A network and a device can support secure sessions with both (i) a post-quantum cryptography (PQC) key encapsulation mechanism (KEM) and (ii) forward secrecy. The device can generate (i) an ephemeral public key (ePK.device) and private key (eSK.device) and (ii) send ePK.device with first KEM parameters to the network. The network can (i) conduct a first KEM with ePK.device to derive a first asymmetric ciphertext and first shared secret, and (ii) generate a first symmetric ciphertext for PK.server and second KEM parameters using the first shared secret. The network can send the first asymmetric ciphertext and the first symmetric ciphertext to the device. The network can receive (i) a second symmetric ciphertext comprising “double encrypted” second asymmetric ciphertext for a second KEM with SK.server, and (ii) a third symmetric ciphertext. The network can decrypt the third symmetric ciphertext using the second asymmetric ciphertext.

An edge location of a content delivery network may protect data that is stored and transmitted within the edge location while providing access to associated metadata. After an origin-facing server obtains a requested object, the server may encrypt the object using a client-specific encryption key. In some cases, the server may also separately encrypt the metadata. The encrypted object and metadata may be sent to an intermediate layer server. The intermediate server may decrypt the metadata (if it is encrypted) and determine, based on the metadata, routing for the object. The object remains encrypted at the intermediate server. In some cases, the metadata may be re-encrypted by the intermediate server. The encrypted object and metadata may be sent to a client-facing server, in accordance with the determined routing. The client-facing server may decrypt the encrypted object and send the encrypted object to the client.

One feature pertains to a method for secure wireless communication at an apparatus of a network. The method includes receiving a user equipment identifier identifying a user equipment and a cryptographic key from a wireless wide area network node, and using the cryptographic key as a pairwise master key (PMK). A PMK identifier (PKMID) is generated based on the PMK and the two are stored at the network. A PMK security association is initialized by associating the PMK with at least the PMKID and an access point identifier identifying an access point of the apparatus. An association request is received that includes a PMKID from the user equipment, and it's determined that the PMKID received from the user equipment matches the PMKID stored. A key exchange is initiated with the user equipment based on the PMK to establish a wireless local area network security association with the user equipment.

A method performed by a UE. The method incudes generating a SUCI comprising: i) an encrypted part in which a Mobile Subscription Identification Number of a SUPI is encrypted and ii) a clear-text part comprising: a) a Mobile Country Code of the SUPI, b) a Mobile Network Code of the SUPI, c) a public key identifier for a public key of a home network of the user equipment, and d) an encryption scheme identifier that identifies an encryption scheme used by the UE to encrypt the Mobile Subscription Identification Number in the SUCI. The method also includes transmitting the SUCI to an authentication server in the home network for forwarding of the SUCI to a de-concealing server capable of decrypting the Mobile Subscription Identification Number.

A computer implemented user authentication method, according to which a mobile application is installed on the mobile terminal device of the user and when the user inputs his username and password, the mobile application creates a private and public encryption keys and encrypts the password with the public key. Data including the encrypted password, the username and the public key is sent to a dedicated server and stored therein as an encrypted file under the username, along with information required for contacting the user's mobile terminal device. The user to selects, and enrolls to, an advanced authentication mechanism, which creates an authentication key for validating the identity of the user and encrypting the private key. The encrypted private key is stored on the user's terminal device. Upon launching the mobile application, the user selects a preferred advanced authentication mechanism which returns an authentication key upon successful authentication of the user. The authentication key is used to decrypt the encrypted private key. Then the encrypted password for the user is retrieved and the private key is used to decrypt the user's password. The user's username and password are then forwarded to the mobile application, to complete the authentication.

Method, device, and system for deriving keys are provided in the field of mobile communications technologies. The method for deriving keys may be used, for example, in a handover process of a User Equipment (UE) from an Evolved Universal Terrestrial Radio Access Network (EUTRAN) to a Universal Terrestrial Radio Access Network (UTRAN). If a failure occurred in a first handover, the method ensures that the key derived by a source Mobility Management Entity (MME) for a second handover process of the UE is different from the key derived for the first handover process of the UE. This is done by changing input parameters used in the key derivation, so as to prevent the situation in the prior art that once the key used on one Radio Network Controller (RNC) is obtained, the keys on other RNCs can be derived accordingly, thereby enhancing the network security.

A method and apparatus for authenticating a mobile device in a second network when the mobile device is already authenticated in a first network. An authentication device in the first network generates an authentication master key associated with the mobile device using a first nonce generated by the authentication device and a second nonce generated by the mobile device. The generated authentication master key is sent to a second authentication device in the second network, where is usable by the second authentication device to authenticate the mobile device in the second network.

Methods and systems are configured to store user data and control access to the user data, wherein the data is stored remotely from the user (such as external to a user's computing device) and the user's data is maintained anonymously. Content is stored in association with a user identifier and access by third parties is controlled by linked third party identifiers.

The technology disclosed relates to securely encrypting a document. In particular, it relates to accessing a key-manager with a triplet of organization identifier, application identifier and region identifier and in response receiving a triplet-key and a triplet-key identifier that uniquely identifies the triplet-key. Also, for a document that has a document identifier (ID), the technology disclosed relates to deriving a per-document key from a combination of the triplet-key, the document ID and a salt. Further, the per-document key is used to encrypt the document.

This invention is directed to a computerized system for encryption and transmission of digital information comprising: an encryption server in communications with a sender computer device and a recipient computer device; and, a set of encryption server computer readable instructions included on the encryption server that, when executed by a processor, preform the steps of: receiving an original information set from the sender computer device, generating a sender key, encrypting a portion of the original information set with the sender key, generating an key pair having a public and private key pair, encrypting the sender key with the public key of the key pair, encrypting the private key of the key pair with a master key, generating a hyperlink to the encrypted portion of the original information set, transmitting the hyperlink to the recipient computer device.