Patent classifications
H04L2463/062
Tracking replica data using key management
Source and replica data in a storage area network is tracked during management of data encryption keys. Association of source and replica data allows for all copies of customer information in an enterprise to be managed as a single entity for deletion or tracked for management purposes by using referenced data encryption keys upon creation of replicas. Any replica from a source storage object can be created using the source storage object data encryption key or an associated key and tracked by these keys as a subset of the number of replicas created. Management of the data encryption keys can control the lifetime of data on a storage array and in the storage area network without managing every replicated instance for the lifetime of the data.
USER-INITIATED MIGRATION OF ENCRYPTION KEYS
Aspects of various embodiments are directed to applications utilizing secret keys for authentication and/or encrypted communication. In certain embodiments, authentication data is provided from a source network communication device to a target network communication device that allows a computing server to verify that the key migration has been authorized by the source network communication device. The authentication data also enables the data provider and the target network communication device to independently determine a temporary key for establishing a secure communication channel between the service provider and the target network communication device and/or determine a new key for the target network communication device. In some implementations, the authentication data may be exchanged offline between the source and target network communication devices without involvement of the computing server. When the target network communication device later connects to the computing server, the authentication data may be used to verify that the key migration is authorized and/or to generate key(s).
SYSTEM AND METHOD FOR REMOTE AUTHENTICATION WITH DYNAMIC USERNAMES
A method and apparatus for authenticating a user for access to a service provider over a network is disclosed. It includes a first device configured to receive a request for a ticket, generate the ticket, send the ticket to at least one additional device, generate a first partial signature of the ticket, receive additional partial signatures of the ticket, generate a complete signature of the ticket, encrypt the ticket and the complete signature of the ticket, send the encrypted ticket and encrypted complete signature of the ticket to the service provider, receive an encrypted verification code from the service provider, decrypt the encrypted verification code, and display the decrypted verification code.
System and method for providing data to a merchant device from a user device over a wireless link
A mobile device can establish a communication with a separate device via a single function action such as bringing the devices near to each other. A method can include establishing a communication between a mobile device and a separate device via a wireless link, presenting an instruction associated with the potential purchase and receiving, after the instruction is displayed and interpreted by the mobile device, a combination of a first type of input and a second type of input with the mobile device, at least one of which can be a security measure to prevent unauthorized purchase. The method includes retrieving the payment data from a memory of the mobile device and transmitting the payment data via the wireless link to the separate device to make a purchase.
SECURE ACCESS TO REMOTE DATA
In accordance with an example aspect of the present invention, there is provided an apparatus comprising a receiver configured to participate in an association with a first node, and at least one processing core configured to obtain a first credential set based on the association, to determine that the apparatus has become associated with a computer, to receive an encrypted first key from the first node, to decrypt the encrypted first key and to provide the decrypted first key to the computer.
TWO-WAY AUTHENTICATION IN SINGLE PASSWORD WITH AGENT
Systems and methods for enabling user authentication using a first computing device (e.g., a tablet computer) for providing user credentials including an obfuscated password to an application server for authenticating the user credentials and a second computing device different from the first computing device (e.g., a mobile phone) for generating the obfuscated password are described. In some cases, the first computing device may request a login page for accessing a protected resource (e.g., an electronic file) from the application server, which may generate a user specific grid for the login page and send the login page including the user specific grid to the first computing device. The user specific grid may include a plurality of symbols (e.g., alphanumeric characters) associated with a password. The second computing device may generate the obfuscated password using the plurality of symbols entered by a user of the second computing device.
SECURE AND SCALABLE DATA TRANSFER USING A HYBRID BLOCKCHAIN-BASED APPROACH
Techniques for facilitating secure and scalable data transfers using a hybrid blockchain-based approach are provided. In one embodiment, a first computer system at a first site can transmit a token to a second computer system at a second site, where the token includes metadata regarding a data set to be transferred from the first computer system to the second computer system and one or more cloud storage service addresses where the data set will be temporarily stored. The token can be transmitted using a blockchain network that is accessible to the first and second computer systems via a public network. The first computer system can then upload the data set to the one or more cloud storage service addresses via the public network, and the second computer system can download the data set from the one or more cloud storage service addresses via the public network.
Determining a Session Key Using Session Data
The various examples are directed to establishing a secure session between a device and a server. The device and the server may establish a session key. The session key may be used for encrypting data. After authenticating the session key, the server may transmit secure session data to the device, and the device may store the secure session data. The server may transmit information for deriving, based on secure session data, the session key to a different server. The device may transmit the secure session data to the server, or to the different server, to re-establish the secure session. The different server may derive, using the information and based on the secure session data, the session key. The different server may re-establish, using the session key, the secure session.
Efficient internet-of-things (IoT) data encryption/decryption
Techniques are disclosed for encrypting internet-of-things (IoT) data of an IoT network only once at its inception until its final consumption without intervening encryption/decryption stages/cycles. The present encrypt-decrypt-once design thus eliminates potential exposure of the IoT data in its plaintext form of a traditional approach employing intervening encryption/decryption cycles. The present design is also efficient and reduces the burden on IoT resources by eliminating the need for encrypting and decrypting the data multiple times. To accomplish these objectives, a number of schemes for device enrollment, authentication, key distribution, key derivation, encryption and encoding are disclosed. The devices employ authenticated encryption because it provides confidentiality, integrity, and authenticity assurances on the encrypted data. The final consumption of the IoT data may be at a designated gateway or a corporate system.
Authenticator device facilitating file security
Disclosed are various embodiments for facilitating the encryption of files as well as facilitating requiring a user to employ an authenticator device in order to access a file that is encrypted or otherwise secured. The authenticator device can provide an authenticator code in which a security key used to access a secured file can be embedded. An additional layer of encryption can also be applied in the authenticator code.