H04L2463/041

Scaling of adaptive crypto services within the cloud

In one embodiment, a crypto cloudlet is provided that includes a security wrapper around a virtual machine to guarantee secure Input/Output exchange, through a single well-defined channel, between a client and one or more cryptographic adaptive services powered by a set of virtual CPUs; an adaptive service running in the virtual machine that identifies the hardware resources necessary to satisfy a cryptographic demand or request; and an Ethernet interface communicatively coupled to the security wrapper that provides network channel services for the exchange of cryptographic data and commands. The security wrapper presents to the adaptive services the hardware accelerators exposed by the virtual machine. Other embodiments are disclosed.

Machine-implemented method of dynamically encrypting data
10992511 · 2021-04-27

A machine-implemented method of encoding/decoding data is described. The encoding method comprises steps of receiving a message of a given size, the message being represented by a series of units of data, configuring multiple encoding elements (50) in an arrangement having a given frame size, and encoding the message by passing each unit of data through the arrangement so that each unit is processed by at least one of the encoding elements. The frame size of the arrangement is the maximum number of units of data that can pass through the arrangement without any unit of data passing through the arrangement and being processed in the same way as another unit of data. The configuring of the arrangement defines how each unit of data is processed by the encoding elements and creates an arrangement corresponding to a frame size that is dependent upon the number of units of data in the series, for example so that the frame size of the arrangement is guaranteed to be greater than the number of units of data in the series.

MULTI-LEVEL DATA CHANNEL AND INSPECTION ARCHITECTURE INCLUDING SECURITY-LEVEL-BASED FILTERS FOR DIVERTING NETWORK TRAFFIC
20210067491 · 2021-03-04

Deep packet inspection of data in a multi-spoke data tunnel inspection architecture is provided. Inspection may include using a data review tunnel module to receive a first portion of a data stream, encrypted with a first encryption scheme, in a first data conduit. The method may also include receiving a second portion of the data stream, encrypted with a second encryption scheme, in a second data conduit. The method may also include decrypting and reconstructing a complete data stream. The complete data stream may be derived from the decrypted and reconstructed first data stream and the decrypted and reconstructed second data stream. The method may then analyze and review the flow of the complete data stream to determine whether the flow is associated with a pre-determined likelihood of intrusion, and then prepare a data report based on the analysis and review.

Secure service hosted in a virtual security environment

An execution environment has a deployed virtual machine image. The virtual machine image provides a service that is identified by a role. The execution environment generates a measurement of the virtual machine image and provides it to a key service to request role keys that enable operation of the virtual machine image in the execution environment. The key service determines whether the virtual machine image is mapped to the role and, if so, returns the role keys to the requesting execution environment.

Block Chain Network and Hash-Based Cuckoo Filter
20200396209 · 2020-12-17

Various embodiments pertain to an enterprise network that employs a block chain portion and a non-block chain portion. For a single transaction, the header of the transaction can be sent over the block chain network and the non-header portion of the transaction can be sent over the non-block chain network. A hash-based cuckoo filter can be used for communication of the header along the block chain network.

Perimeter enforcement of encryption rules

Rules are applied at a network perimeter to outbound network communications that contain file attachments. The rules may, in a variety of circumstances, require wrapping of an outbound file from the endpoint in a portable encrypted container. The network perimeter may be enforced locally at the endpoint, or at any network device between the endpoint and a recipient.

Portable encryption format

A portable encryption format wraps encrypted files in a self-executing container that facilitates transparent, identity-based decryption for properly authenticated users while also providing local password access to wrapped files when identity-based decryption is not available.

Communication system and communication method
10735517 · 2020-08-04

A communication system includes a management device, a reception device, and a transmission device. The reception device and the transmission device are configured to hold first information included in a received first communication message each time the reception device and the transmission device receive the first communication message. The transmission device is configured to manage second information of a management code, and generate a first authenticator from communication data and a management code formed by combining the held first information with the managed second information. The reception device is configured to receive a second communication message transmitted by the transmission device, and authenticate the received second communication message based on a comparison between the first authenticator included in the received second communication message and a regenerated authenticator regenerated based on the received second communication message.

FREQUENCY ENCRYPTION FOR COMMUNICATION SIGNALS

A receiver in a communication system may include a buffer and hardware. The buffer may be configured to store a communication signal comprising one or more pulses representative of data. The hardware may be configured to determine whether a data authentication pulse has been superimposed over at least one of the one or more pulses, and authenticate, based on the determination of whether the data authentication pulse has been superimposed over at least one of the one or more pulses, the one or more pulses as a valid representation of the data.

Systems and methods for securing electronic data with embedded security engines
10601793 · 2020-03-24

In an embodiment, an electronic data security system improves the security and usability of encrypted electronic data using a symmetric key approach implemented by security engines embedded on operably coupled integrated circuits. Engines paired to integrated circuits in combinations of hardware and software engines implementing security tasks can also be utilized. A first security engine is configured to interface to a second security engine and, using the components of the respective security engines, securely exchange electronic data using symmetric key encryption. The key change instruction configures the second security engine private key for a subsequent transmission.