Patent classifications
H04L2209/76
Key Replacement Direction Control System and Key Replacement Direction Control Method
To enable multiple key replacements for information sharing between users and control of the key replacement directions, a key replacement direction control system 100 at least has a key replacement server 200 including: a storage part 220 that stores key replacement information defining a relation indicating permission and direction of information sharing between users, a replacement key for use to re-encrypt encrypted data of a first user to enable a second user to decrypt the encrypted data with a decryption key retained by the second user, and encrypted data of users; and an arithmetic device 210 that receives a transmission request from a user terminal, and if the key replacement information defines that information sharing in a direction from a certain user to a different user is permitted, re-encrypts encrypted data of the certain user using the replacement key for the users thus defined and transmits the re-encrypted encrypted data to the user terminal of the different user.
Securing IoT Devices Using an Out-Of-Band Beacon
Systems and methods for securing network devices through the use of an out-of-band beacon are described. In some embodiments, a method may include broadcasting, by a gateway, a wireless beacon that is out-of-band with respect to communications between the gateway and a plurality of devices over a network, where the wireless beacon includes a token; receiving an encrypted packet at the gateway as part of the communications; decrypting the encrypted packet into an intermediate payload by the gateway using a public key, where the public key corresponds to a certificate provisioned to each of the plurality of devices; and decrypting the intermediate payload into a decrypted packet by the gateway using the token.
Attribute-based encryption
A system for attribute-based encryption comprises a first encrypter (11) and a second encrypter (12). The first encrypter (11) comprises an input unit (1) for determining a message and a policy over a set of attributes, wherein the policy comprises a plurality of components, and a first cryptographic unit (2) for generating an encrypted representation of the message and an encrypted representation of the plurality of components. The second encrypter (12) comprises a receiving unit (3) for receiving the encrypted representation of the message and the encrypted representation of the plurality of components, and a second cryptographic unit (4) for transforming the encrypted representation of the message and the encrypted representation of the plurality of components into an attribute-based encrypted message associated with the policy.
SECURE TRANSPORT SESSION RESUMPTION FOR CONSTRAINED DEVICES
A constrained device, such as an Internet of Things (IoT) device, can use a handshake procedure to establish a secure transport session with a server and generate a corresponding client session state. The constrained device can encrypt the client session state into an encrypted client session state, and transmit the encrypted client session state to the server. When the constrained device enters an idle mode, the client session state may be cleared from memory of the constrained device. However, when the constrained device next wakes from the idle mode and re-enters an active mode, the constrained device can retrieve the encrypted client session state from the server. The constrained device can decrypt the encrypted client session state to recover the client session state, and use the recovered client session state to resume the secure transport session instead of establishing a new secure transport session with a new client session state.
Systems and methods for providing data security services
Embodiments described herein provide enhanced computer- and network-based systems and methods for providing data security with respect to computing services, such as a digital transaction service (DTS). Example embodiments further provide a discovery service that enables nodes that are included in, or otherwise communicatively coupled to, the DTS to actively or passively “discover” roles and keys associated with the nodes. These node roles are associated with the various services provided by the DTS. A security module provides at least a portion of the security services.
DATA INTERACTION METHOD AND SYSTEM
A data interaction method and system, wherein the method includes: obtaining a real card information list of smart cover end by a smart cover; prompting the real card information list of smart cover end by the smart cover; receiving a real card selecting instruction by the smart cover, determining a selected real card by the smart cover; receiving first data sent from a transaction terminal by a simulation card, and sending the first data to the smart cover by the simulation card; prompting the first data by the smart cover, receiving a confirming instruction for confirming that the first data is correct by the smart cover, and sending the first data to the real card manager by the smart cover; and receiving the first data sent from the smart cover by the real card manager, and sending the first data to the selected real card by the real card manager.
EDGE CACHING OF HTTPS CONTENT VIA CERTIFICATE DELEGATION
Mechanisms may be used for edge caching Hypertext Transfer Protocol Secure (HTTPS) content via an owner-endorsed proxy. The edge servers of a mobile-content distribution network (CDN) may work as the proxy that dynamically gets the means to serve HTTPS content through rights delegated by content owners. Mechanisms may include dynamically assigning a domain with a canonical name (CNAME) record in DNS based on the popularity of the domain at an edge server. Each edge server from the plurality of edge servers may be associated with a mobile content distribution (mobile-CDN) network. Via the mobile-CDN, the right to establish a Transport Layer Security (TLS) session is delegated to the edge server on behalf of the content owner, so that the HTTPS request to the content server may be served by the edge server. A mechanism to restrict the scope of HTTPS content served through the delegated right is presented as well.
Secure overlay multicast
A system and method for cryptographically securing data communications between a group of networked devices establishes and maintains an overlay network at the Application Layer, on top of a unicast routing service provided at the Internetworking Layer. The overlay network provides, first, the routes that are used to deliver multicast datagrams and, second, the cryptographic keys used to secure multicast datagrams. A common cryptographic key is established between all members of each group, and end-to-end encryption ensures that multicast datagrams can be accessed only by authorized group members. In other embodiments, keys are established between pairs of adjacent devices in the overlay network, and hop-by-hop encryption ensures that multicast datagrams can be accessed only by overlay network members.
INTERACTIVE TECHNIQUES FOR ACCELERATING HOMOMORPHIC LINEAR OPERATIONS ON ENCRYPTED DATA
An interactive multi-party system for collaboratively performing homomorphic operations, such that no party has access to unencrypted data or an unencrypted operator. A first party device may add noise to encrypted data and an encrypted linear operator to generate noisy encrypted data and a noisy encrypted operator, and transmit the noisy encrypted data and operator to a second party device possessing a secret decryption key for the encryption. The second party device may decrypt the noisy encrypted data and noisy encrypted operator to generate unencrypted noisy data and an unencrypted noisy operator, solve the linear operation using the unencrypted noisy data and an unencrypted noisy operator to generate a noisy solution, encrypt the noisy solution to the linear operation, and transmit it to the first party device. The first party device may then cancel the noise of the encrypted noisy solution to generate the encrypted solution to the linear operation.
File signature system and method
Embodiments of the present disclosure relate to the field of data security, and a file signature system and method are disclosed. The system includes: an encryption server, configured to store an encryption key; and a signature client, configured to: generate an encrypted message according to a to-be-encrypted file, and send the generated encrypted message to the encryption server, where the encryption server is configured to: after receiving the encrypted message, generate a hash according to the encryption key, and send the hash back to the signature client; and the signature client is configured to sign the to-be-encrypted file according to the hash. By means of the foregoing solution, key exposure can be effectively avoided by storing an encryption key through an encryption server, thereby improving signature safety.