First and second devices store respective device data and private keys. The first-device data is additionally stored by the second device and by a proxy; and the second-device data is additionally stored by the first device and by the proxy. In a commitment phase, each of the first and second devices uses its respective device data, private key and a random nonce to generate a respective one-time first-device or second-device commitment value, which it sends to the proxy. In a checking phase, the devices communicate secret-key information to the proxy, which verifies the received one-time commitment values. In a digest phase, the proxy calculates a one-time digest, which it sends to the second device. The second device then verifies the received one-time digest to authenticate the first device.

A method for encrypting data. The method comprises receiving, from a user, via a client terminal, digital content including at least one textual string for filling in at least one field in a document managed by a network node via a computer network, encrypting the at least one textual string, and sending the at least one encrypted textual string to the network node via the computer network so as to allow filling in the at least one field with the at least one encrypted textual string. The network node is configured for storing and retrieving the at least one textual encrypted string without decrypting.

A method for operating a cloud gateway is provided. The method includes generating a plurality of rules relating users and groups to data access at a plurality of cloud service providers. The method includes encrypting, at one of a plurality of connectors, outgoing data that is moving through a cloud gateway en route from a proxy server to one of the plurality of cloud service providers, responsive to a data write request associated with a first user, the encrypting in accordance to one of the plurality of rules as related to the first user. The method includes decrypting, at one of the plurality of connectors, incoming data that is moving through the cloud gateway en route from one of the plurality of cloud service providers to the server, responsive to a data read request associated with a second user, the decrypting in accordance to one of the plurality of rules as related to the second user.

Examples of the present disclosure describe systems and methods for performing cryptographic operations in an isolated collection. In an example, a user may have an associated user resource within the isolated collection, which may be associated with a cryptographic key. Other users may access the user's key from a known location to manually or automatically perform one or more cryptographic operations. In another example, a key may be generated when initiating a group conversation. The key may be encrypted for and provided to each participant using each participant's public key. Each participant may then use the cryptographic key during the conversation. A new participant may receive authorization to join the conversation from an existing participant, wherein the encrypted key of the existing participant may be decrypted and re-encrypted using the new participant's public key. The new participant may then use the re-encrypted key to participate in the conversation.

A method and apparatus for fine-grained, trust-based rate limiting of network requests distinguishes trusted network traffic from untrusted network traffic at the granularity of an individual user/machine combination, so that network traffic policing measures are readily implemented against untrusted and potentially hostile traffic without compromising service to trusted users. A server establishes a user/client pair as trusted by issuing a trust token to the client when successfully authenticating to the server for the first time. Subsequently, the client provides the trust token at login. At the server, rate policies apportion bandwidth according to type of traffic: network requests that include a valid trust token are granted highest priority. Rate policies further specify bandwidth restrictions imposed for untrusted network traffic. This scheme enables the server to throttle untrusted password-guessing requests from crackers without penalizing most friendly logins and only slightly penalizing the relatively few untrusted friendly logins.

The invention relates to a method and an apparatus for encrypted communication between a client and a server, wherein the communication comprises request messages, each with request elements, and response messages, each with response elements. Request elements and response elements can comprise data. It is an object of the invention to hamper or prevent unauthorized access to the data during communication and also during storage and processing on the server. In this case, it is assumed that the communication channel and also the server itself are not trustworthy and neither client nor server provide measures or are adaptable in order to counter said risks of unauthorized access, for example by means of cryptographic methods. The invention achieves this object by virtue of a first request message being received from a client, being broken down into request elements, and at least one request element being encrypted on the basis of a predetermined configuration, encrypted request elements being combined with unencrypted request elements to form a second response message, and being finally transmitted to the server; a first response message is then received from the server, broken down into response elements, and at least one request element is encrypted on the basis of a predetermined configuration, the encrypted request element is combined with unencrypted request elements to form a second request message, and is finally transmitted to the server; a first response message is received from the server, broken down into response elements, response elements that need to be decrypted are determined and decrypted, decrypted response elements are combined with unaltered, unencrypted response elements to form a second response message, and are finally transmitted to the client. The invention also presents an apparatus for encrypting communication between the client and the server, wherein the apparatus is arranged between the client and the server and wherein the apparatus is set up to perform the steps of said method for encrypted communication between the client and the server.

Embodiments are generally directed to mechanisms to enable secure virtual namespaces in disaggregated storage targets. An embodiment of an apparatus includes a processor to process data; a memory for the storage of data; an interface with a host system over a communication fabric; an interface with each of one or more endpoint devices to provide storage for the host system; and a virtual target, the virtual target to map the one or more endpoint devices to multiple namespaces for the host system. The apparatus is operable to support secure access to the namespaces, the secure access including encryption of data transferred between the host system and a namespace, the data encryption key being derived from an identification of the host system; and present the plurality of namespaces to the host system in the virtual target.

The disclosure relates to a service processing method and apparatus. The method includes: setting up, by a proxy node, a first encrypted connection to UE, and setting up a second encrypted connection to the network server; obtaining, by the proxy node from the UE, an encryption context generated in the process of setting up the first encrypted connection, and generating a first key according to the encryption context; and receiving, by the proxy node, a ciphertext sent by the UE, decrypting the ciphertext by using the first key, processing obtained service information, and sending the processed service information to the network server by using the second encrypted connection, where the ciphertext is obtained by the UE by encrypting the service information by using a second key, the first key corresponds to the second key, and the second key is generated by the UE according to the encryption context.

The present invention relates to a method to authenticate a user using an authenticator at an access device using another registered device named personal device, said authenticator being stored by the access device after registration of the personal device comprising a double encryption using an access device's secret key and a personal device's public key to be retrieved at each request of authentication received from the personal device, encrypted using a session key and sent with the session key encrypted using the personal device's public key to the personal device for partial decryption using the decrypted session key and the personal device's private key, re-encryption using the session key and sending back to the access device for total decryption of the authenticator, using the session key and the access device's secret key, and use of the thus decrypted authenticator to authenticate at the access device.

Disclosed are systems and methods to encrypt an image for secure image transmission and parallel decryption using resources from a networked environment. Upon reception of encrypted data from the mobile user, the data can be decrypted by transforming the data, decrypting the transformed data, and inversing the transformation. The decrypted data can be sent for storage in a cloud storage.