H04L2209/76

Zero-knowledge databases

Provided is a process of operating a zero-knowledge encrypted database, the process including: obtaining a request for data in a database stored by an untrusted computing system, wherein the database is stored in a graph that includes a plurality of connected nodes, each of the nodes including: an identifier, accessible to the untrusted computing system, that distinguishes the respective node from other nodes in the graph; and an encrypted collection of data stored in encrypted form, wherein: the untrusted computing system does not have access to an encryption key to decrypt the collections of data, the encrypted collections of data in at least some of the plurality of nodes each include a plurality of keys indicating subsets of records in the database accessible via other nodes in the graph and corresponding pointers to identifiers of the other nodes.

Utilizing a Trusted Platform Module (TPM) of a Host Device

Techniques for utilizing a trusted platform module of a host device are described. According to various embodiments, a client device that does not include a trusted platform module (TPM) may leverage a TPM of a host device to provide trust services to the client device.

Securing Information Exchanged Between Internal And External Entities Of Connected Vehicles
20180131524 · 2018-05-10

Data in vehicle networks has been treated as proprietary assets, due to car makers' concern of potential IP infringement via extraction of confidential vehicular data. To address this concern, an intermediate gateway in between internal and external networks translates proprietary in-vehicle data to rich type data, thus preventing the exposure of raw in-vehicle data. The translation relies solely on the gateway which can be a direct target of cyberattacks, making it difficult to trust the data through the gateway. This, in turn, requires authentication of the translated data. A communication protocol is presented that provides secure communications between the vehicle's internal components and external entities. The protocol enables authorization of external servers for in-vehicle ECUs as well as authentication and proof of messages between internal and external components to combat a compromised gateway.

Proxy computing system, computing apparatus, capability providing apparatus, proxy computing method, capability providing method, program, and recording medium

A computing apparatus outputs .sub.1 and .sub.2 corresponding to a ciphertext x, a capability providing apparatus uses .sub.1 to correctly compute f(.sub.1) with a probability greater than a certain probability and sets the result of the computation as $z_1$, uses .sub.2 to correctly compute f(.sub.2) with a probability greater than a certain probability and sets the result of the computation as $z_2$, the computing apparatus generates a computation result $u=f(x)^{b}x_1$ from $z_1$, generates a computation result $v=f(x)^{a}x_2$ from $z_2$, and outputs $u^{b}v^{a}$ if the computation results u and v satisfy a particular relation, where G and H are groups, f(x) is a function for obtaining an element of the group G for xH, $X_1$ and $X_2$ are random variables having values in the group G, $x_1$ is a realization of the random variable $X_1$, and $x_2$ is a realization of the random variable $X_2$.

Securely Transporting Data Across a Data Diode for Secured Process Control Communications
20180115528 · 2018-04-26

Securely transporting data across a unidirectional data diode interconnecting a process plant to a remote system includes provisioning, using join key material, a sending device at the plant end of the diode with a receiving device at the remote end. The join key material is used to securely share network key material that is used to encrypt/decrypt messages or packets that are transported across the diode and whose payload includes plant-generated data. The shared network key material is recurrently updated or re-set using the join key material, and the recurrence interval may be based on a tolerance for lost data or other characteristic of an application, service, or consumer of plant data at the remote system.

Protection of data stored in the cloud

A system for protecting data stored in the cloud includes a computing device that generates a plaintext encryption key and encrypts the plaintext encryption key using a credential of a customer that uses a cloud application. The computing device encrypts plaintext data using the encryption key and forwards the encrypted data to a cloud computer system that hosts the cloud application. The plaintext data can be received from a cloud application client that runs in the computing device or from another computing device that hosts the cloud application client. The encrypted encryption key can be stored in and retrieved from a key server.

Blockchain for the connected home

A request to access a destination device associated may be received from a user device. The request may comprise a digital certificate. The digital certificate may comprise a public key of the user device. A distributed ledger address of the user device may be determined by applying a deterministic function to the public key of the user device. A distributed ledger entry may be created on a distributed ledger. The distributed ledger entry may comprise the address of the user device. Based on the distributed ledger entry, access to the destination device may be granted to the user device.

Multicast encryption scheme for data-ownership platform
12149611 · 2024-11-19

Disclosed herein are embodiments for implementing periodic management of cryptographic keys. An embodiment includes a processor configured to perform operations comprising receiving a first input associating a first set of subscribers with a first data stream published by the first publisher device, and a first cryptographic key. The processor may transmit, to the first publisher device, a first confirmation indicating that the first cryptographic key is ready for use, for example. In some embodiments, the processor may release the first cryptographic key to a first set of subscribers, receive a second input from a publishing user associating a different, second set of subscribers with the first data stream, and receive a second cryptographic key after a certain time period. The processor may further transmit, to the first device, a second confirmation indicating that the second cryptographic key is ready for use, and release the second cryptographic key to the second set of subscribers.

Data security using request-supplied keys

An encoding of a cryptographic key is obtained in the form of an encrypted key. A request is provided to a service provider, fulfillment of which involves performing a cryptographic operation on data. Upon fulfillment of the request, a response is received that indicates the fulfillment of the request.

SYSTEMS AND METHODS FOR DYNAMICALLY APPLYING INFORMATION RIGHTS MANAGEMENT POLICIES TO DOCUMENTS

Systems and methods are disclosed herein for dynamically applying information rights management (IRM) policies to documents. An example system for dynamically applying IRM policies to documents can include a document repository, a proxy server, and a dynamic IRM wrapping service (also referred to herein as an IRM engine). A user can request a document on the document repository by, for example, attempting to access the document from a user device. The user device can be managed by a management server that enrolls the user device and enforces compliance rules and other policies at the user device. The user's request for the document can be received at the proxy server, and the proxy server can then request the document from the document repository.