H04L2209/76

EDGE ENCRYPTION
20180351733 · 2018-12-06

A system and method for encrypting portions of data for storage in a remote network are provided. The system comprises a memory with instructions executable by a processor to receive data for forwarding to a server device, wherein the received data comprises an indication of one or more portions of the received data to be encrypted; identify a portion comprising the one or more portions of the received data based at least in part on the indication; encrypt the identified portion of the data; generate a payload that comprises the encrypted portion and one or more unencrypted portions of the received data; and transmit the payload to the server device.

Systems and methods for authenticating a biometric device using a trusted coordinating smart device
10146924 · 2018-12-04

Systems and methods for authenticating a biometric device using a trusted coordinating smart device in accordance with embodiments of the invention are disclosed. In one embodiment, a process for enrolling a configurable biometric device with a network service includes obtaining a device identifier (ID) of the configurable biometric device using a coordinating smart device, communicating the device ID from the coordinating smart device to a network service, communicating a first challenge based on a challenge-response authentication protocol from the network service to the coordinating smart device, communicating the first challenge and a response uniform resource locator (URL) from the coordinating smart device to the configurable biometric device, generating a first response to the first challenge and communicating the first response to the network service utilizing the response URL, receiving a secure channel key by the coordinating smart device from the network service, communicating the secure channel key from the coordinating smart device to the configurable biometric device, performing a biometric enrollment process using the configurable biometric device including capturing biometric information from a user, and creating a secure communication link between the configurable biometric device and the network service using the secure channel key when the first response satisfies the challenge-response authentication protocol.

AUTHENTICATION METHOD, SYSTEM AND EQUIPMENT

An identity authentication method includes sending, by a third-party application client, an operation request to a third-party application server, in response to receiving a first operation indication for requesting to perform a target operation, the operation request requesting the third-party application server to perform the target operation, and receiving, by the third-party application client, to-be-signed information from an authentication server via the third-party application server, in response to the operation request being sent, the to-be-signed information comprising a challenge random number. The method further includes forwarding, by the third-party application client, the to-be-signed information that is received, to intelligent hardware, and receiving, by the third-party application client, a first signature result from the intelligent hardware, the first signature result being obtained by signing the to-be-signed information that is forwarded, using an application private key corresponding to a third-party application.

Secure communication method and apparatus
10142297 · 2018-11-27

The present invention provides a secure communication method and apparatus. A security proxy device is arranged between a client and a server. The method comprises: the security proxy device using a key exchange mechanism to perform connection key agreement with the client, and assigning a token to the client after identity authentication of the client succeeds; upon receiving a request sent by the client to the server, validating whether the token sent together with the request is the token assigned to the client; if the validation succeeds, forwarding to the server the request obtained by decrypting it with the connection key or a token connection key, wherein the token connection key is assigned to the client and then sent to the client encrypted under the connection key; and after receiving a response returned by the server, encrypting the response with the connection key or the token connection key and forwarding the encrypted response to the client. The present invention improves the security of communication between the client and the server, and can effectively protect the server and client from replay attacks, injection of malicious code, and automated attacks.

AUTHENTICATION METHOD AND AUTHENTICATION SYSTEM

In an authentication method according to an embodiment, a server generates first authentication information consisting of a value produced by a pseudo-random function that takes an identifier of an authentication target device and a common key as arguments, and transmits the first authentication information to the authentication target device via an authentication proxy client. The authentication target device checks the validity of the first authentication information by comparing it with the value produced by the pseudo-random function using the identifier and the common key as arguments; after checking the validity of the first authentication information, it generates second authentication information consisting of a value produced by a pseudo-random function that takes the identifier of the authentication target device, the common key, and the check result of the first authentication information as arguments, and transmits the second authentication information to the authentication proxy client.

SYSTEM FOR THIRD-PARTY ITEM PICKUP AUTHORIZATION
20180336612 · 2018-11-22

Examples provide an authentication system for authorizing third-party pickup of items. An authentication controller obtains a user-generated token. The user-generated token is associated with an item to be picked up by a third-party user. The authentication controller creates a machine-generated token. The machine-generated token is transmitted to the third-party user. Upon receiving a request to pick up the item from the third-party user, the authentication controller compares the tokens provided by the requesting third party with the user-generated token and the machine-generated token. If the tokens provided by the third party are valid, the requesting third party is authorized to pick up the item and the request is accepted. The item is released to the authorized third-party requester. The item may be released via an item pickup kiosk or a locker system. If the tokens are invalid, the third-party request to pick up the item is rejected. A notification is sent to the user.

End-to-end service layer authentication

A variety of mechanisms are used to perform end-to-end authentication between entities having diverse capabilities (e.g., processing, memory) and no prior security associations. A security provisioning and configuration process is performed such that appropriate security credentials, functions, scope, and parameters may be provisioned to an entity. Mechanisms are developed to distribute the security credentials to other entities, which can then use the credentials to perform end-to-end authentication at the Service Layer or the Session Layer, using Direct or Delegated modes.

Method and system for delegating calculation of a bilinear pairing value to a calculation server
10122530 · 2018-11-06

One embodiment relates to a method for enabling an entity to delegate the calculation of a bilinear pairing value e(A,B) between two values A and B to a calculation server. The entity may select public elements P1 and P2 and secret elements S1 and S2, two of the elements from among P1, P2, S1, and S2 being selected to be equal to A and B; generate elements R1 = vS1, R2 = uS2, T1 = uP1 + S1, T2 = vP2 + S2, where u and v are random numbers; and transmit R1, R2, T1, and T2 to the calculation server. The server may calculate (a1)^y = e(T1,T2) · [e(R1,P2) · e(P1,R2)]^(-1) and (a2)^z = e(D1,D2), where y and z designate two integers each equal to 1 or to an integer c, and D1 and D2 designate two public elements from among A and B or from among R1 and R2, and transmit a1 and a2 to the entity. The entity may obtain the value e(A,B) from a1 or a2.

ORTHOGONAL ACCESS CONTROL FOR GROUPS VIA MULTI-HOP TRANSFORM ENCRYPTION
20180316495 · 2018-11-01

Disclosed is an orthogonal access control system based on cryptographic operations provided by multi-hop proxy re-encryption (PRE) that strictly enforces authorized-only access to data by groups of users and scales to large numbers of users. Decryption authority can be delegated scalably to a plurality of members of a group, whether those members are users or devices, and members of a group can further create subgroups and delegate decryption authority to their members, whether users or devices. Members are granted access via generation of transform keys, and membership or access can be revoked merely by deleting the transform key; no elimination of the encrypted data, regardless of its storage location, is needed.

Data storage apparatus, data updating system, data processing method, and computer readable medium

A data storage unit (202) stores encrypted data while it remains in an encrypted state, and stores decryption conditions that define a user attribute of a decryption-permitted user who is permitted to decrypt the encrypted data. In a case where revocation information indicating a user attribute of a revoked user, who is no longer a decryption-permitted user, has been added to the decryption condition when update timing arrives, a revocation information removing unit (206) removes the revocation information from the decryption condition while the encrypted data remains in the encrypted state. Further, the revocation information removing unit (206) transmits the encrypted data and the decryption conditions from which the revocation information has been removed to a re-encryption apparatus that performs re-encryption in a proxy re-encryption scheme, and receives from the re-encryption apparatus the encrypted data that has been re-encrypted in the proxy re-encryption scheme using the decryption condition from which the revocation information has been removed. A refresh processing unit (205) updates the encrypted data that has been re-encrypted and the decryption condition from which the revocation information has been removed.