The subject disclosure is directed towards secure query processing over encrypted database records without disclosing information to an adversary except for permitted information. In order to adapting semantic security to a database encryption scheme, a security model for all query processing is specified by a client and used to determine which information is permitted to be disclosed and which information is not permitted. Based upon the security model, a trusted, secure query processor transforms each query and an encrypted database into secure query results. Even though the adversary can view the secure query results during communication to the client, the adversary cannot determine any reliable information regarding the secure query results or the encrypted database.

Disclosed is an updated browser having an API for communicating payment data between the browser and a site or an application and a software module for processing payments of purchases and to reduce the number of user interactions needed for a purchasing process. The method includes receiving, via the user interface, an interaction by a user with an object associated with a site, the interaction indicating a user intent to make a purchase, receiving, based on the interaction and via an application programming interface, a request from the site or application for payment data in connection with the purchase and transmitting, to the site or the application and via the application programming interface, the payment data, wherein the payment data confirms the purchase or can be used to process or deliver a product associated with the purchase.

This application describes systems and methods for using a garbled circuit and a physical unclonable function (PUF) value to authenticate a device. During enrollment, the device and at least one computer collaboratively construct multiple garbled circuits corresponding to bits of an enrollment PUF value generated by PUF circuitry coupled to the device. During authentication, the device and at least one computer evaluate the multiple garbled circuits using an authentication PUF value. Using the results of this evaluation, the at least one computer compares the enrollment PUF value with the authentication PUF value and determines a distance between them. The at least one computer may authenticate the device when the calculated distance is less than a threshold value.

Systems and methods are provided for encrypting data at a customer for storage at a hosted service provider. In addition to the data being encrypted by the client, the secret encryption key used to encrypt the data is also encrypted. Both the encrypted data and the encrypted secret encryption key are transmitted to the service provider who may further encrypt the data with another encryption key and who stores the further encrypted data, the encrypted secret encryption key and the another encryption key.

A method includes, after expiration of a first passcode, receiving, at an access point, a first access request from a first device. The first access request may be encrypted based on the first passcode. The method further includes determining whether an identifier of the first device is included in a device list associated with the first passcode. The device list includes identifiers of devices that accessed the access point using encryption based on the first passcode before the expiration of the first passcode. The method also includes, in response to a determination that the identifier of the first device is included in the device list generating, at the access point, data representing a second passcode by encrypting the second passcode using the first passcode. The method further includes sending the data representing the second passcode to the first device from the access point.

A first service submits a request to a second service on behalf of a customer of a service provider. The request may have been triggered by a request of the customer to the first service. To process the request, the second service evaluates one or more policies to determine whether fulfillment of the request is allowed by policy associated with the customer. The one or more policies may state one or more conditions on one or more services that played a role in submission of the request. If determined that the policy allows fulfillment of the request, the second service fulfills the request.

A method for generation of an application cryptogram for use in a payment transaction includes: storing, in a first memory, a single use key associated with a transaction account; electronically transmitting the single use key to a processing server; receiving an encrypted session key and a server encryption key from the processing server; executing a first query to store the encrypted session key in the first memory and a second query to store the server encryption key in a second memory; decrypting the encrypted session key using the server encryption key; generating an application cryptogram based on the decrypted session key; and electronically transmitting the generated application cryptogram for use in a payment transaction.

Methods and apparatuses are disclosed for secure network communications. An exemplary method may include sending a handshake request message to a server. The handshake request message contains a first random number encrypted by using a first public key and first service request data encrypted by using the first public key. The method may also include receiving a handshake response message replied from the server. The handshake response message contains the first service response data encrypted by using the first random number and a second random number encrypted by using the first random number. The method may further include decrypting the handshake response message by using the first random number to obtain the first service response data and the second random number. In addition, the method may include calculating a session key used in a session with the server in accordance with the first random number and the second random number.

A computer-implemented method for managing a personal data store is described for binding one or more identities of different types associated with a user. The computer-implemented method is implemented in a trust system including one or more processing devices communicatively coupled to a network. The computer-implemented method includes receiving one or more self-asserted first attributes by the user and second attributes asserted by an Attribute Provider; utilizing one or more of the first attributes and the second attributes as inputs to obtain and/or produce one or more cryptographically signed attributes signed by an associated Attribute Provider; storing the first attributes, the second attributes, and the one or more cryptographically signed attributes in a personal data store associated with the user; and utilizing one or more of the first attributes, the second attributes, and the one or more cryptographically signed attributes to respond to a request from a Relying Party.

Spray arm assemblies for dishwasher appliances are provided. A spray arm assembly includes a first spray arm. The first spray arm includes an arm member, the arm member defining an interior and a plurality of apertures in fluid communication with the interior. The arm member further extends along and is rotatable about a longitudinal axis. The spray arm assembly further includes a central housing defining and rotatable about a central axis, the central axis generally perpendicular to the longitudinal axis. In some embodiments, the spray arm assembly further includes a bevel drive assembly disposed within the central housing. The bevel drive assembly is configured to rotate the arm member about the longitudinal axis when the central housing rotates about the central axis. The bevel drive assembly includes a drive member, an axle member, and an idler member, the axle member mounted to the arm member.