Patent classifications
H04L2209/76
Encrypted statistical processing system, device, method, and program
A service provider device includes key generation means, which generates a service public key for encrypting data and a secret key, and proxy key generation means, which inputs the service public key and the secret key and generates a proxy key. A data registration device includes encrypted data generation means, which generates encrypted data upon input of the service public key and data, and stores the generated encrypted data in a database. Proxy devices each include encrypted portion statistical data generation means, which generates encrypted portion statistical data upon input of the proxy key with respect to the encrypted data stored in the database. An integrated data generation device includes encrypted statistical data generation means, which inputs the encrypted portion statistical data from each of the proxy devices, generates encrypted statistical data, and stores the generated encrypted statistical data in an integrated data storage device.
System and method for distributed deduplication of encrypted chunks
The present disclosure relates to an advantageous system and related methods for distributed deduplication of encrypted chunks. One embodiment relates to a method for storing encrypted chunks in which an encryption key is generated independently from a chunk payload. With this method, two encrypted chunks are identifiable as having identical chunk payloads even when the chunk payloads are encrypted with different encryption keys. Other embodiments, aspects and features are also disclosed.
End-To-End Service Layer Authentication
A variety of mechanisms to perform End-to-End authentication between entities having diverse capabilities (e.g. processing, memory, etc.) and with no prior security associations are used. Security provisioning and configuration process is done such that appropriate security credentials, functions, scope and parameters may be provisioned to an Entity. Mechanisms to distribute the security credentials to other entities which could then use the credentials to perform an End-to-End authentication at the Service Layer or the Session Layer and using Direct or Delegated modes are developed.
ENCRYPTION IN THE CLOUD USING ENTERPRISE MANAGED KEYS
An encryption key management system and method implements an enterprise-managed encryption key for an enterprise using encryption for cloud-based services. In some embodiments, the enterprise deploys a key agent on the enterprise data network to distribute encryption key material to the network intermediary on a periodic basis. The network intermediary receives the encryption key material from the enterprise and stores the encryption key material in temporary storage and uses the received encryption key material to derive a data encryption key to perform the encryption of the enterprise's data. In this manner, the enterprise can be provided with the added security assurance of maintaining and managing its own encryption key while using cloud-based data storage services. The encryption key management system and method can be applied to ensure that the enterprise's one or more encryption keys do not leave the enterprise's premises.
Encryption system using web browsers and untrusted web servers
In one embodiment of the present invention, a first user (the creator) uses a web browser to encrypt some information. The web browser provides to the creator a URL which contains the key used for encryption, such as in the form of an anchor embedded within a URL. The web browser also provides a hash of the cryptographic key and the encrypted information to a web server. The creator transmits the URL to a second user (the viewer) who provides the URL to a web browser, thereby causing the web browser to navigate to a decryption web page maintained by the web server, but without transmitting the cryptographic key to the web server. The viewer's web browser hashes the cryptographic key and sends the hash to the web server, which uses the hash to identify and return the encrypted information to the viewer's web browser, which in turn uses the encryption key to decrypt the message and display the decrypted message to the viewer.
Privacy-enhancing technologies for medical tests using genomic data
In this invention, we propose privacy-enhancing technologies for medical tests and personalized medicine methods, which utilize patients' genomic data. Assuming the whole genome sequencing is done by a certified institution, we propose to store patients' genomic data encrypted by a patient's public keys at a Storage and Processing Unit (SPU). A part of the corresponding private key is also stored on the SPU. At the time of the test by a Medical Unit (MU), the patient provides the second part of the private key to the MU. A test with its associated markers is determined by the MU and sent to the SPU. The test is carried out on the encrypted values thanks to homomorphic operation and returned back to the MU. The latter uses the second part of the private key to access the result.
Encrypting data records and processing encrypted records without exposing plaintext
A computer-implemented method of generating and distributing keys includes generating, based on a master key, a keyset, wherein the keyset comprises a re-encryption key, generating a key distribution request comprising the keyset, encrypting the keyset using an inbox key associated with a client device to generate an encrypted keyset, sending the re-encryption key to a key manager, and causing to distribute the encrypted keyset to the client device.
ENCRYPTING DATA RECORDS AND PROCESSING ENCRYPTED RECORDS WITHOUT EXPOSING PLAINTEXT
A computer implemented method of applying a unified search for a match of one or more features in a plurality of encrypted records, comprising using one or more processors of a server associated with a database comprising a plurality of encrypted records. The processor(s) is adapted for receiving a query for searching one or more plaintext features in the plurality of encrypted records, searching for a match of the one or more plaintext features using a first search methodology and a second search methodology and outputting an indication of matching encrypted records according to the match. Wherein the second search methodology is asymptotically faster than the first search methodology and wherein the first search methodology is used for searching a subset of the plurality of encrypted records selected based on status indication associated with each encrypted record.
HYBRID AUTHENTICATION SYSTEMS AND METHODS
Disclosed are hybrid authentication systems and methods that enable users to seamlessly sign-on between cloud-based services and on-premises systems. A cloud-based authentication service receives login credentials from a user and delegates authentication to an on-premises authentication service proxy. The login credentials can be passed by the cloud-based authentication service to the on-premises authentication service proxy, for instance, as an access token in an authentication header. The access token can be a JavaScript Object Notation (JSON) Web Token (JWT) token that is digitally signed using JSON Web Signature. Some embodiments utilize a tunnel connection through which the cloud-based authentication service communicates with the on-premises authentication service proxy. Some embodiments leverage an on-premises identity management system for user management and authentication. In this way, there is no need for a cloud-based system to separately maintain and manage a user identity management system and/or having to sync with an on-premises identity management system.
Message authentication system including a network device having a lightweight security module
A message authentication system for a network includes a private communication system including one or more private nodes in electronic communication with one another, a public communication system including one or more public nodes in electronic communication with one another, and a security proxy device that electronically connects the private communication system to the public communication system. The security proxy device includes a processing unit, a security module, and a lightweight security module that is in electronic communication with the one or more private nodes of the private communication system. The lightweight security module generates message authentication codes for messages transmitted by the private communication system that are sent to the public communication system.