code signing client at the proxy machine, receiving signing request information indicating a requested cryptographic operation, sending a code signing request to a code signing server, receiving a signed code image at the code signing client from the code signing server, storing the signed code image in a restricted memory, invoking a software repository client at the proxy machine, and sending the signed code image from the restricted memory location to a software repository.

Securely transporting data across a data diode for secured process control communications

Securely transporting data across a unidirectional data diode interconnecting a process plant to a remote system includes provisioning, using join key material, a sending device at the plant end of the diode with a receiving device at the remote end. The join key material is used to securely share network key material that is used to encrypt/decrypt messages or packets that are transported across the diode and whose payload includes plant-generated data. The shared network key material is recurrently updated or re-set using the join key material, and the recurrence interval may be based on a tolerance for lost data or other characteristic of an application, service, or consumer of plant data at the remote system.

Cryptographic key escrow

An escrow platform is described that can be used to enable access to devices. The escrow platform can be used to sign cryptographic network protocol challenges on behalf of clients so that the secrets used to sign cryptographic network protocol challenges do not have to be exposed to the clients. The escrow platform can store or control access to private keys, and the corresponding public keys can be stored on respective target platforms. A client can attempt to access a target platform and in response the target platform can issue a challenge. The client platform can send the challenge to the escrow platform, which can use the corresponding private key to sign the challenge. The signed challenge can be sent back to the client, which can forward it to the target platform. The target platform can verify the expected private key and grant access.

DATA PROCESSING METHOD, DEVICE AND SYSTEM, AND STORAGE MEDIUM
20190109828 · 2019-04-11

Data processing method, device and system, and a storage medium are provided. The method includes: performing handshaking operations with a data provider and a data consumer respectively, to send a first key to the data provider and the data consumer respectively; acquiring, from the data provider, first encrypted data, information encrypted by the first key and algorithm call information, wherein the information encrypted by the first key is related to the first encrypted data; processing the first encrypted data based on the information encrypted by the first key and the algorithm call information to obtain second encrypted data; and outputting the second encrypted data to the data consumer.

Method, apparatus, system and non-transitory computer readable medium for code protection

A code protection method may include storing, using a processor of a computer, a package file that includes files for an application on a storage device of the computer; transforming, at the processor, a protection target method and/or function selected from a file that includes an execution code among the files, or converting or deleting a library file among the files; regenerating the package file by adding, to the package file, a first protection module file for restoring the transformed protection target method and/or function or a second protection module file for restoring the library file; and providing the regenerated package file over a network.

ENCRYPTED SELF-IDENTIFICATION USING A PROXY SERVER
20190103970 · 2019-04-04

Some database systems may implement encrypted connections to improve the security of incoming server traffic. The systems may implement the encrypted connections using encryption keys known to both a proxy server and a server (e.g., a database server). For example, a proxy server may encrypt one or more communications between the proxy server and a user device, such as self-identifying information for the user device, using a known encryption key. The user device may, in turn, attempt to establish an encrypted connection with the server using the encrypted communications. Because the encryption key is known to both the server and the proxy server, the server may decrypt the encrypted communications and subsequently establish an encrypted connection with the user device based on the decrypted communications.

Systems and Methods for Authenticating a Biometric Device Using a Trusted Coordinating Smart Device
20190102532 · 2019-04-04

Systems and methods for authenticating a biometric device using a trusted coordinating smart device in accordance with embodiments of the invention are disclosed. In one embodiment, a process for enrolling a configurable biometric device with a network service includes obtaining a device identifier (ID) of the configurable biometric device using a coordinating smart device, communicating the device ID from the coordinating smart device to a network service, communicating a first challenge based on a challenge-response authentication protocol from the network service to the coordinating smart device, communicating the first challenge and a response uniform resource locator (URL) from the coordinating smart device to the configurable biometric device, generating a first response to the first challenge and communicating the first response to the network service utilizing the response URL, receiving a secure channel key by the coordinating smart device from the network service, communicating the secure channel key from the coordinating smart device to the configurable biometric device, performing a biometric enrollment process using the configurable biometric device including capturing biometric information from a user, and creating a secure communication link between the configurable biometric device and the network service using the secure channel key when the first response satisfies the challenge-response authentication protocol.

SECURE REMOTE AGGREGATION

The invention relates to a method for aggregation of a performance indicator of a device comprising the steps of: concatenating a respective first data item to a plurality of second data items in the device; encrypting the plurality of concatenated second data items relevant for computing the performance indicator using a first encryption key in the device, wherein the first encryption key is based on an additive homomorphic encryption scheme; sending the encrypted concatenated second data items to a computation cluster; computing the performance indicator on the computation cluster using the encrypted concatenated second data items and computing an aggregate value regarding the performance indicator by summing up the encrypted concatenated second data items; sending the aggregate value to a server of a service provider of the device; decrypting the aggregate value using a second encryption key on the server of the service provider; and verifying the decrypted result by checking whether the decrypted sum computed by summing up the encrypted concatenated second data items comprises a predetermined value. The present invention also relates to a corresponding system and corresponding computer program product comprising one or more computer readable media having computer executable instructions for performing the steps of the method.

ENCRYPTION FOR LOW-END DEVICES THROUGH COMPUTATION OFFLOADING

The application relates to a method for computing a probabilistic encryption scheme for encrypting a data item in an electronic device including: computing a plurality of random bit strings in a computation cluster; sending the computed plurality of random strings to the electronic device; generating a random string (r_E) for use in the encryption scheme in the electronic device using a subset of the plurality of the random strings computed in the computation cluster and encrypting the data item using the random string computed in the electronic device. The present application also relates to a corresponding system and corresponding computer program product including one or more computer readable media having computer executable instructions for performing the steps of the method.