H04L2209/76

Providing connection data to network devices for content inspection and replay attack mitigation

Techniques are described for providing data such as, for example, keys, connection identifiers, and hashes to network devices using a secure database in order to facilitate client devices remaining connected or reconnecting with network sites when the client device moves among networks and to prevent replay attacks. For example, a method may include receiving, by a network device of a first network, encrypted traffic destined for a network site via the first network from a client device. The method may also include retrieving, by the network device from a database, data related to a previously established connection via a second network of the client device to the network site. In configurations, the data is received by the database from a proxy on the client device. The method may further include based at least in part on the data, passing, by the network device, the encrypted traffic to the network site.

Highly-available cryptographic keys
12367293 · 2025-07-22

Systems and methods for providing encrypted cryptographic keys. A system obtains a request to generate a data key. The system generates the data key and a data structure comprising the data key encrypted with keys from a set of compute regions. The system provides the data structure and the data key in response to the request. The data structure can be used to obtain the data key contingent on at least one compute region of the set of compute regions being available.
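Worked example (added here; this is not code from the patent or its assignee): a Go sketch of the data structure the abstract describes, one data key wrapped separately under the key-encryption key of each compute region, and of the unwrap path that succeeds as long as any single region is reachable. AES-256-GCM as the wrapping primitive, the region names, and the in-process key-encryption keys are all assumptions of this example; in a real deployment the per-region keys would stay inside each region's KMS.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// WrappedDataKey is the data structure from the abstract: the same data key
// wrapped separately under each compute region's key-encryption key (KEK), so
// any one reachable region is enough to recover it.
type WrappedDataKey struct {
	Wrapped map[string][]byte // region -> nonce || AES-256-GCM(KEK_region, dataKey)
}

// RegionKEKs stands in for the per-region KMS keys (constructed for this
// example; in production a KEK never leaves its region's KMS or HSM).
type RegionKEKs map[string][]byte

// NewRegionKEKs creates a random 256-bit KEK for each named region.
func NewRegionKEKs(regions ...string) (RegionKEKs, error) {
	keks := make(RegionKEKs, len(regions))
	for _, r := range regions {
		k := make([]byte, 32)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		keks[r] = k
	}
	return keks, nil
}

func aeadFor(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GenerateDataKey serves a "generate data key" request: it returns the
// plaintext key for immediate use together with the multi-region structure.
func GenerateDataKey(keks RegionKEKs) ([]byte, *WrappedDataKey, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wdk := &WrappedDataKey{Wrapped: make(map[string][]byte, len(keks))}
	for region, kek := range keks {
		aead, err := aeadFor(kek)
		if err != nil {
			return nil, nil, err
		}
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, nil, err
		}
		// Region name bound as associated data: a blob cannot be silently moved under another entry.
		wdk.Wrapped[region] = append(nonce, aead.Seal(nil, nonce, dataKey, []byte(region))...)
	}
	return dataKey, wdk, nil
}

// UnwrapDataKey recovers the data key through the first region that is both
// present in the structure and currently reachable; an entry that fails
// authentication is skipped so one corrupted region does not block recovery.
func UnwrapDataKey(wdk *WrappedDataKey, keks RegionKEKs, reachable map[string]bool) ([]byte, error) {
	for region, blob := range wdk.Wrapped {
		kek, ok := keks[region]
		if !ok || !reachable[region] {
			continue
		}
		aead, err := aeadFor(kek)
		if err != nil {
			return nil, err
		}
		ns := aead.NonceSize()
		if len(blob) < ns {
			continue
		}
		if dk, err := aead.Open(nil, blob[:ns], blob[ns:], []byte(region)); err == nil {
			return dk, nil
		}
	}
	return nil, errors.New("no reachable region can unwrap the data key")
}

func main() {
	keks, _ := NewRegionKEKs("us-east-1", "eu-west-1", "ap-south-1")
	dk, wdk, _ := GenerateDataKey(keks)
	// Simulated outage: only eu-west-1 answers.
	got, err := UnwrapDataKey(wdk, keks, map[string]bool{"eu-west-1": true})
	fmt.Println("recovered through a single region:", err == nil && bytes.Equal(dk, got))
}
```

The availability property comes at a cost worth stating: each region's KEK alone suffices, so the structure is an OR over regions, not a threshold, and compromise of any one region's KEK exposes the data key. Rotation also has to touch every entry, since a stale wrapped copy under a retired KEK would otherwise remain a valid recovery path.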

Content management systems and methods using proxy reencryption

This disclosure relates to systems and methods for managing protected electronic content using proxy reencryption techniques. Rights management architectures are described that may, among other things, provide end-to-end protection of content keys from their point of origination at a content creator and/or content service to end user devices. Proxy reencryption techniques consistent with aspects of the disclosed embodiments may enable transformation of a ciphertext under one public key to a ciphertext containing the same plaintext under another public key. Consistent with embodiments disclosed herein, proxy reencryption processes may be implemented using indistinguishability obfuscation and puncturable public-key encryption schemes, functional encryption, and/or white box obfuscation techniques.

Systems and methods for dynamically applying information rights management policies to documents

Systems and methods are disclosed herein for dynamically applying information rights management (IRM) policies to documents. An example system for dynamically applying IRM policies to documents can include a document repository, a proxy server, and a dynamic IRM wrapping service (also referred to herein as an IRM engine). A user can request a document on the document repository by, for example, attempting to access the document from a user device. The user device can be managed by a management server that enrolls the user device and enforces compliance rules and other policies at the user device. The user's request for the document can be received at the proxy server, and the proxy server can then request the document from the document repository.

Authentication system with reduced attack surface

Some embodiments are directed to an authentication system (100; 101; 102) for computing an authentication token for a service provider to authenticate a user system to the service provider, the authentication system comprising a processor configured to jointly blind with a user system an encrypted user identity and to compute an encrypted identity for the service provider from the blinded encrypted user identity.

Hashing messages with cryptographic key components
12401523 · 2025-08-26

Techniques for hashing messages with cryptographic key components are provided. In one technique, a message to be hashed with a private key component is identified. During a hash operation relative to the message involving a hash function, the client identifies an internal state of the hash function, which internal state is based on the message. The client sends the internal state of the hash function to a cryptographic device. The cryptographic device identifies a private key component and generates a final hash based on the private key component and the internal state of the hash function. In another technique, a client receives, from a cryptographic device, an internal state of a hash function, where the internal state is based on a private key component that is stored in the cryptographic device. Based on the internal state and a message, the client generates a final hash.
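Worked example (added here; not code from the patent) of both techniques in the abstract, using Go's SHA-256, whose running state can be exported and re-imported through encoding.BinaryMarshaler. The "device" and "client" are just functions in one process, and the key component and message are constructed strings; the zero-padding of the key component to a full block is this example's own choice, explained in the comments.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding"
	"fmt"
	"hash"
)

// exportState serialises the running SHA-256 state: chaining value, any
// unconsumed buffered bytes (in the clear) and the byte count. Go's sha256
// implements encoding.BinaryMarshaler for exactly this purpose.
func exportState(h hash.Hash) ([]byte, error) {
	return h.(encoding.BinaryMarshaler).MarshalBinary()
}

// importState rebuilds a SHA-256 instance from an exported state, rejecting
// anything that is not a well-formed sha256 state blob.
func importState(state []byte) (hash.Hash, error) {
	h := sha256.New()
	if err := h.(encoding.BinaryUnmarshaler).UnmarshalBinary(state); err != nil {
		return nil, err
	}
	return h, nil
}

// Technique 1: the client absorbs the message and ships the state; the device
// appends the private key component and finalizes. Result: SHA-256(msg || key).

func ClientPartialState(message []byte) ([]byte, error) {
	h := sha256.New()
	h.Write(message)
	return exportState(h)
}

func DeviceFinalize(state, keyComponent []byte) ([]byte, error) {
	h, err := importState(state)
	if err != nil {
		return nil, err
	}
	h.Write(keyComponent)
	return h.Sum(nil), nil
}

// Technique 2: the device absorbs the key component and ships the state; the
// client appends the message and finalizes. Result: SHA-256(PadToBlock(key) || msg).

// PadToBlock zero-pads the key component to a whole 64-byte block. Without
// this, the unconsumed tail of the key would sit in the exported state in the
// clear and leave the device along with it.
func PadToBlock(keyComponent []byte) []byte {
	n := (len(keyComponent) + sha256.BlockSize - 1) / sha256.BlockSize * sha256.BlockSize
	padded := make([]byte, n)
	copy(padded, keyComponent)
	return padded
}

func DeviceKeyedState(keyComponent []byte) ([]byte, error) {
	h := sha256.New()
	h.Write(PadToBlock(keyComponent))
	return exportState(h)
}

func ClientFinalize(state, message []byte) ([]byte, error) {
	h, err := importState(state)
	if err != nil {
		return nil, err
	}
	h.Write(message)
	return h.Sum(nil), nil
}

func main() {
	key := []byte("private key component held only by the device (constructed)")
	msg := []byte("message chosen by the client (constructed)")

	st, _ := ClientPartialState(msg)
	out1, _ := DeviceFinalize(st, key)
	ref1 := sha256.Sum256(append(append([]byte{}, msg...), key...))
	fmt.Println("technique 1 == SHA-256(msg||key):", bytes.Equal(out1, ref1[:]))

	st2, _ := DeviceKeyedState(key)
	out2, _ := ClientFinalize(st2, msg)
	ref2 := sha256.Sum256(append(PadToBlock(key), msg...))
	fmt.Println("technique 2 == SHA-256(pad(key)||msg):", bytes.Equal(out2, ref2[:]))
	fmt.Println("key bytes visible in exported keyed state:", bytes.Contains(st2, key))
}
```

Two points a practitioner should take from this. In technique 2 the exported state is itself a capability: whoever holds it can compute the keyed hash of any message, so it must be handled with the same care as the key component, even though the key bytes themselves stay on the device once the input is block-aligned. And a Merkle-Damgård state export only works because these constructions are plain H(msg || key) and H(key || msg); an HMAC would need the key component twice (inner and outer pass), so the handoff would have to be a round trip rather than a single state transfer.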

Client-side sharing of cryptographic keys
12425195 · 2025-09-23

An example may involve determining that a first proxy server is to share security credentials with a set of one or more proxy servers, wherein the set of one or more proxy servers is associated with the security credentials, and wherein the set of one or more proxy servers includes a second proxy server; transmitting, to the second proxy server, a request for the first proxy server to have access to the security credentials; and receiving, from the second proxy server, a credential key in an encrypted form, wherein the credential key is configured to decrypt the security credentials.

Enhanced hop by hop security

Embodiments of the present disclosure relate to methods, apparatuses and computer readable storage media for hop-by-hop security. A proposed method comprises receiving, at a first apparatus and from a second apparatus associated with a first network function, a message directed from the first network function to a second network function, the message comprising a first signature and network function information, the network function information at least comprising identification information of the first network function; in accordance with a successful validation of the first signature, updating the message with a second signature specific to a service communication proxy implemented by the first apparatus; and transmitting the updated message to a third apparatus associated with the second network function, the updated message comprising at least the second signature and the network function information.
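Worked example (added here; not code from the patent) of the hop the abstract describes, written in Go with Ed25519 as the assumed signature scheme: the producer network function signs its message, the service communication proxy validates that signature against the key it has registered for the NF named in the message and only then replaces it with its own, and the consumer side checks the SCP's signature. The NF identifiers, the in-memory key registry and the JSON framing are constructions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// NFInfo is the network function information carried end to end; the
// identity of the originating NF is what the SCP's signature vouches for.
type NFInfo struct {
	NFID   string `json:"nf_id"`
	NFType string `json:"nf_type"`
}

// Message is one hop's view: NF information, payload, and the signature of
// whichever apparatus last validated it (the SCP replaces the NF's signature).
type Message struct {
	NFInfo    NFInfo `json:"nf_info"`
	Payload   []byte `json:"payload"`
	SignedBy  string `json:"signed_by"`
	Signature []byte `json:"signature"`
}

// signingInput is the canonical byte string a signature covers: everything
// except the signature fields. encoding/json emits struct fields in
// declaration order, so signer and verifier derive identical bytes.
func signingInput(m Message) ([]byte, error) {
	return json.Marshal(struct {
		NFInfo  NFInfo `json:"nf_info"`
		Payload []byte `json:"payload"`
	}{m.NFInfo, m.Payload})
}

// NFSign is the producer NF (the second apparatus) signing its outgoing message.
func NFSign(m Message, priv ed25519.PrivateKey) (Message, error) {
	in, err := signingInput(m)
	if err != nil {
		return Message{}, err
	}
	m.SignedBy = m.NFInfo.NFID
	m.Signature = ed25519.Sign(priv, in)
	return m, nil
}

// SCPForward is the first apparatus: validate the NF's signature against the
// key registered for the NF named in the message, and only on success replace
// it with the SCP's own signature before sending the message on.
func SCPForward(m Message, registry map[string]ed25519.PublicKey, scpID string, scpPriv ed25519.PrivateKey) (Message, error) {
	if m.SignedBy != m.NFInfo.NFID {
		return Message{}, errors.New("scp: message must carry the originating NF's signature")
	}
	pub, ok := registry[m.NFInfo.NFID]
	if !ok {
		return Message{}, fmt.Errorf("scp: no registered key for NF %q", m.NFInfo.NFID)
	}
	in, err := signingInput(m)
	if err != nil {
		return Message{}, err
	}
	if !ed25519.Verify(pub, in, m.Signature) {
		return Message{}, errors.New("scp: invalid NF signature, message dropped")
	}
	m.SignedBy = scpID
	m.Signature = ed25519.Sign(scpPriv, in) // same covered bytes, new signer
	return m, nil
}

// ConsumerVerify is the third apparatus: it accepts the message only under
// the SCP's signature, which vouches for the NF information it carries.
func ConsumerVerify(m Message, scpID string, scpPub ed25519.PublicKey) error {
	if m.SignedBy != scpID {
		return fmt.Errorf("consumer: expected signature by %q, got %q", scpID, m.SignedBy)
	}
	in, err := signingInput(m)
	if err != nil {
		return err
	}
	if !ed25519.Verify(scpPub, in, m.Signature) {
		return errors.New("consumer: invalid SCP signature")
	}
	return nil
}

func main() {
	nfPub, nfPriv, _ := ed25519.GenerateKey(nil)
	scpPub, scpPriv, _ := ed25519.GenerateKey(nil)
	registry := map[string]ed25519.PublicKey{"amf-01": nfPub} // constructed registry
	msg, _ := NFSign(Message{NFInfo: NFInfo{NFID: "amf-01", NFType: "AMF"}, Payload: []byte(`{"op":"register"}`)}, nfPriv)
	fwd, err := SCPForward(msg, registry, "scp-01", scpPriv)
	fmt.Println("scp accepted:", err == nil, "consumer accepted:", ConsumerVerify(fwd, "scp-01", scpPub) == nil)
}
```

The security of this arrangement rests on the SCP's lookup of the NF key by the identifier inside the message rather than by anything the sender claims out of band, and on the consumer refusing any signature other than the SCP's. Because the SCP's signature replaces the NF's, the consumer is trusting the SCP's validation step; if end-to-end non-repudiation by the producing NF is required, the original signature has to be carried alongside rather than dropped.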

Method and system for a lattice-based homomorphic proxy re-encryption scheme

The present disclosure provides a method for a lattice-based homomorphic proxy re-encryption (HPRE) scheme. Conventional methods are attribute based, and attribute-based encryption schemes employ very expensive operations and generate long ciphertexts and secret keys (whose sizes also increase linearly with the size of the access policy), which makes them hard to implement in real-life applications. The present disclosure provides a unidirectional, single-hop HPRE scheme from the Learning With Errors (LWE) assumption which is Chosen Plaintext Attack (CPA) secure. Further, the present disclosure is based on the widely accepted BGV algorithm, which supports both levelled FHE operations and an arbitrary number of ciphertexts with unique and secure re-encryption key generation. Further, the present disclosure provides batch evaluation of ciphertexts, in order to enable re-encryption and evaluation of multiple ciphertexts.
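Worked example (added here; not code from either patent) of the core proxy re-encryption property described in both of the "Content management systems and methods using proxy reencryption" abstract and the lattice-based scheme above: a proxy holding a re-encryption key turns a ciphertext under Alice's public key into one under Bob's without ever seeing the plaintext. To keep it runnable in stock Go, this uses the classic discrete-log construction (hashed ElGamal with a re-encryption key skB/skA in the style of Blaze, Bleumer and Strauss) rather than the LWE/BGV scheme, over a random 512-bit prime with base 2; those parameters, the counter-mode SHA-256 keystream and the message are all constructions of this example and are not a secure parameter choice.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Params: the group Z_p^* with base g. Exponents are reduced modulo N = p-1, so a secret key must be invertible modulo N.
type Params struct{ P, G, N *big.Int }

func NewParams(bits int) (*Params, error) {
	p, err := rand.Prime(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Params{P: p, G: big.NewInt(2), N: new(big.Int).Sub(p, big.NewInt(1))}, nil
}

// Ciphertext: C1 is the message masked with a keystream from g^r; C2 = pk^r is the only component the proxy transforms.
type Ciphertext struct {
	C1 []byte
	C2 *big.Int
}

// KeyGen returns (sk, pk) with gcd(sk, N) = 1 and pk = g^sk mod p.
func (pr *Params) KeyGen() (*big.Int, *big.Int, error) {
	for {
		a, err := rand.Int(rand.Reader, pr.N)
		if err != nil {
			return nil, nil, err
		}
		if new(big.Int).GCD(nil, nil, a, pr.N).Cmp(big.NewInt(1)) == 0 {
			return a, new(big.Int).Exp(pr.G, a, pr.P), nil
		}
	}
}

// mask XORs data with a counter-mode SHA-256 keystream derived from a group
// element (short messages only: the counter is a single byte).
func mask(data []byte, secret *big.Int) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += sha256.Size {
		h := sha256.New()
		h.Write(secret.Bytes())
		h.Write([]byte{byte(i / sha256.Size)})
		for j, b := range h.Sum(nil) {
			if i+j < len(data) {
				out[i+j] = data[i+j] ^ b
			}
		}
	}
	return out
}

// Encrypt under pk: pick r, C1 = msg XOR KDF(g^r), C2 = pk^r = g^{sk*r}.
func (pr *Params) Encrypt(pk *big.Int, msg []byte) (*Ciphertext, error) {
	r, err := rand.Int(rand.Reader, pr.N)
	if err != nil {
		return nil, err
	}
	gr := new(big.Int).Exp(pr.G, r, pr.P)
	return &Ciphertext{C1: mask(msg, gr), C2: new(big.Int).Exp(pk, r, pr.P)}, nil
}

// Decrypt recovers g^r = C2^(1/sk) and unmasks C1.
func (pr *Params) Decrypt(sk *big.Int, ct *Ciphertext) ([]byte, error) {
	inv := new(big.Int).ModInverse(sk, pr.N)
	if inv == nil {
		return nil, errors.New("secret key is not invertible modulo p-1")
	}
	return mask(ct.C1, new(big.Int).Exp(ct.C2, inv, pr.P)), nil
}

// ReKey builds rk = skB * skA^(-1) mod N. It needs both secrets, and rk^(-1)
// re-encrypts B -> A too: this classic construction is bidirectional and multi-hop,
// unlike the unidirectional single-hop LWE scheme in the abstract above.
func (pr *Params) ReKey(skA, skB *big.Int) (*big.Int, error) {
	inv := new(big.Int).ModInverse(skA, pr.N)
	if inv == nil {
		return nil, errors.New("skA is not invertible modulo p-1")
	}
	return new(big.Int).Mod(new(big.Int).Mul(skB, inv), pr.N), nil
}

// ReEncrypt is the proxy's whole job: C2' = C2^rk = g^{skB*r}. C1 is untouched, and the proxy never learns g^r or the plaintext.
func (pr *Params) ReEncrypt(rk *big.Int, ct *Ciphertext) *Ciphertext {
	return &Ciphertext{C1: ct.C1, C2: new(big.Int).Exp(ct.C2, rk, pr.P)}
}

func main() {
	pr, _ := NewParams(512)
	skA, pkA, _ := pr.KeyGen()
	skB, _, _ := pr.KeyGen()
	ct, _ := pr.Encrypt(pkA, []byte("content key for user B (constructed)"))
	rk, _ := pr.ReKey(skA, skB)
	m, _ := pr.Decrypt(skB, pr.ReEncrypt(rk, ct))
	fmt.Printf("B decrypts the re-encrypted ciphertext: %q\n", m)
}
```

What the example makes concrete about the rights-management use: the content service encrypts a content key once under its own key, the proxy re-encrypts per recipient with a recipient-specific rk, and a compromise of the proxy yields rk and ciphertexts but neither the content key nor any secret key. The bidirectionality of this particular construction is the caveat that motivates unidirectional schemes such as the LWE one above: here rk alone lets the proxy also move Bob's ciphertexts back to Alice, and generating rk required both parties' secrets.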
