A data device controls distribution of data to user devices through an edge router via an encryption scheme. The data device encrypts data using a first key and a public key, and sends the data to the edge router. The edge router encrypts the encrypted data with a second key and sends the re-encrypted data to a user device. The data device then authenticates the user device and issues a decryption key derived from a private key corresponding to the public key, the first key, and the second key to the user device. The user device uses the decryption key to decrypt and access the data.

A data processing method performed by a computer system including a first computer, a second computer, and a third computer includes a step of, by the first computer, encrypting first data with a first encryption key and transmitting the first data encrypted with the first encryption key to the third computer, a step of, by the second computer, encrypting second data with a second encryption key and transmitting the second data encrypted with the second encryption key to the third computer, and a step of, by the third computer, generating, with a key exchange key for exchanging the second encryption key for the first encryption key, the second data encrypted with the first encryption key from the second data encrypted with the second encryption key.

In a client server environment a method of securely storing data; said method comprising generating a data element at a second location; transmitting the data element to a first location separate and remote from the second location; encrypting the data element at the first location thereby to form an encrypted data element; transmitting the encrypted data element to the second location separate and remote from the first location and storing the encrypted data element at the second location; and wherein the second location is constituted as a client device.

Also disclosed in a client server environment an apparatus for secure storage of data; said apparatus comprising a first processor at a first location which encrypts data utilising a key; said apparatus further comprising a second processor located at a second location remote from the first location; the data, after encryption, moved over a network to the second processor and stored in association with the second processor until the data is required for execution of an application on the first processor at which time the data is moved back from the second processor to the first processor and the first processor applies the key to a decryption algorithm to decrypt the data for use by the application executing on the first processor.

In preferred forms the second location/second processor are constituted by a client device.

The subject matter discloses a computerized system, comprising a computerized device communicating with a third party server, that comprises a memory unit that stores a representation of a Boolean circuit and a processing unit for calculating a result of the Boolean circuit according to a string used as input for the Boolean circuit and calculating a first predefined function on the result of the Boolean circuit. The system also comprises a first auxiliary server communicating with the computerized device, the first auxiliary server comprises a processing unit for calculating a second predefined function on the result of the Boolean circuit received from the computerized device and a second auxiliary server communicating with the computerized device comprises a processing unit for comparing the result of the first predefined function and the result of the second predefined function.

Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication. In this way, there is no need for a cloud-based system to separately maintain and manage a user identity management system and/or having to sync with an on-premises identity management system.

A Radio Frequency Identification (RFID) system including an RFID reader and a reader proxy authenticates itself to a verification authority. The proxy receives a proxy challenge from a verification authority and determines a proxy response based on the proxy challenge and a proxy key known to the proxy. The proxy response is then sent to the verification authority along with an identifier for the reader. The reader then authenticates an RFID tag by sending a tag response to the verification authority, which determines whether the reader is authentic based on the authenticity of the proxy response.

A method for setting up a subscriber identity module for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server includes generating one or several exchange keys from keys of the provisioning server and of the subscriber identity module on a production server and are transmitted into the subscriber identity module and stored, so that the subscriber identity module is put particularly into a state as though it had generated the exchange keys itself. In a method for agreeing one or several exchange keys, between a subscriber identity module and a provisioning server, the subscriber identity module sends its public key to the provisioning server, which subsequently generates the exchange keys.

A method of communicating over a network between first and second endpoints, one being and the other being a server. The method comprises: establishing a first secure transport layer channel between the first and second endpoints, establishing a second secure transport layer channel between the first endpoint and a middlebox to which the first endpoint is to delegate processing of the traffic sent over the first secure transport layer channel; the first endpoint validating the middlebox via the respective second secure transport layer channel, and on condition of said validation sharing the encryption key of the first channel with the middlebox via the second secure transport layer channel; and causing the traffic sent over the channel to be routed via the middlebox. The method thereby enables the middlebox to process, in the clear, content of the traffic sent over the first channel.

The present application provides example website login methods and apparatuses. One example method includes identifying a website jump trigger indication to jump from a first website to a second website. A first token is then obtained from a cookie store of the web browser, the first token associated with a website identifier of the second website and a device fingerprint indicating a running environment at a time when the password-free proxy login was previously set. In response to determining that a current running environment corresponds to the device fingerprint, a second token corresponding to the first token is obtained, wherein the second token comprises an access token indicating that the second website grants password-free login permissions. A password-free login request is sent to the second website including the second token. In response to the second website verifying the second token, the second website is logged into without a password.

A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.